# Flog Txt Version 1 # Analyzer Version: 3.1.2 # Analyzer Build Date: Oct 28 2019 11:51:53 # Log Creation Date: 06.01.2020 02:34:15.454 Process: id = "1" image_name = "hwyfzd.exe" filename = "c:\\users\\fd1hvy\\desktop\\hwyfzd.exe" page_root = "0x379c1000" os_pid = "0xfb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xdb0 [0037.259] lstrlenW (lpString="") returned 0 [0037.259] GetCursor () returned 0x10007 [0037.260] GetTickCount () returned 0x1149e35 [0037.260] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.261] GetTickCount () returned 0x1149e35 [0037.261] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.262] GetTickCount () returned 0x1149e35 [0037.262] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.263] GetTickCount () returned 0x1149e35 [0037.263] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.264] GetTickCount () returned 0x1149e35 [0037.264] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.265] GetTickCount () returned 0x1149e35 [0037.265] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.266] GetTickCount () returned 0x1149e35 [0037.266] GetCursor () returned 0x10007 [0037.267] GetTickCount () returned 0x1149e35 [0037.267] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.269] GetTickCount () returned 0x1149e45 [0037.269] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.270] GetTickCount () returned 0x1149e45 [0037.270] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.271] GetTickCount () returned 0x1149e45 [0037.271] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.272] GetTickCount () returned 0x1149e45 [0037.272] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.273] GetTickCount () returned 0x1149e45 [0037.273] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.274] GetCursor () returned 0x10007 [0037.274] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.275] GetTickCount () returned 0x1149e45 [0037.275] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.276] GetCursor () returned 0x10007 [0037.276] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.277] GetTickCount () returned 0x1149e45 [0037.277] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.278] GetTickCount () returned 0x1149e45 [0037.278] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.279] GetTickCount () returned 0x1149e45 [0037.279] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.280] GetTickCount () returned 0x1149e45 [0037.280] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.281] GetTickCount () returned 0x1149e45 [0037.281] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.282] GetTickCount () returned 0x1149e45 [0037.282] GetCursor () returned 0x10007 [0037.283] GetTickCount () returned 0x1149e54 [0037.283] GetCursor () returned 0x10007 [0037.283] GetTickCount () returned 0x1149e54 [0037.687] LocalAlloc (uFlags=0x0, uBytes=0x3b56) returned 0x3a18748 [0037.699] lstrcatA (in: lpString1="", lpString2="kernel32.dll" | out: lpString1="kernel32.dll") returned="kernel32.dll" [0037.700] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0037.700] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualProtect") returned 0x75ea6a30 [0037.700] VirtualProtect (in: lpAddress=0x3a18748, dwSize=0x3b56, flNewProtect=0x40, lpflOldProtect=0x19f6a0 | out: lpflOldProtect=0x19f6a0*=0x4) returned 1 [0037.714] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0037.714] GetProcAddress (hModule=0x75e90000, lpProcName="GlobalAlloc") returned 0x75ea5750 [0037.714] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0037.715] GetProcAddress (hModule=0x75e90000, lpProcName="Sleep") returned 0x75ea6760 [0037.715] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0037.715] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0037.715] GetProcAddress (hModule=0x75e90000, lpProcName="Module32First") returned 0x75edfc90 [0037.715] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0037.715] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x0) returned 0x108 [0037.717] Module32First (hSnapshot=0x108, lpme=0x19f474) returned 1 [0037.718] VirtualAlloc (lpAddress=0x0, dwSize=0x6450, flAllocationType=0x1000, flProtect=0x40) returned 0x37e0000 [0037.719] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0037.719] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x75e90000 [0037.719] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualAlloc") returned 0x75ea6970 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualProtect") returned 0x75ea6a30 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="VirtualFree") returned 0x75ea69d0 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="GetVersionExA") returned 0x75ea56d0 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0037.720] GetProcAddress (hModule=0x75e90000, lpProcName="SetErrorMode") returned 0x75ea6500 [0037.720] SetErrorMode (uMode=0x400) returned 0x0 [0037.720] SetErrorMode (uMode=0x0) returned 0x400 [0037.720] GetVersionExA (in: lpVersionInformation=0x19e3a4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x3a0a800, dwMinorVersion=0x3a0ac70, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x19e3a4*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x2, dwBuildNumber=0x23f0, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0037.720] VirtualAlloc (lpAddress=0x0, dwSize=0x5600, flAllocationType=0x1000, flProtect=0x4) returned 0x37f0000 [0037.721] VirtualProtect (in: lpAddress=0x400000, dwSize=0xb000, flNewProtect=0x40, lpflOldProtect=0x19f42c | out: lpflOldProtect=0x19f42c*=0x2) returned 1 [0038.001] VirtualFree (lpAddress=0x37f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0038.001] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x75f60000 [0039.468] GetProcAddress (hModule=0x75f60000, lpProcName="PathRemoveFileSpecW") returned 0x75f74500 [0039.468] GetProcAddress (hModule=0x75f60000, lpProcName="StrStrIW") returned 0x75f74390 [0039.468] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNA") returned 0x75f7ca10 [0039.468] GetProcAddress (hModule=0x75f60000, lpProcName="wnsprintfW") returned 0x75f84e90 [0039.468] GetProcAddress (hModule=0x75f60000, lpProcName="StrCmpNW") returned 0x75f72800 [0039.468] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x74250000 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetCrackUrlW") returned 0x743acfa0 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetQueryDataAvailable") returned 0x7437ec50 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetOpenW") returned 0x7436e9e0 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetReadFile") returned 0x74383a70 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetConnectW") returned 0x7435e000 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="HttpOpenRequestW") returned 0x743cbdd0 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="InternetCloseHandle") returned 0x7435d000 [0039.857] GetProcAddress (hModule=0x74250000, lpProcName="HttpSendRequestW") returned 0x74379490 [0039.857] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x74710000 [0039.858] GetProcAddress (hModule=0x74710000, lpProcName="RpcStringFreeW") returned 0x74745830 [0039.858] GetProcAddress (hModule=0x74710000, lpProcName="UuidToStringW") returned 0x7474c200 [0039.858] GetProcAddress (hModule=0x74710000, lpProcName="UuidCreate") returned 0x7474e8b0 [0039.858] LoadLibraryA (lpLibFileName="RstrtMgr.DLL") returned 0x74220000 [0041.032] GetProcAddress (hModule=0x74220000, lpProcName="RmRegisterResources") returned 0x74227660 [0041.032] GetProcAddress (hModule=0x74220000, lpProcName="RmGetList") returned 0x742274f0 [0041.032] GetProcAddress (hModule=0x74220000, lpProcName="RmEndSession") returned 0x74227420 [0041.032] GetProcAddress (hModule=0x74220000, lpProcName="RmStartSession") returned 0x74227930 [0041.032] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x75e90000 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="ExpandEnvironmentStringsW") returned 0x75ea4a40 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="CreateThread") returned 0x75ea46b0 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyW") returned 0x75ee7140 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="GetCurrentProcessId") returned 0x75efea20 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteFileW") returned 0x75efed40 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="GetWindowsDirectoryW") returned 0x75ea5730 [0041.032] GetProcAddress (hModule=0x75e90000, lpProcName="CloseHandle") returned 0x75efeab0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="DeleteCriticalSection") returned 0x77bdfb90 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="CreateToolhelp32Snapshot") returned 0x75ededc0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="FindNextFileW") returned 0x75efee40 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcatW") returned 0x75ee71a0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpiW") returned 0x75ea6bf0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="Process32NextW") returned 0x75edf8f0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="WaitForMultipleObjects") returned 0x75efec80 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="FindClose") returned 0x75efed70 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="EnterCriticalSection") returned 0x77bfb2d0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="MoveFileW") returned 0x75ede500 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcAddress") returned 0x75ea51b0 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="GetLastError") returned 0x75ea5010 [0041.033] GetProcAddress (hModule=0x75e90000, lpProcName="GetTickCount") returned 0x75efdd50 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="HeapReAlloc") returned 0x77bef630 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="HeapAlloc") returned 0x77bf2dc0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="HeapFree") returned 0x75ea57f0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="GetProcessHeap") returned 0x75ea51f0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="FindResourceW") returned 0x75ea4aa0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="LoadResource") returned 0x75ea5b00 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="SizeofResource") returned 0x75ea6740 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleA") returned 0x75ea50b0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="WideCharToMultiByte") returned 0x75ea6b10 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="LoadLibraryA") returned 0x75ea5a80 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcpyA") returned 0x75ee7060 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="ExitProcess") returned 0x75ea3cb0 [0041.034] GetProcAddress (hModule=0x75e90000, lpProcName="FindFirstFileW") returned 0x75efedf0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="SetFilePointerEx") returned 0x75eff130 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleHandleW") returned 0x75ea50d0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="GetUserDefaultLangID") returned 0x75ea5690 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="InitializeCriticalSection") returned 0x77c0af20 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="OpenProcess") returned 0x75ea5cc0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="CopyFileW") returned 0x75eff3b0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="LeaveCriticalSection") returned 0x77bfb250 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="TerminateProcess") returned 0x75ea67e0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="GetModuleFileNameW") returned 0x75ea5090 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="lstrcmpW") returned 0x75ea6bb0 [0041.035] GetProcAddress (hModule=0x75e90000, lpProcName="lstrlenW") returned 0x75ea6c70 [0041.035] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x761b0000 [0041.035] GetProcAddress (hModule=0x761b0000, lpProcName="CryptDestroyKey") returned 0x761cfa60 [0041.036] GetProcAddress (hModule=0x761b0000, lpProcName="CryptGenKey") returned 0x761d3430 [0041.036] GetProcAddress (hModule=0x761b0000, lpProcName="CryptExportKey") returned 0x761cf700 [0041.036] LoadLibraryA (lpLibFileName="msvcr100.dll") returned 0x740f0000 [0041.220] GetProcAddress (hModule=0x740f0000, lpProcName="atexit") returned 0x7410c544 [0041.220] atexit (param_1=0x37e0920) returned 0 [0041.221] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x761b0000 [0041.221] LoadLibraryW (lpLibFileName="mpr.dll") returned 0x740d0000 [0041.315] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x76480000 [0045.174] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0045.174] FindResourceW (hModule=0x400000, lpName=0x7f, lpType=0xa) returned 0x408048 [0045.174] LoadResource (hModule=0x400000, hResInfo=0x408048) returned 0x408058 [0045.174] SizeofResource (hModule=0x400000, hResInfo=0x408048) returned 0x140a [0045.174] GetProcessHeap () returned 0x3a00000 [0045.174] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x140a) returned 0x3a22bf0 [0045.174] GetUserDefaultLangID () returned 0x409 [0045.175] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19edc0 | out: TokenHandle=0x19edc0*=0x228) returned 1 [0045.175] GetTokenInformation (in: TokenHandle=0x228, TokenInformationClass=0x14, TokenInformation=0x19edb8, TokenInformationLength=0x4, ReturnLength=0x19edbc | out: TokenInformation=0x19edb8, ReturnLength=0x19edbc) returned 1 [0045.176] CloseHandle (hObject=0x228) returned 1 [0045.176] CryptAcquireContextW (in: phProv=0x19f440, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19f440*=0x3a1e318) returned 1 [0045.457] GetModuleHandleW (lpModuleName="ntdll") returned 0x77bb0000 [0045.457] GetProcAddress (hModule=0x77bb0000, lpProcName="RtlGetVersion") returned 0x77bdfff0 [0045.457] RtlGetVersion (in: lpVersionInformation=0x19f218 | out: lpVersionInformation=0x19f218*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x3ad7, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0045.457] CryptGenKey (in: hProv=0x3a1e318, Algid=0xa400, dwFlags=0x4000001, phKey=0x19edb4 | out: phKey=0x19edb4*=0x3a1e868) returned 1 [0045.699] GetProcessHeap () returned 0x3a00000 [0045.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x10) returned 0x3a1d328 [0045.699] GetProcessHeap () returned 0x3a00000 [0045.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a29908 [0045.699] CryptExportKey (in: hKey=0x3a1e868, hExpKey=0x0, dwBlobType=0x6, dwFlags=0x0, pbData=0x3a29908, pdwDataLen=0x19edbc | out: pbData=0x3a29908*, pdwDataLen=0x19edbc*=0x94) returned 1 [0045.699] GetProcessHeap () returned 0x3a00000 [0045.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x94) returned 0x3a0e848 [0045.699] CryptExportKey (in: hKey=0x3a1e868, hExpKey=0x0, dwBlobType=0x7, dwFlags=0x0, pbData=0x3a29908, pdwDataLen=0x19edbc | out: pbData=0x3a29908*, pdwDataLen=0x19edbc*=0x254) returned 1 [0045.700] GetProcessHeap () returned 0x3a00000 [0045.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x254) returned 0x3a29d10 [0045.700] GetProcessHeap () returned 0x3a00000 [0045.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a29908 | out: hHeap=0x3a00000) returned 1 [0045.700] CryptDestroyKey (hKey=0x3a1e868) returned 1 [0045.700] CryptImportKey (in: hProv=0x3a1e318, pbData=0x3a0e848, dwDataLen=0x94, hPubKey=0x0, dwFlags=0x0, phKey=0x406020 | out: phKey=0x406020*=0x3a1ee28) returned 1 [0045.700] GetProcessHeap () returned 0x3a00000 [0045.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a29f70 [0045.700] CryptImportKey (in: hProv=0x3a1e318, pbData=0x3a22bf0, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x19f438 | out: phKey=0x19f438*=0x3a1e868) returned 1 [0045.716] CryptEncrypt (in: hKey=0x3a1e868, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19f334*, pdwDataLen=0x19f43c*=0xf5, dwBufLen=0x100 | out: pbData=0x19f334*, pdwDataLen=0x19f43c*=0x100) returned 1 [0045.719] CryptEncrypt (in: hKey=0x3a1e868, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x19f334*, pdwDataLen=0x19f43c*=0xf5, dwBufLen=0x100 | out: pbData=0x19f334*, pdwDataLen=0x19f43c*=0x100) returned 1 [0045.719] CryptEncrypt (in: hKey=0x3a1e868, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x19f334*, pdwDataLen=0x19f43c*=0x6a, dwBufLen=0x100 | out: pbData=0x19f334*, pdwDataLen=0x19f43c*=0x100) returned 1 [0045.719] CryptDestroyKey (hKey=0x3a1e868) returned 1 [0045.719] GetProcessHeap () returned 0x3a00000 [0045.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a0e848 | out: hHeap=0x3a00000) returned 1 [0045.719] GetProcessHeap () returned 0x3a00000 [0045.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a29d10 | out: hHeap=0x3a00000) returned 1 [0045.719] GetProcessHeap () returned 0x3a00000 [0045.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a1d328 | out: hHeap=0x3a00000) returned 1 [0045.719] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows Defender", ulOptions=0x0, samDesired=0x2, phkResult=0x19f434 | out: phkResult=0x19f434*=0x238) returned 0x0 [0045.720] RegSetValueExW (in: hKey=0x238, lpValueName="DisableAntiSpyware", Reserved=0x0, dwType=0x4, lpData=0x19f444*=0x1, cbData=0x4 | out: lpData=0x19f444*=0x1) returned 0x0 [0045.720] RegCloseKey (hKey=0x238) returned 0x0 [0045.720] GetWindowsDirectoryW (in: lpBuffer=0x19efdc, uSize=0x104 | out: lpBuffer="C:\\WINDOWS") returned 0xa [0045.721] lstrcatW (in: lpString1="C:\\WINDOWS", lpString2="\\sysnative\\vssadmin.exe" | out: lpString1="C:\\WINDOWS\\sysnative\\vssadmin.exe") returned="C:\\WINDOWS\\sysnative\\vssadmin.exe" [0045.721] lstrcpyW (in: lpString1=0x19edd4, lpString2=" delete shadows /all /quiet" | out: lpString1=" delete shadows /all /quiet") returned=" delete shadows /all /quiet" [0045.721] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\WINDOWS\\sysnative\\vssadmin.exe", lpParameters=" delete shadows /all /quiet", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0057.928] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x19ebb4 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming") returned 0x0 [0057.929] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\" [0057.929] lstrcatW (in: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\", lpString2="taridd" | out: lpString1="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd") returned="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd" [0057.929] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\taridd" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\taridd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x6, hTemplateFile=0x0) returned 0x2f0 [0057.931] GetLastError () returned 0x0 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] GetTickCount () returned 0x114eee5 [0057.931] WriteFile (in: hFile=0x2f0, lpBuffer=0x406260*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x19edbc, lpOverlapped=0x0 | out: lpBuffer=0x406260*, lpNumberOfBytesWritten=0x19edbc*=0x6, lpOverlapped=0x0) returned 1 [0057.932] CloseHandle (hObject=0x2f0) returned 1 [0057.934] StrCmpNA (lpStr1="%link%", lpStr2="%name%", nChar=6) returned -1 [0057.934] StrCmpNA (lpStr1="%link%", lpStr2="%link%", nChar=6) returned 0 [0057.934] StrCmpNA (lpStr1="%name%", lpStr2="%name%", nChar=6) returned 0 [0057.934] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%name%", nChar=6) returned -1 [0057.935] StrCmpNA (lpStr1="%ID%\r\n", lpStr2="%link%", nChar=6) returned -1 [0057.935] StrCmpNA (lpStr1="%ID%", lpStr2="%ID%", nChar=4) returned 0 [0057.935] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19eb78, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hwyfzd.exe")) returned 0x22 [0057.935] lstrcpyW (in: lpString1=0x19e970, lpString2="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe" | out: lpString1="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe") returned="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe" [0057.935] PathRemoveFileSpecW (in: pszPath="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe" | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 1 [0057.935] SHGetFolderPathW (in: hwnd=0x0, csidl=7, hToken=0x0, dwFlags=0x0, pszPath=0x19e768 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 0x0 [0057.936] lstrcmpW (lpString1="C:\\Users\\FD1HVy\\Desktop", lpString2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 1 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.936] GetTickCount () returned 0x114eef5 [0057.937] wnsprintfW (in: pszDest=0x406040, cchDest=260, pszFmt="%s\\%s" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk") returned 99 [0057.937] wnsprintfW (in: pszDest=0x19e560, cchDest=260, pszFmt="%s.exe" | out: pszDest="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk.exe") returned 103 [0057.937] CopyFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\hwyfzd.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\hwyfzd.exe"), lpNewFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\6bringw2sozb79utr2sok.exe"), bFailIfExists=0) returned 1 [0058.444] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2f4 [0058.463] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0058.464] StrCmpNW (lpStr1="[Syst", lpStr2="mysql", nChar=5) returned -1 [0058.464] StrCmpNW (lpStr1="[Sy", lpStr2="IBM", nChar=3) returned -1 [0058.464] StrCmpNW (lpStr1="[Syst", lpStr2="bes10", nChar=5) returned -1 [0058.464] StrCmpNW (lpStr1="[Syst", lpStr2="black", nChar=5) returned -1 [0058.464] StrCmpNW (lpStr1="[Sy", lpStr2="sql", nChar=3) returned -1 [0058.464] StrCmpNW (lpStr1="[System P", lpStr2="store.exe", nChar=9) returned -1 [0058.464] StrCmpNW (lpStr1="[Sy", lpStr2="vee", nChar=3) returned -1 [0058.464] StrCmpNW (lpStr1="[Syst", lpStr2="postg", nChar=5) returned -1 [0058.464] StrCmpNW (lpStr1="[Sys", lpStr2="sage", nChar=4) returned -1 [0058.464] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6c, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0058.464] StrCmpNW (lpStr1="Syste", lpStr2="mysql", nChar=5) returned 1 [0058.464] StrCmpNW (lpStr1="Sys", lpStr2="IBM", nChar=3) returned 1 [0058.464] StrCmpNW (lpStr1="Syste", lpStr2="bes10", nChar=5) returned 1 [0058.464] StrCmpNW (lpStr1="Syste", lpStr2="black", nChar=5) returned 1 [0058.464] StrCmpNW (lpStr1="Sys", lpStr2="sql", nChar=3) returned 1 [0058.464] StrCmpNW (lpStr1="System", lpStr2="store.exe", nChar=9) returned 1 [0058.464] StrCmpNW (lpStr1="Sys", lpStr2="vee", nChar=3) returned -1 [0058.465] StrCmpNW (lpStr1="Syste", lpStr2="postg", nChar=5) returned 1 [0058.465] StrCmpNW (lpStr1="Syst", lpStr2="sage", nChar=4) returned 1 [0058.465] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0058.465] StrCmpNW (lpStr1="smss.", lpStr2="mysql", nChar=5) returned 1 [0058.465] StrCmpNW (lpStr1="sms", lpStr2="IBM", nChar=3) returned 1 [0058.465] StrCmpNW (lpStr1="smss.", lpStr2="bes10", nChar=5) returned 1 [0058.465] StrCmpNW (lpStr1="smss.", lpStr2="black", nChar=5) returned 1 [0058.465] StrCmpNW (lpStr1="sms", lpStr2="sql", nChar=3) returned -1 [0058.465] StrCmpNW (lpStr1="smss.exe", lpStr2="store.exe", nChar=9) returned -1 [0058.465] StrCmpNW (lpStr1="sms", lpStr2="vee", nChar=3) returned -1 [0058.465] StrCmpNW (lpStr1="smss.", lpStr2="postg", nChar=5) returned 1 [0058.465] StrCmpNW (lpStr1="smss", lpStr2="sage", nChar=4) returned 1 [0058.465] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x19c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.466] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0058.466] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0058.466] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0058.466] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0058.466] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0058.466] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0058.466] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0058.466] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0058.466] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0058.466] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x194, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0058.466] StrCmpNW (lpStr1="winin", lpStr2="mysql", nChar=5) returned 1 [0058.466] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0058.466] StrCmpNW (lpStr1="winin", lpStr2="bes10", nChar=5) returned 1 [0058.466] StrCmpNW (lpStr1="winin", lpStr2="black", nChar=5) returned 1 [0058.467] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0058.467] StrCmpNW (lpStr1="wininit.e", lpStr2="store.exe", nChar=9) returned 1 [0058.467] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0058.467] StrCmpNW (lpStr1="winin", lpStr2="postg", nChar=5) returned 1 [0058.467] StrCmpNW (lpStr1="wini", lpStr2="sage", nChar=4) returned 1 [0058.467] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0058.471] StrCmpNW (lpStr1="csrss", lpStr2="mysql", nChar=5) returned -1 [0058.471] StrCmpNW (lpStr1="csr", lpStr2="IBM", nChar=3) returned -1 [0058.471] StrCmpNW (lpStr1="csrss", lpStr2="bes10", nChar=5) returned 1 [0058.471] StrCmpNW (lpStr1="csrss", lpStr2="black", nChar=5) returned 1 [0058.471] StrCmpNW (lpStr1="csr", lpStr2="sql", nChar=3) returned -1 [0058.471] StrCmpNW (lpStr1="csrss.exe", lpStr2="store.exe", nChar=9) returned -1 [0058.471] StrCmpNW (lpStr1="csr", lpStr2="vee", nChar=3) returned -1 [0058.471] StrCmpNW (lpStr1="csrss", lpStr2="postg", nChar=5) returned -1 [0058.471] StrCmpNW (lpStr1="csrs", lpStr2="sage", nChar=4) returned -1 [0058.471] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x234, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0058.472] StrCmpNW (lpStr1="winlo", lpStr2="mysql", nChar=5) returned 1 [0058.472] StrCmpNW (lpStr1="win", lpStr2="IBM", nChar=3) returned 1 [0058.472] StrCmpNW (lpStr1="winlo", lpStr2="bes10", nChar=5) returned 1 [0058.472] StrCmpNW (lpStr1="winlo", lpStr2="black", nChar=5) returned 1 [0058.472] StrCmpNW (lpStr1="win", lpStr2="sql", nChar=3) returned 1 [0058.472] StrCmpNW (lpStr1="winlogon.", lpStr2="store.exe", nChar=9) returned 1 [0058.472] StrCmpNW (lpStr1="win", lpStr2="vee", nChar=3) returned 1 [0058.472] StrCmpNW (lpStr1="winlo", lpStr2="postg", nChar=5) returned 1 [0058.472] StrCmpNW (lpStr1="winl", lpStr2="sage", nChar=4) returned 1 [0058.472] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x250, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0058.473] StrCmpNW (lpStr1="servi", lpStr2="mysql", nChar=5) returned 1 [0058.473] StrCmpNW (lpStr1="ser", lpStr2="IBM", nChar=3) returned 1 [0058.473] StrCmpNW (lpStr1="servi", lpStr2="bes10", nChar=5) returned 1 [0058.475] StrCmpNW (lpStr1="servi", lpStr2="black", nChar=5) returned 1 [0058.475] StrCmpNW (lpStr1="ser", lpStr2="sql", nChar=3) returned -1 [0058.475] StrCmpNW (lpStr1="services.", lpStr2="store.exe", nChar=9) returned -1 [0058.475] StrCmpNW (lpStr1="ser", lpStr2="vee", nChar=3) returned -1 [0058.475] StrCmpNW (lpStr1="servi", lpStr2="postg", nChar=5) returned 1 [0058.475] StrCmpNW (lpStr1="serv", lpStr2="sage", nChar=4) returned 1 [0058.475] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1ec, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0058.476] StrCmpNW (lpStr1="lsass", lpStr2="mysql", nChar=5) returned -1 [0058.476] StrCmpNW (lpStr1="lsa", lpStr2="IBM", nChar=3) returned 1 [0058.476] StrCmpNW (lpStr1="lsass", lpStr2="bes10", nChar=5) returned 1 [0058.476] StrCmpNW (lpStr1="lsass", lpStr2="black", nChar=5) returned 1 [0058.476] StrCmpNW (lpStr1="lsa", lpStr2="sql", nChar=3) returned -1 [0058.476] StrCmpNW (lpStr1="lsass.exe", lpStr2="store.exe", nChar=9) returned -1 [0058.476] StrCmpNW (lpStr1="lsa", lpStr2="vee", nChar=3) returned -1 [0058.476] StrCmpNW (lpStr1="lsass", lpStr2="postg", nChar=5) returned -1 [0058.477] StrCmpNW (lpStr1="lsas", lpStr2="sage", nChar=4) returned -1 [0058.477] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.477] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.477] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.477] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.477] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.477] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.477] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.477] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.477] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.477] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.477] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x234, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.478] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0058.478] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0058.478] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0058.478] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0058.478] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0058.478] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0058.478] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0058.478] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0058.478] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0058.478] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1ec, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0058.479] StrCmpNW (lpStr1="fontd", lpStr2="mysql", nChar=5) returned -1 [0058.479] StrCmpNW (lpStr1="fon", lpStr2="IBM", nChar=3) returned -1 [0058.479] StrCmpNW (lpStr1="fontd", lpStr2="bes10", nChar=5) returned 1 [0058.479] StrCmpNW (lpStr1="fontd", lpStr2="black", nChar=5) returned 1 [0058.479] StrCmpNW (lpStr1="fon", lpStr2="sql", nChar=3) returned -1 [0058.479] StrCmpNW (lpStr1="fontdrvho", lpStr2="store.exe", nChar=9) returned -1 [0058.479] StrCmpNW (lpStr1="fon", lpStr2="vee", nChar=3) returned -1 [0058.479] StrCmpNW (lpStr1="fontd", lpStr2="postg", nChar=5) returned -1 [0058.479] StrCmpNW (lpStr1="font", lpStr2="sage", nChar=4) returned -1 [0058.479] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x318, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.480] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.480] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.480] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.480] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.480] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.480] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.480] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.480] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.480] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.480] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x234, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0058.480] StrCmpNW (lpStr1="dwm.e", lpStr2="mysql", nChar=5) returned -1 [0058.480] StrCmpNW (lpStr1="dwm", lpStr2="IBM", nChar=3) returned -1 [0058.480] StrCmpNW (lpStr1="dwm.e", lpStr2="bes10", nChar=5) returned 1 [0058.480] StrCmpNW (lpStr1="dwm.e", lpStr2="black", nChar=5) returned 1 [0058.481] StrCmpNW (lpStr1="dwm", lpStr2="sql", nChar=3) returned -1 [0058.481] StrCmpNW (lpStr1="dwm.exe", lpStr2="store.exe", nChar=9) returned -1 [0058.481] StrCmpNW (lpStr1="dwm", lpStr2="vee", nChar=3) returned -1 [0058.481] StrCmpNW (lpStr1="dwm.e", lpStr2="postg", nChar=5) returned -1 [0058.481] StrCmpNW (lpStr1="dwm.", lpStr2="sage", nChar=4) returned -1 [0058.481] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x57, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.481] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.481] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.481] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.482] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.482] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.482] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.482] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.482] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.482] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.482] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.482] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.483] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.483] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.483] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.483] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.483] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.483] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.483] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.483] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.483] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.483] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.484] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.484] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.484] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.484] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.484] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.484] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.484] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.484] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.484] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.484] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.485] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.485] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.485] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.485] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.485] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.485] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.485] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.485] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.485] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.485] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.487] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.487] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.487] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.487] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.487] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.487] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.487] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.487] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.487] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.487] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.487] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.487] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.488] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.488] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.488] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.488] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.488] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.488] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.488] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.488] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x538, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.545] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.545] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.545] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.545] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.545] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.545] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.545] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.545] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.545] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.545] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0058.546] StrCmpNW (lpStr1="spool", lpStr2="mysql", nChar=5) returned 1 [0058.546] StrCmpNW (lpStr1="spo", lpStr2="IBM", nChar=3) returned 1 [0058.546] StrCmpNW (lpStr1="spool", lpStr2="bes10", nChar=5) returned 1 [0058.546] StrCmpNW (lpStr1="spool", lpStr2="black", nChar=5) returned 1 [0058.546] StrCmpNW (lpStr1="spo", lpStr2="sql", nChar=3) returned -1 [0058.546] StrCmpNW (lpStr1="spoolsv.e", lpStr2="store.exe", nChar=9) returned -1 [0058.546] StrCmpNW (lpStr1="spo", lpStr2="vee", nChar=3) returned -1 [0058.546] StrCmpNW (lpStr1="spool", lpStr2="postg", nChar=5) returned 1 [0058.546] StrCmpNW (lpStr1="spoo", lpStr2="sage", nChar=4) returned 1 [0058.546] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.547] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.547] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.547] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.547] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.547] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.547] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x684, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="mysql", nChar=5) returned 1 [0058.547] StrCmpNW (lpStr1="svc", lpStr2="IBM", nChar=3) returned 1 [0058.547] StrCmpNW (lpStr1="svcho", lpStr2="bes10", nChar=5) returned 1 [0058.548] StrCmpNW (lpStr1="svcho", lpStr2="black", nChar=5) returned 1 [0058.548] StrCmpNW (lpStr1="svc", lpStr2="sql", nChar=3) returned 1 [0058.548] StrCmpNW (lpStr1="svchost.e", lpStr2="store.exe", nChar=9) returned 1 [0058.548] StrCmpNW (lpStr1="svc", lpStr2="vee", nChar=3) returned -1 [0058.548] StrCmpNW (lpStr1="svcho", lpStr2="postg", nChar=5) returned 1 [0058.548] StrCmpNW (lpStr1="svch", lpStr2="sage", nChar=4) returned 1 [0058.548] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x4fc, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0058.548] StrCmpNW (lpStr1="audio", lpStr2="mysql", nChar=5) returned -1 [0058.548] StrCmpNW (lpStr1="aud", lpStr2="IBM", nChar=3) returned -1 [0058.548] StrCmpNW (lpStr1="audio", lpStr2="bes10", nChar=5) returned -1 [0058.548] StrCmpNW (lpStr1="audio", lpStr2="black", nChar=5) returned -1 [0058.548] StrCmpNW (lpStr1="aud", lpStr2="sql", nChar=3) returned -1 [0058.548] StrCmpNW (lpStr1="audiodg.e", lpStr2="store.exe", nChar=9) returned -1 [0058.548] StrCmpNW (lpStr1="aud", lpStr2="vee", nChar=3) returned -1 [0058.548] StrCmpNW (lpStr1="audio", lpStr2="postg", nChar=5) returned -1 [0058.548] StrCmpNW (lpStr1="audi", lpStr2="sage", nChar=4) returned -1 [0058.548] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0058.549] StrCmpNW (lpStr1="sihos", lpStr2="mysql", nChar=5) returned 1 [0058.549] StrCmpNW (lpStr1="sih", lpStr2="IBM", nChar=3) returned 1 [0058.549] StrCmpNW (lpStr1="sihos", lpStr2="bes10", nChar=5) returned 1 [0058.549] StrCmpNW (lpStr1="sihos", lpStr2="black", nChar=5) returned 1 [0058.549] StrCmpNW (lpStr1="sih", lpStr2="sql", nChar=3) returned -1 [0058.549] StrCmpNW (lpStr1="sihost.ex", lpStr2="store.exe", nChar=9) returned -1 [0058.549] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x718, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.550] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.550] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0058.550] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0058.551] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x834, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0058.552] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0058.552] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0058.552] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0058.553] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0058.553] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0058.554] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x3c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.554] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="OfficeC2RClient.exe")) returned 1 [0058.555] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UsoClient.exe")) returned 1 [0058.555] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0058.556] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.556] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0058.557] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0058.557] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x654, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="msoia.exe")) returned 1 [0058.558] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3c0, pcPriClassBase=6, dwFlags=0x0, szExeFile="AppHostRegistrationVerifier.exe")) returned 1 [0058.558] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xda4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screensaver.exe")) returned 1 [0058.559] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="empty_suite_xml.exe")) returned 1 [0058.559] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="sets_buying_defeat.exe")) returned 1 [0058.560] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="boss.exe")) returned 1 [0058.560] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="screenshots-sample-organizing.exe")) returned 1 [0058.561] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="campus_rank_airplane.exe")) returned 1 [0058.561] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="spies_circus_courage.exe")) returned 1 [0058.561] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="swap.exe")) returned 1 [0058.562] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="interactive.exe")) returned 1 [0058.562] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="neil_arrived_victims.exe")) returned 1 [0058.563] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x324, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="global diverse.exe")) returned 1 [0058.564] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x408, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="quotations-brave.exe")) returned 1 [0058.564] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="bachelor.exe")) returned 1 [0058.565] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="genealogy.exe")) returned 1 [0058.565] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="experiments manage.exe")) returned 1 [0058.566] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="drama.exe")) returned 1 [0058.567] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="using-sandy.exe")) returned 1 [0058.567] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="thinkingpatents.exe")) returned 1 [0058.568] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="evaluations.exe")) returned 1 [0058.569] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xec0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="bringing-ip.exe")) returned 1 [0058.569] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="emotions.exe")) returned 1 [0058.570] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2b4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0058.570] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="bloodpopularity.exe")) returned 1 [0058.571] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xd0c, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.571] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x7ec, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.572] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.573] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x860, pcPriClassBase=8, dwFlags=0x0, szExeFile="hwyfzd.exe")) returned 1 [0058.573] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x12c, pcPriClassBase=4, dwFlags=0x0, szExeFile="CompatTelRunner.exe")) returned 1 [0058.574] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xe94, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.574] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x250, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0058.575] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xfb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0058.575] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x260, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0058.576] Process32NextW (in: hSnapshot=0x2f4, lppe=0x19eb4c | out: lppe=0x19eb4c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x39c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x260, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0058.576] CloseHandle (hObject=0x2f4) returned 1 [0058.576] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3a43920 [0058.613] EnumServicesStatusExW (in: hSCManager=0x3a43920, InfoLevel=0x0, dwServiceType=0x3b, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19eda8, lpServicesReturned=0x19edac, lpResumeHandle=0x19ed94, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19eda8, lpServicesReturned=0x19edac, lpResumeHandle=0x19ed94) returned 0 [0058.615] GetLastError () returned 0x5 [0058.615] CloseServiceHandle (hSCObject=0x3a43920) returned 1 [0058.615] SHGetFolderPathW (in: hwnd=0x0, csidl=0, hToken=0x0, dwFlags=0x0, pszPath=0x406268 | out: pszPath="C:\\Users\\FD1HVy\\Desktop") returned 0x0 [0058.615] GetLogicalDrives () returned 0x4 [0058.615] wnsprintfW (in: pszDest=0x19ed74, cchDest=25, pszFmt="%c:\\" | out: pszDest="C:\\") returned 3 [0058.615] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0058.616] GetProcessHeap () returned 0x3a00000 [0058.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x208) returned 0x3a35cc8 [0058.616] wnsprintfW (in: pszDest=0x3a35cc8, cchDest=260, pszFmt="\\\\?\\%c:" | out: pszDest="\\\\?\\C:") returned 6 [0058.616] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x402640, lpParameter=0x3a35cc8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2f0 [0058.616] WaitForMultipleObjects (nCount=0x1, lpHandles=0x19eda8*=0x2f0, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xb64 Thread: id = 3 os_tid = 0xd90 Thread: id = 4 os_tid = 0xf94 Thread: id = 5 os_tid = 0x36c Thread: id = 6 os_tid = 0xd84 Thread: id = 7 os_tid = 0xdb4 Thread: id = 8 os_tid = 0xecc Thread: id = 29 os_tid = 0xe98 [0058.629] GetProcessHeap () returned 0x3a00000 [0058.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a35428 [0058.629] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\*") returned 8 [0058.629] FindFirstFileW (in: lpFileName="\\\\?\\C:\\*", lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x3a37a78 [0058.630] lstrcmpiW (lpString1="$GetCurrent", lpString2="Windows") returned -1 [0058.630] lstrcmpiW (lpString1="$GetCurrent", lpString2="$Recycle.bin") returned -1 [0058.630] lstrcmpiW (lpString1="$GetCurrent", lpString2="System Volume Information") returned -1 [0058.630] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files") returned -1 [0058.630] lstrcmpiW (lpString1="$GetCurrent", lpString2="Program Files (x86)") returned -1 [0058.630] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent") returned 18 [0058.630] lstrcmpW (lpString1="$GetCurrent", lpString2=".") returned -1 [0058.630] lstrcmpW (lpString1="$GetCurrent", lpString2="..") returned -1 [0058.630] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.630] GetProcessHeap () returned 0x3a00000 [0058.630] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0058.630] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\*") returned 20 [0058.630] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0058.632] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.632] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.632] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.632] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.632] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.632] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\.") returned 20 [0058.632] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.632] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0058.632] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0058.632] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0058.632] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.632] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\." (normalized: "c:\\$getcurrent\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.632] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.633] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.633] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.633] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.633] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.633] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.633] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\..") returned 21 [0058.633] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.633] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.633] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0058.633] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0058.633] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0058.633] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.633] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0058.633] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0058.633] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0058.633] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0058.633] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0058.633] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0058.633] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0058.633] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs") returned 23 [0058.633] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0058.633] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0058.633] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.633] GetProcessHeap () returned 0x3a00000 [0058.633] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.633] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\*") returned 25 [0058.633] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0058.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.636] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\.") returned 25 [0058.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.636] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.637] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.637] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.637] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.637] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.637] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\..") returned 26 [0058.637] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.637] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0058.637] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Windows") returned -1 [0058.637] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$Recycle.bin") returned 1 [0058.637] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="System Volume Information") returned -1 [0058.637] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files") returned -1 [0058.637] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="Program Files (x86)") returned -1 [0058.637] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 61 [0058.637] StrStrIW (lpFirst="downlevel_2017_09_07_02_02_39_766.log", lpSrch=".ebal") returned 0x0 [0058.637] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.637] lstrcmpW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="taridd") returned -1 [0058.637] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.637] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.638] GetTickCount () returned 0x114f1a4 [0058.638] GetTickCount () returned 0x114f1a4 [0058.638] GetTickCount () returned 0x114f1a4 [0058.638] GetTickCount () returned 0x114f1a4 [0058.638] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.639] GetProcessHeap () returned 0x3a00000 [0058.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.639] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.641] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.641] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.642] GetProcessHeap () returned 0x3a00000 [0058.642] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.642] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.642] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.642] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.642] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.642] CloseHandle (hObject=0x430) returned 1 [0058.644] GetProcessHeap () returned 0x3a00000 [0058.644] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.644] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{8ew5f6}.ebal") returned 80 [0058.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log_r00t_{8ew5f6}.ebal")) returned 1 [0058.644] GetProcessHeap () returned 0x3a00000 [0058.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.644] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0058.644] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Windows") returned -1 [0058.644] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$Recycle.bin") returned 1 [0058.644] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="System Volume Information") returned -1 [0058.645] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files") returned -1 [0058.645] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="Program Files (x86)") returned -1 [0058.645] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 56 [0058.645] StrStrIW (lpFirst="oobe_2017_09_07_03_08_57_737.log", lpSrch=".ebal") returned 0x0 [0058.645] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.645] lstrcmpW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="taridd") returned -1 [0058.645] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.645] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.646] GetTickCount () returned 0x114f1b4 [0058.646] GetTickCount () returned 0x114f1b4 [0058.646] GetTickCount () returned 0x114f1b4 [0058.646] GetTickCount () returned 0x114f1b4 [0058.646] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.646] GetProcessHeap () returned 0x3a00000 [0058.646] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.646] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x1774, lpOverlapped=0x0) returned 1 [0058.648] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe88c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.648] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x1774, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x1774, lpOverlapped=0x0) returned 1 [0058.648] GetProcessHeap () returned 0x3a00000 [0058.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.648] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.648] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.648] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.648] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.648] CloseHandle (hObject=0x430) returned 1 [0058.649] GetProcessHeap () returned 0x3a00000 [0058.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.649] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{8ew5f6}.ebal") returned 75 [0058.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log_r00t_{8ew5f6}.ebal")) returned 1 [0058.650] GetProcessHeap () returned 0x3a00000 [0058.650] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.650] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0058.650] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Windows") returned -1 [0058.650] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$Recycle.bin") returned 1 [0058.650] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="System Volume Information") returned -1 [0058.650] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files") returned -1 [0058.650] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="Program Files (x86)") returned -1 [0058.650] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 54 [0058.650] StrStrIW (lpFirst="PartnerSetupCompleteResult.log", lpSrch=".ebal") returned 0x0 [0058.650] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.650] lstrcmpW (lpString1="PartnerSetupCompleteResult.log", lpString2="taridd") returned -1 [0058.650] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.650] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.650] GetTickCount () returned 0x114f1b4 [0058.650] GetTickCount () returned 0x114f1b4 [0058.650] GetTickCount () returned 0x114f1b4 [0058.650] GetTickCount () returned 0x114f1b4 [0058.650] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.650] GetProcessHeap () returned 0x3a00000 [0058.650] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.651] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x28, lpOverlapped=0x0) returned 1 [0058.651] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.652] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x28, lpOverlapped=0x0) returned 1 [0058.652] GetProcessHeap () returned 0x3a00000 [0058.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.652] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.652] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.653] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.653] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.653] CloseHandle (hObject=0x430) returned 1 [0058.654] GetProcessHeap () returned 0x3a00000 [0058.654] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.654] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{8ew5f6}.ebal") returned 73 [0058.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log_r00t_{8ew5f6}.ebal")) returned 1 [0058.654] GetProcessHeap () returned 0x3a00000 [0058.654] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.654] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0058.654] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0058.654] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 55 [0058.654] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.655] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.656] CloseHandle (hObject=0x42c) returned 1 [0058.656] GetProcessHeap () returned 0x3a00000 [0058.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.656] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0058.656] lstrcmpiW (lpString1="SafeOS", lpString2="Windows") returned -1 [0058.656] lstrcmpiW (lpString1="SafeOS", lpString2="$Recycle.bin") returned 1 [0058.656] lstrcmpiW (lpString1="SafeOS", lpString2="System Volume Information") returned -1 [0058.656] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files") returned 1 [0058.656] lstrcmpiW (lpString1="SafeOS", lpString2="Program Files (x86)") returned 1 [0058.656] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS") returned 25 [0058.656] lstrcmpW (lpString1="SafeOS", lpString2=".") returned 1 [0058.657] lstrcmpW (lpString1="SafeOS", lpString2="..") returned 1 [0058.657] lstrcmpW (lpString1="\\\\?\\C:\\$GetCurrent\\SafeOS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.657] GetProcessHeap () returned 0x3a00000 [0058.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.657] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\*") returned 27 [0058.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0058.658] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.658] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.659] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\.") returned 27 [0058.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.659] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.659] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.659] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.659] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\..") returned 28 [0058.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.659] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0058.659] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Windows") returned -1 [0058.659] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$Recycle.bin") returned 1 [0058.659] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="System Volume Information") returned -1 [0058.659] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files") returned -1 [0058.659] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="Program Files (x86)") returned -1 [0058.659] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 44 [0058.659] StrStrIW (lpFirst="GetCurrentOOBE.dll", lpSrch=".ebal") returned 0x0 [0058.659] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.659] lstrcmpW (lpString1="GetCurrentOOBE.dll", lpString2="taridd") returned -1 [0058.659] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.659] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.661] GetTickCount () returned 0x114f1c4 [0058.661] GetTickCount () returned 0x114f1c4 [0058.661] GetTickCount () returned 0x114f1c4 [0058.661] GetTickCount () returned 0x114f1c4 [0058.661] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.661] GetProcessHeap () returned 0x3a00000 [0058.661] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.661] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.663] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.663] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.663] GetProcessHeap () returned 0x3a00000 [0058.663] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.663] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.664] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.664] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.664] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.664] CloseHandle (hObject=0x430) returned 1 [0058.689] GetProcessHeap () returned 0x3a00000 [0058.689] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.689] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{8ew5f6}.ebal") returned 63 [0058.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll_r00t_{8ew5f6}.ebal")) returned 1 [0058.690] GetProcessHeap () returned 0x3a00000 [0058.690] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.690] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0058.690] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Windows") returned -1 [0058.690] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$Recycle.bin") returned 1 [0058.690] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="System Volume Information") returned -1 [0058.690] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files") returned -1 [0058.690] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="Program Files (x86)") returned -1 [0058.690] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 48 [0058.690] StrStrIW (lpFirst="GetCurrentRollback.ini", lpSrch=".ebal") returned 0x0 [0058.690] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.690] lstrcmpW (lpString1="GetCurrentRollback.ini", lpString2="taridd") returned -1 [0058.690] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.690] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.692] GetTickCount () returned 0x114f1f3 [0058.692] GetTickCount () returned 0x114f1f3 [0058.692] GetTickCount () returned 0x114f1f3 [0058.692] GetTickCount () returned 0x114f1f3 [0058.692] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.692] GetProcessHeap () returned 0x3a00000 [0058.692] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.692] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x9c, lpOverlapped=0x0) returned 1 [0058.693] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffff64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.693] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x9c, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x9c, lpOverlapped=0x0) returned 1 [0058.693] GetProcessHeap () returned 0x3a00000 [0058.693] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.693] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.693] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.695] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.695] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.695] CloseHandle (hObject=0x430) returned 1 [0058.696] GetProcessHeap () returned 0x3a00000 [0058.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{8ew5f6}.ebal") returned 67 [0058.696] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini_r00t_{8ew5f6}.ebal")) returned 1 [0058.700] GetProcessHeap () returned 0x3a00000 [0058.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.700] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0058.700] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Windows") returned -1 [0058.700] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0058.700] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="System Volume Information") returned -1 [0058.700] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files") returned -1 [0058.700] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="Program Files (x86)") returned -1 [0058.700] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 50 [0058.700] StrStrIW (lpFirst="PartnerSetupComplete.cmd", lpSrch=".ebal") returned 0x0 [0058.700] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.700] lstrcmpW (lpString1="PartnerSetupComplete.cmd", lpString2="taridd") returned -1 [0058.700] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.700] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.700] GetTickCount () returned 0x114f1f3 [0058.700] GetTickCount () returned 0x114f1f3 [0058.701] GetTickCount () returned 0x114f1f3 [0058.701] GetTickCount () returned 0x114f1f3 [0058.701] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.701] GetProcessHeap () returned 0x3a00000 [0058.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.701] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x241, lpOverlapped=0x0) returned 1 [0058.702] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffdbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.702] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x241, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x241, lpOverlapped=0x0) returned 1 [0058.702] GetProcessHeap () returned 0x3a00000 [0058.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.702] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.702] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.702] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.703] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.703] CloseHandle (hObject=0x430) returned 1 [0058.703] GetProcessHeap () returned 0x3a00000 [0058.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.703] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{8ew5f6}.ebal") returned 69 [0058.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd_r00t_{8ew5f6}.ebal")) returned 1 [0058.704] GetProcessHeap () returned 0x3a00000 [0058.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.704] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0058.704] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Windows") returned -1 [0058.704] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$Recycle.bin") returned 1 [0058.704] lstrcmpiW (lpString1="preoobe.cmd", lpString2="System Volume Information") returned -1 [0058.704] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files") returned -1 [0058.704] lstrcmpiW (lpString1="preoobe.cmd", lpString2="Program Files (x86)") returned -1 [0058.704] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 37 [0058.704] StrStrIW (lpFirst="preoobe.cmd", lpSrch=".ebal") returned 0x0 [0058.704] lstrcmpW (lpString1="preoobe.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.704] lstrcmpW (lpString1="preoobe.cmd", lpString2="taridd") returned -1 [0058.704] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.704] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.705] GetTickCount () returned 0x114f1f3 [0058.705] GetTickCount () returned 0x114f1f3 [0058.705] GetTickCount () returned 0x114f1f3 [0058.705] GetTickCount () returned 0x114f1f3 [0058.705] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.705] GetProcessHeap () returned 0x3a00000 [0058.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.705] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x4a, lpOverlapped=0x0) returned 1 [0058.706] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffffb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.706] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x4a, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x4a, lpOverlapped=0x0) returned 1 [0058.706] GetProcessHeap () returned 0x3a00000 [0058.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.706] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.706] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.708] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.708] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.708] CloseHandle (hObject=0x430) returned 1 [0058.708] GetProcessHeap () returned 0x3a00000 [0058.708] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.709] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{8ew5f6}.ebal") returned 56 [0058.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\preoobe.cmd_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd_r00t_{8ew5f6}.ebal")) returned 1 [0058.709] GetProcessHeap () returned 0x3a00000 [0058.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.709] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0058.709] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Windows") returned -1 [0058.709] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$Recycle.bin") returned 1 [0058.709] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="System Volume Information") returned -1 [0058.709] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files") returned 1 [0058.709] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="Program Files (x86)") returned 1 [0058.709] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 43 [0058.709] StrStrIW (lpFirst="SetupComplete.cmd", lpSrch=".ebal") returned 0x0 [0058.709] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.709] lstrcmpW (lpString1="SetupComplete.cmd", lpString2="taridd") returned -1 [0058.709] StrCmpNW (lpStr1="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.709] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.710] GetTickCount () returned 0x114f1f3 [0058.710] GetTickCount () returned 0x114f1f3 [0058.710] GetTickCount () returned 0x114f1f3 [0058.710] GetTickCount () returned 0x114f1f3 [0058.710] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.710] GetProcessHeap () returned 0x3a00000 [0058.710] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a61fc8 [0058.710] ReadFile (in: hFile=0x430, lpBuffer=0x3a61fc8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesRead=0x65af7e4*=0x133, lpOverlapped=0x0) returned 1 [0058.711] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffecd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.711] WriteFile (in: hFile=0x430, lpBuffer=0x3a61fc8*, nNumberOfBytesToWrite=0x133, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a61fc8*, lpNumberOfBytesWritten=0x65af7e4*=0x133, lpOverlapped=0x0) returned 1 [0058.711] GetProcessHeap () returned 0x3a00000 [0058.711] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a61fc8 | out: hHeap=0x3a00000) returned 1 [0058.711] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.712] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.712] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.712] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.712] CloseHandle (hObject=0x430) returned 1 [0058.713] GetProcessHeap () returned 0x3a00000 [0058.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{8ew5f6}.ebal") returned 62 [0058.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), lpNewFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd_r00t_{8ew5f6}.ebal" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd_r00t_{8ew5f6}.ebal")) returned 1 [0058.714] GetProcessHeap () returned 0x3a00000 [0058.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.714] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0058.714] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0058.714] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0058.714] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\SafeOS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\safeos\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.714] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.715] CloseHandle (hObject=0x42c) returned 1 [0058.716] GetProcessHeap () returned 0x3a00000 [0058.716] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.716] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0058.716] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0058.716] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 50 [0058.716] CreateFileW (lpFileName="\\\\?\\C:\\$GetCurrent\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\$getcurrent\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0058.716] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0058.717] CloseHandle (hObject=0x428) returned 1 [0058.718] GetProcessHeap () returned 0x3a00000 [0058.718] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0058.718] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0058.718] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="Windows") returned -1 [0058.718] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$Recycle.bin") returned 0 [0058.718] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0058.718] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Windows") returned -1 [0058.718] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$Recycle.bin") returned 1 [0058.718] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="System Volume Information") returned -1 [0058.718] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files") returned -1 [0058.718] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="Program Files (x86)") returned -1 [0058.718] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 37 [0058.718] StrStrIW (lpFirst="$WINRE_BACKUP_PARTITION.MARKER", lpSrch=".ebal") returned 0x0 [0058.718] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0058.718] lstrcmpW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="taridd") returned -1 [0058.718] StrCmpNW (lpStr1="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.718] CreateFileW (lpFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0058.719] GetTickCount () returned 0x114f202 [0058.719] GetTickCount () returned 0x114f202 [0058.719] GetTickCount () returned 0x114f202 [0058.719] GetTickCount () returned 0x114f202 [0058.719] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65afc40*, pdwDataLen=0x65afcf0*=0x2c, dwBufLen=0x80 | out: pbData=0x65afc40*, pdwDataLen=0x65afcf0*=0x80) returned 1 [0058.720] GetProcessHeap () returned 0x3a00000 [0058.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a60fc0 [0058.720] ReadFile (in: hFile=0x428, lpBuffer=0x3a60fc0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a60fc0*, lpNumberOfBytesRead=0x65afcf4*=0x0, lpOverlapped=0x0) returned 1 [0058.720] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.720] WriteFile (in: hFile=0x428, lpBuffer=0x3a60fc0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a60fc0*, lpNumberOfBytesWritten=0x65afcf4*=0x0, lpOverlapped=0x0) returned 1 [0058.720] GetProcessHeap () returned 0x3a00000 [0058.720] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a60fc0 | out: hHeap=0x3a00000) returned 1 [0058.720] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.720] WriteFile (in: hFile=0x428, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afcf4*=0x300, lpOverlapped=0x0) returned 1 [0058.721] WriteFile (in: hFile=0x428, lpBuffer=0x65afc40*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x65afc40*, lpNumberOfBytesWritten=0x65afcf4*=0x80, lpOverlapped=0x0) returned 1 [0058.721] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afcf4*=0x4, lpOverlapped=0x0) returned 1 [0058.721] CloseHandle (hObject=0x428) returned 1 [0058.721] GetProcessHeap () returned 0x3a00000 [0058.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0058.721] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{8ew5f6}.ebal") returned 56 [0058.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="\\\\?\\C:\\$WINRE_BACKUP_PARTITION.MARKER_r00t_{8ew5f6}.ebal" (normalized: "c:\\$winre_backup_partition.marker_r00t_{8ew5f6}.ebal")) returned 1 [0058.722] GetProcessHeap () returned 0x3a00000 [0058.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0058.722] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0058.722] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Windows") returned -1 [0058.722] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$Recycle.bin") returned 1 [0058.722] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="System Volume Information") returned -1 [0058.722] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files") returned -1 [0058.722] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="Program Files (x86)") returned -1 [0058.722] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212") returned 25 [0058.722] lstrcmpW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0058.722] lstrcmpW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0058.722] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.722] GetProcessHeap () returned 0x3a00000 [0058.722] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0058.722] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\*") returned 27 [0058.723] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0058.763] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.763] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.763] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.763] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.763] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.763] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\.") returned 27 [0058.763] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.763] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.764] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.764] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.764] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.764] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.764] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.764] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\..") returned 28 [0058.764] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.764] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1025", cAlternateFileName="")) returned 1 [0058.764] lstrcmpiW (lpString1="1025", lpString2="Windows") returned -1 [0058.764] lstrcmpiW (lpString1="1025", lpString2="$Recycle.bin") returned 1 [0058.764] lstrcmpiW (lpString1="1025", lpString2="System Volume Information") returned -1 [0058.764] lstrcmpiW (lpString1="1025", lpString2="Program Files") returned -1 [0058.764] lstrcmpiW (lpString1="1025", lpString2="Program Files (x86)") returned -1 [0058.764] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025") returned 30 [0058.764] lstrcmpW (lpString1="1025", lpString2=".") returned 1 [0058.764] lstrcmpW (lpString1="1025", lpString2="..") returned 1 [0058.764] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1025", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.764] GetProcessHeap () returned 0x3a00000 [0058.764] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.764] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\*") returned 32 [0058.764] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0058.765] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.765] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.765] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.765] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.765] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.765] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\.") returned 32 [0058.765] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.765] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.765] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.765] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.765] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.765] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.765] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.765] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\..") returned 33 [0058.765] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.765] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.765] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.766] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.766] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.766] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.766] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.766] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.766] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 39 [0058.766] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0058.766] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.766] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.766] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.766] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.767] GetTickCount () returned 0x114f231 [0058.767] GetTickCount () returned 0x114f231 [0058.767] GetTickCount () returned 0x114f231 [0058.767] GetTickCount () returned 0x114f231 [0058.767] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.767] GetProcessHeap () returned 0x3a00000 [0058.767] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.767] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0058.769] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe271, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.769] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x1d8f, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x1d8f, lpOverlapped=0x0) returned 1 [0058.769] GetProcessHeap () returned 0x3a00000 [0058.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.769] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.769] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.770] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.770] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.770] CloseHandle (hObject=0x430) returned 1 [0058.771] GetProcessHeap () returned 0x3a00000 [0058.771] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.771] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0058.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0058.773] GetProcessHeap () returned 0x3a00000 [0058.773] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.773] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.773] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.773] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.773] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.773] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.773] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.773] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 48 [0058.773] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0058.773] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.773] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.773] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.773] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.774] GetTickCount () returned 0x114f231 [0058.774] GetTickCount () returned 0x114f231 [0058.774] GetTickCount () returned 0x114f231 [0058.774] GetTickCount () returned 0x114f231 [0058.774] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.774] GetProcessHeap () returned 0x3a00000 [0058.774] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.774] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.776] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.776] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.776] GetProcessHeap () returned 0x3a00000 [0058.776] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.776] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.776] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.776] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.777] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.777] CloseHandle (hObject=0x430) returned 1 [0058.779] GetProcessHeap () returned 0x3a00000 [0058.779] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.779] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0058.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0058.779] GetProcessHeap () returned 0x3a00000 [0058.779] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.779] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.780] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.780] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.780] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.780] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.780] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.780] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 49 [0058.780] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0058.780] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.780] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.780] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.780] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.780] GetTickCount () returned 0x114f231 [0058.781] GetTickCount () returned 0x114f231 [0058.781] GetTickCount () returned 0x114f231 [0058.781] GetTickCount () returned 0x114f231 [0058.781] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.781] GetProcessHeap () returned 0x3a00000 [0058.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.781] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.786] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.786] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.786] GetProcessHeap () returned 0x3a00000 [0058.786] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.786] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.786] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.786] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.786] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.787] CloseHandle (hObject=0x430) returned 1 [0058.788] GetProcessHeap () returned 0x3a00000 [0058.788] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0058.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0058.788] GetProcessHeap () returned 0x3a00000 [0058.788] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.789] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.789] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0058.789] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.789] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1025\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1025\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.789] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.790] CloseHandle (hObject=0x42c) returned 1 [0058.790] GetProcessHeap () returned 0x3a00000 [0058.790] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.790] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1028", cAlternateFileName="")) returned 1 [0058.790] lstrcmpiW (lpString1="1028", lpString2="Windows") returned -1 [0058.790] lstrcmpiW (lpString1="1028", lpString2="$Recycle.bin") returned 1 [0058.790] lstrcmpiW (lpString1="1028", lpString2="System Volume Information") returned -1 [0058.790] lstrcmpiW (lpString1="1028", lpString2="Program Files") returned -1 [0058.790] lstrcmpiW (lpString1="1028", lpString2="Program Files (x86)") returned -1 [0058.790] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028") returned 30 [0058.790] lstrcmpW (lpString1="1028", lpString2=".") returned 1 [0058.791] lstrcmpW (lpString1="1028", lpString2="..") returned 1 [0058.791] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1028", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.791] GetProcessHeap () returned 0x3a00000 [0058.791] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.791] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\*") returned 32 [0058.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0058.791] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.791] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.792] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.792] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.792] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\.") returned 32 [0058.792] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.792] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.792] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.792] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.792] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.792] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\..") returned 33 [0058.792] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.792] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.792] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.792] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.792] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.792] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.792] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.792] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 39 [0058.792] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0058.792] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.792] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.792] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.792] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.792] GetTickCount () returned 0x114f241 [0058.792] GetTickCount () returned 0x114f241 [0058.792] GetTickCount () returned 0x114f241 [0058.793] GetTickCount () returned 0x114f241 [0058.793] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.793] GetProcessHeap () returned 0x3a00000 [0058.793] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.793] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0058.794] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.794] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0058.794] GetProcessHeap () returned 0x3a00000 [0058.794] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.794] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.794] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.794] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.795] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.795] CloseHandle (hObject=0x430) returned 1 [0058.796] GetProcessHeap () returned 0x3a00000 [0058.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.796] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0058.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0058.798] GetProcessHeap () returned 0x3a00000 [0058.798] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.798] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.798] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.798] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.798] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.798] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.798] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.798] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 48 [0058.798] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0058.798] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.798] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.798] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.798] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.798] GetTickCount () returned 0x114f250 [0058.798] GetTickCount () returned 0x114f250 [0058.799] GetTickCount () returned 0x114f250 [0058.799] GetTickCount () returned 0x114f250 [0058.799] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.799] GetProcessHeap () returned 0x3a00000 [0058.799] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.799] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.801] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.801] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.801] GetProcessHeap () returned 0x3a00000 [0058.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.801] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.801] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.801] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.801] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.801] CloseHandle (hObject=0x430) returned 1 [0058.803] GetProcessHeap () returned 0x3a00000 [0058.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.804] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0058.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0058.804] GetProcessHeap () returned 0x3a00000 [0058.804] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.804] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.804] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.804] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.804] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.804] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.804] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.804] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 49 [0058.804] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0058.804] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.804] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.804] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.804] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.924] GetTickCount () returned 0x114f2cd [0058.925] GetTickCount () returned 0x114f2cd [0058.925] GetTickCount () returned 0x114f2cd [0058.925] GetTickCount () returned 0x114f2cd [0058.925] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.925] GetProcessHeap () returned 0x3a00000 [0058.925] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.925] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.927] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.927] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.927] GetProcessHeap () returned 0x3a00000 [0058.927] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.927] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.927] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.927] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.927] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.927] CloseHandle (hObject=0x430) returned 1 [0058.928] GetProcessHeap () returned 0x3a00000 [0058.929] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.929] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0058.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0058.929] GetProcessHeap () returned 0x3a00000 [0058.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.929] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.929] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0058.929] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.929] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1028\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1028\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.930] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.931] CloseHandle (hObject=0x42c) returned 1 [0058.931] GetProcessHeap () returned 0x3a00000 [0058.931] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.931] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1029", cAlternateFileName="")) returned 1 [0058.931] lstrcmpiW (lpString1="1029", lpString2="Windows") returned -1 [0058.931] lstrcmpiW (lpString1="1029", lpString2="$Recycle.bin") returned 1 [0058.931] lstrcmpiW (lpString1="1029", lpString2="System Volume Information") returned -1 [0058.931] lstrcmpiW (lpString1="1029", lpString2="Program Files") returned -1 [0058.931] lstrcmpiW (lpString1="1029", lpString2="Program Files (x86)") returned -1 [0058.931] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029") returned 30 [0058.931] lstrcmpW (lpString1="1029", lpString2=".") returned 1 [0058.931] lstrcmpW (lpString1="1029", lpString2="..") returned 1 [0058.931] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1029", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.931] GetProcessHeap () returned 0x3a00000 [0058.931] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.931] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\*") returned 32 [0058.931] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0058.932] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.932] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.932] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.932] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.932] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.932] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\.") returned 32 [0058.932] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.932] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.932] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.932] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.932] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.932] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.932] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.932] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\..") returned 33 [0058.932] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.932] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.932] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.933] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.933] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.933] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.933] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.933] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.933] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 39 [0058.933] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0058.933] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.933] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.933] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.933] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.933] GetTickCount () returned 0x114f2cd [0058.933] GetTickCount () returned 0x114f2cd [0058.933] GetTickCount () returned 0x114f2cd [0058.933] GetTickCount () returned 0x114f2cd [0058.934] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.934] GetProcessHeap () returned 0x3a00000 [0058.934] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.934] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0058.935] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff172, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.935] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xe8e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xe8e, lpOverlapped=0x0) returned 1 [0058.935] GetProcessHeap () returned 0x3a00000 [0058.935] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.935] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.935] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.935] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.936] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.936] CloseHandle (hObject=0x430) returned 1 [0058.936] GetProcessHeap () returned 0x3a00000 [0058.936] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.936] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0058.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0058.938] GetProcessHeap () returned 0x3a00000 [0058.938] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.938] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.938] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.938] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.939] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.939] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.939] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.939] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 48 [0058.939] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0058.939] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.939] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.939] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.939] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.939] GetTickCount () returned 0x114f2dd [0058.939] GetTickCount () returned 0x114f2dd [0058.939] GetTickCount () returned 0x114f2dd [0058.939] GetTickCount () returned 0x114f2dd [0058.939] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.939] GetProcessHeap () returned 0x3a00000 [0058.939] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.939] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.941] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.941] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.941] GetProcessHeap () returned 0x3a00000 [0058.942] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.942] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.942] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.942] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.942] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.942] CloseHandle (hObject=0x430) returned 1 [0058.944] GetProcessHeap () returned 0x3a00000 [0058.944] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.944] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0058.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0058.945] GetProcessHeap () returned 0x3a00000 [0058.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.945] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.945] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.945] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.945] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.945] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.945] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.945] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 49 [0058.945] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0058.945] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.945] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.945] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.945] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.945] GetTickCount () returned 0x114f2dd [0058.945] GetTickCount () returned 0x114f2dd [0058.945] GetTickCount () returned 0x114f2dd [0058.945] GetTickCount () returned 0x114f2dd [0058.945] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.945] GetProcessHeap () returned 0x3a00000 [0058.945] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.945] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.947] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.947] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.947] GetProcessHeap () returned 0x3a00000 [0058.947] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.947] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.947] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.948] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.948] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.948] CloseHandle (hObject=0x430) returned 1 [0058.949] GetProcessHeap () returned 0x3a00000 [0058.949] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.949] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0058.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0058.949] GetProcessHeap () returned 0x3a00000 [0058.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.949] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.949] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0058.949] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.949] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1029\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1029\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.950] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.951] CloseHandle (hObject=0x42c) returned 1 [0058.951] GetProcessHeap () returned 0x3a00000 [0058.951] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.951] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1030", cAlternateFileName="")) returned 1 [0058.951] lstrcmpiW (lpString1="1030", lpString2="Windows") returned -1 [0058.951] lstrcmpiW (lpString1="1030", lpString2="$Recycle.bin") returned 1 [0058.951] lstrcmpiW (lpString1="1030", lpString2="System Volume Information") returned -1 [0058.951] lstrcmpiW (lpString1="1030", lpString2="Program Files") returned -1 [0058.951] lstrcmpiW (lpString1="1030", lpString2="Program Files (x86)") returned -1 [0058.951] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030") returned 30 [0058.951] lstrcmpW (lpString1="1030", lpString2=".") returned 1 [0058.951] lstrcmpW (lpString1="1030", lpString2="..") returned 1 [0058.952] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.952] GetProcessHeap () returned 0x3a00000 [0058.952] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.952] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\*") returned 32 [0058.952] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0058.952] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.952] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.952] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.952] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.952] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.952] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\.") returned 32 [0058.952] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.952] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.952] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.952] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.953] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.953] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.953] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.953] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\..") returned 33 [0058.953] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.953] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.953] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.953] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.953] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 39 [0058.953] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0058.953] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.953] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.953] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.953] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.953] GetTickCount () returned 0x114f2dd [0058.953] GetTickCount () returned 0x114f2dd [0058.953] GetTickCount () returned 0x114f2ed [0058.953] GetTickCount () returned 0x114f2ed [0058.953] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.953] GetProcessHeap () returned 0x3a00000 [0058.954] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.954] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0058.956] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff30e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.956] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xcf2, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xcf2, lpOverlapped=0x0) returned 1 [0058.956] GetProcessHeap () returned 0x3a00000 [0058.956] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.956] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.956] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.956] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.956] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.956] CloseHandle (hObject=0x430) returned 1 [0058.957] GetProcessHeap () returned 0x3a00000 [0058.957] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.957] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0058.957] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0058.959] GetProcessHeap () returned 0x3a00000 [0058.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.959] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.959] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.959] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.959] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.959] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.959] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.960] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 48 [0058.960] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0058.960] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.960] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.960] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.960] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.960] GetTickCount () returned 0x114f2ed [0058.960] GetTickCount () returned 0x114f2ed [0058.960] GetTickCount () returned 0x114f2ed [0058.960] GetTickCount () returned 0x114f2ed [0058.960] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.960] GetProcessHeap () returned 0x3a00000 [0058.960] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.960] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.979] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.980] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.980] GetProcessHeap () returned 0x3a00000 [0058.980] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.980] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.980] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.980] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.980] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.980] CloseHandle (hObject=0x430) returned 1 [0058.983] GetProcessHeap () returned 0x3a00000 [0058.983] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.983] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0058.983] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0058.984] GetProcessHeap () returned 0x3a00000 [0058.984] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.984] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0058.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0058.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0058.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0058.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0058.984] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0058.984] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 49 [0058.984] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0058.984] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.984] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0058.984] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.984] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.985] GetTickCount () returned 0x114f30c [0058.985] GetTickCount () returned 0x114f30c [0058.985] GetTickCount () returned 0x114f30c [0058.985] GetTickCount () returned 0x114f30c [0058.985] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.985] GetProcessHeap () returned 0x3a00000 [0058.985] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.985] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.987] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.988] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0058.988] GetProcessHeap () returned 0x3a00000 [0058.988] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.988] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.988] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.988] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.988] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.988] CloseHandle (hObject=0x430) returned 1 [0058.989] GetProcessHeap () returned 0x3a00000 [0058.989] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.989] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0058.989] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0058.990] GetProcessHeap () returned 0x3a00000 [0058.990] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.990] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0058.990] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0058.990] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0058.990] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0058.990] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0058.991] CloseHandle (hObject=0x42c) returned 1 [0058.991] GetProcessHeap () returned 0x3a00000 [0058.991] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0058.991] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1031", cAlternateFileName="")) returned 1 [0058.991] lstrcmpiW (lpString1="1031", lpString2="Windows") returned -1 [0058.991] lstrcmpiW (lpString1="1031", lpString2="$Recycle.bin") returned 1 [0058.991] lstrcmpiW (lpString1="1031", lpString2="System Volume Information") returned -1 [0058.992] lstrcmpiW (lpString1="1031", lpString2="Program Files") returned -1 [0058.992] lstrcmpiW (lpString1="1031", lpString2="Program Files (x86)") returned -1 [0058.992] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031") returned 30 [0058.992] lstrcmpW (lpString1="1031", lpString2=".") returned 1 [0058.992] lstrcmpW (lpString1="1031", lpString2="..") returned 1 [0058.992] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1031", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0058.992] GetProcessHeap () returned 0x3a00000 [0058.992] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0058.992] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\*") returned 32 [0058.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0058.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0058.993] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0058.993] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0058.993] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0058.993] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0058.993] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\.") returned 32 [0058.993] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0058.993] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0058.993] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0058.993] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0058.993] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0058.993] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0058.993] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0058.993] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\..") returned 33 [0058.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0058.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0058.993] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0058.993] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0058.993] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0058.993] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0058.993] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0058.993] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0058.993] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 39 [0058.993] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0058.993] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.993] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0058.993] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.993] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.994] GetTickCount () returned 0x114f30c [0058.994] GetTickCount () returned 0x114f30c [0058.994] GetTickCount () returned 0x114f30c [0058.994] GetTickCount () returned 0x114f30c [0058.994] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.994] GetProcessHeap () returned 0x3a00000 [0058.994] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.994] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0058.995] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff2a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0058.995] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xd5b, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xd5b, lpOverlapped=0x0) returned 1 [0058.995] GetProcessHeap () returned 0x3a00000 [0058.995] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0058.995] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.995] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0058.996] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0058.996] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0058.996] CloseHandle (hObject=0x430) returned 1 [0058.996] GetProcessHeap () returned 0x3a00000 [0058.996] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0058.996] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0058.996] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0058.998] GetProcessHeap () returned 0x3a00000 [0058.998] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0058.998] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0058.998] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0058.998] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0058.998] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0058.998] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0058.998] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0058.998] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 48 [0058.999] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0058.999] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0058.999] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0058.999] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0058.999] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0058.999] GetTickCount () returned 0x114f30c [0058.999] GetTickCount () returned 0x114f30c [0058.999] GetTickCount () returned 0x114f30c [0058.999] GetTickCount () returned 0x114f30c [0058.999] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0058.999] GetProcessHeap () returned 0x3a00000 [0058.999] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0058.999] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.002] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.002] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.002] GetProcessHeap () returned 0x3a00000 [0059.002] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.002] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.002] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.002] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.002] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.002] CloseHandle (hObject=0x430) returned 1 [0059.005] GetProcessHeap () returned 0x3a00000 [0059.005] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.005] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.005] GetProcessHeap () returned 0x3a00000 [0059.005] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.005] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.005] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.005] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.005] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.005] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.005] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.005] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 49 [0059.005] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.005] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.005] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.005] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.005] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.006] GetTickCount () returned 0x114f31b [0059.006] GetTickCount () returned 0x114f31b [0059.006] GetTickCount () returned 0x114f31b [0059.006] GetTickCount () returned 0x114f31b [0059.006] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.006] GetProcessHeap () returned 0x3a00000 [0059.006] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.006] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.008] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.008] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.008] GetProcessHeap () returned 0x3a00000 [0059.008] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.008] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.008] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.008] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.008] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.008] CloseHandle (hObject=0x430) returned 1 [0059.010] GetProcessHeap () returned 0x3a00000 [0059.010] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.010] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.010] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.010] GetProcessHeap () returned 0x3a00000 [0059.010] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.010] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.010] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0059.010] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.010] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1031\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1031\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.011] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.012] CloseHandle (hObject=0x42c) returned 1 [0059.012] GetProcessHeap () returned 0x3a00000 [0059.012] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.012] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1032", cAlternateFileName="")) returned 1 [0059.012] lstrcmpiW (lpString1="1032", lpString2="Windows") returned -1 [0059.012] lstrcmpiW (lpString1="1032", lpString2="$Recycle.bin") returned 1 [0059.012] lstrcmpiW (lpString1="1032", lpString2="System Volume Information") returned -1 [0059.012] lstrcmpiW (lpString1="1032", lpString2="Program Files") returned -1 [0059.012] lstrcmpiW (lpString1="1032", lpString2="Program Files (x86)") returned -1 [0059.012] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032") returned 30 [0059.012] lstrcmpW (lpString1="1032", lpString2=".") returned 1 [0059.012] lstrcmpW (lpString1="1032", lpString2="..") returned 1 [0059.012] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1032", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.012] GetProcessHeap () returned 0x3a00000 [0059.012] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.012] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\*") returned 32 [0059.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0059.013] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.013] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\.") returned 32 [0059.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.013] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.013] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.013] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.013] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.013] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.013] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.014] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\..") returned 33 [0059.014] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.014] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.014] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.014] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.014] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.014] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.014] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.014] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.014] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 39 [0059.014] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.014] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.014] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.014] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.014] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.015] GetTickCount () returned 0x114f31b [0059.015] GetTickCount () returned 0x114f31b [0059.015] GetTickCount () returned 0x114f31b [0059.015] GetTickCount () returned 0x114f31b [0059.015] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.015] GetProcessHeap () returned 0x3a00000 [0059.015] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.015] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0059.044] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffdd54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.044] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x22ac, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x22ac, lpOverlapped=0x0) returned 1 [0059.044] GetProcessHeap () returned 0x3a00000 [0059.044] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.044] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.044] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.044] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.044] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.045] CloseHandle (hObject=0x430) returned 1 [0059.046] GetProcessHeap () returned 0x3a00000 [0059.046] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.046] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.049] GetProcessHeap () returned 0x3a00000 [0059.049] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.049] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.049] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.049] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 48 [0059.049] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.049] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.049] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.049] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.049] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.049] GetTickCount () returned 0x114f34a [0059.049] GetTickCount () returned 0x114f34a [0059.049] GetTickCount () returned 0x114f34a [0059.049] GetTickCount () returned 0x114f34a [0059.049] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.050] GetProcessHeap () returned 0x3a00000 [0059.050] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.050] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.053] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.053] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.053] GetProcessHeap () returned 0x3a00000 [0059.053] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.053] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.053] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.053] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.054] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.054] CloseHandle (hObject=0x430) returned 1 [0059.056] GetProcessHeap () returned 0x3a00000 [0059.056] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.056] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.057] GetProcessHeap () returned 0x3a00000 [0059.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.057] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.057] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.057] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.057] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.057] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.057] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.057] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 49 [0059.057] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.057] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.057] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.057] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.057] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.057] GetTickCount () returned 0x114f34a [0059.057] GetTickCount () returned 0x114f34a [0059.057] GetTickCount () returned 0x114f34a [0059.057] GetTickCount () returned 0x114f34a [0059.057] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.058] GetProcessHeap () returned 0x3a00000 [0059.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.058] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.060] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.060] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.060] GetProcessHeap () returned 0x3a00000 [0059.060] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.060] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.060] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.060] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.060] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.060] CloseHandle (hObject=0x430) returned 1 [0059.061] GetProcessHeap () returned 0x3a00000 [0059.061] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.061] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.062] GetProcessHeap () returned 0x3a00000 [0059.062] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.062] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.062] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0059.062] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.062] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1032\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1032\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.062] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.063] CloseHandle (hObject=0x42c) returned 1 [0059.064] GetProcessHeap () returned 0x3a00000 [0059.064] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.064] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1033", cAlternateFileName="")) returned 1 [0059.064] lstrcmpiW (lpString1="1033", lpString2="Windows") returned -1 [0059.064] lstrcmpiW (lpString1="1033", lpString2="$Recycle.bin") returned 1 [0059.064] lstrcmpiW (lpString1="1033", lpString2="System Volume Information") returned -1 [0059.064] lstrcmpiW (lpString1="1033", lpString2="Program Files") returned -1 [0059.064] lstrcmpiW (lpString1="1033", lpString2="Program Files (x86)") returned -1 [0059.064] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033") returned 30 [0059.064] lstrcmpW (lpString1="1033", lpString2=".") returned 1 [0059.064] lstrcmpW (lpString1="1033", lpString2="..") returned 1 [0059.064] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.064] GetProcessHeap () returned 0x3a00000 [0059.064] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.064] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\*") returned 32 [0059.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0059.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.065] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\.") returned 32 [0059.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.065] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.065] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\..") returned 33 [0059.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.066] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.066] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.066] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.066] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.066] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.066] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.066] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 39 [0059.066] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.066] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.066] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.066] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.066] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.066] GetTickCount () returned 0x114f35a [0059.066] GetTickCount () returned 0x114f35a [0059.066] GetTickCount () returned 0x114f35a [0059.066] GetTickCount () returned 0x114f35a [0059.066] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.066] GetProcessHeap () returned 0x3a00000 [0059.066] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.066] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xc74, lpOverlapped=0x0) returned 1 [0059.068] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff38c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.068] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xc74, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xc74, lpOverlapped=0x0) returned 1 [0059.069] GetProcessHeap () returned 0x3a00000 [0059.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.069] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.069] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.069] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.069] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.069] CloseHandle (hObject=0x430) returned 1 [0059.070] GetProcessHeap () returned 0x3a00000 [0059.070] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.070] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.070] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.072] GetProcessHeap () returned 0x3a00000 [0059.072] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.072] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.072] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.072] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.072] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.072] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.072] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.072] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 48 [0059.072] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.072] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.072] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.072] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.072] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.073] GetTickCount () returned 0x114f35a [0059.073] GetTickCount () returned 0x114f35a [0059.073] GetTickCount () returned 0x114f35a [0059.073] GetTickCount () returned 0x114f35a [0059.073] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.073] GetProcessHeap () returned 0x3a00000 [0059.073] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.073] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.075] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.075] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.075] GetProcessHeap () returned 0x3a00000 [0059.075] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.075] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.076] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.076] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.076] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.076] CloseHandle (hObject=0x430) returned 1 [0059.078] GetProcessHeap () returned 0x3a00000 [0059.078] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.078] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.078] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.079] GetProcessHeap () returned 0x3a00000 [0059.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.079] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.079] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.079] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.079] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.079] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.079] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.079] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 49 [0059.079] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.079] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.079] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.079] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.079] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.079] GetTickCount () returned 0x114f36a [0059.079] GetTickCount () returned 0x114f36a [0059.079] GetTickCount () returned 0x114f36a [0059.079] GetTickCount () returned 0x114f36a [0059.079] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.079] GetProcessHeap () returned 0x3a00000 [0059.079] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.080] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.083] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.083] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.083] GetProcessHeap () returned 0x3a00000 [0059.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.083] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.083] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.083] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.083] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.083] CloseHandle (hObject=0x430) returned 1 [0059.111] GetProcessHeap () returned 0x3a00000 [0059.111] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.111] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.111] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.112] GetProcessHeap () returned 0x3a00000 [0059.112] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.112] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.112] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0059.112] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.112] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.113] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.114] CloseHandle (hObject=0x42c) returned 1 [0059.115] GetProcessHeap () returned 0x3a00000 [0059.115] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.115] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1035", cAlternateFileName="")) returned 1 [0059.115] lstrcmpiW (lpString1="1035", lpString2="Windows") returned -1 [0059.115] lstrcmpiW (lpString1="1035", lpString2="$Recycle.bin") returned 1 [0059.115] lstrcmpiW (lpString1="1035", lpString2="System Volume Information") returned -1 [0059.115] lstrcmpiW (lpString1="1035", lpString2="Program Files") returned -1 [0059.115] lstrcmpiW (lpString1="1035", lpString2="Program Files (x86)") returned -1 [0059.115] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035") returned 30 [0059.115] lstrcmpW (lpString1="1035", lpString2=".") returned 1 [0059.115] lstrcmpW (lpString1="1035", lpString2="..") returned 1 [0059.115] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1035", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.115] GetProcessHeap () returned 0x3a00000 [0059.115] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.115] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\*") returned 32 [0059.115] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0059.115] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.115] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.115] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.115] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.115] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.115] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\.") returned 32 [0059.115] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.115] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.115] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.115] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.115] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.116] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.116] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.116] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\..") returned 33 [0059.116] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.116] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.116] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.116] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.116] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.116] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.116] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.116] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.116] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 39 [0059.116] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.116] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.116] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.116] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.116] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.116] GetTickCount () returned 0x114f389 [0059.116] GetTickCount () returned 0x114f389 [0059.116] GetTickCount () returned 0x114f389 [0059.116] GetTickCount () returned 0x114f389 [0059.116] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.116] GetProcessHeap () returned 0x3a00000 [0059.116] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.117] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xe76, lpOverlapped=0x0) returned 1 [0059.118] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff18a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.118] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xe76, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xe76, lpOverlapped=0x0) returned 1 [0059.118] GetProcessHeap () returned 0x3a00000 [0059.118] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.118] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.118] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.118] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.118] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.118] CloseHandle (hObject=0x430) returned 1 [0059.119] GetProcessHeap () returned 0x3a00000 [0059.119] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.119] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.119] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.122] GetProcessHeap () returned 0x3a00000 [0059.122] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.122] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.122] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.122] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.122] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.122] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.122] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.122] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 48 [0059.122] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.123] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.123] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.123] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.123] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.123] GetTickCount () returned 0x114f389 [0059.123] GetTickCount () returned 0x114f389 [0059.123] GetTickCount () returned 0x114f389 [0059.123] GetTickCount () returned 0x114f389 [0059.123] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.123] GetProcessHeap () returned 0x3a00000 [0059.123] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.123] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.125] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.126] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.126] GetProcessHeap () returned 0x3a00000 [0059.126] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.126] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.126] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.126] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.126] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.126] CloseHandle (hObject=0x430) returned 1 [0059.128] GetProcessHeap () returned 0x3a00000 [0059.128] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.128] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.129] GetProcessHeap () returned 0x3a00000 [0059.129] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.129] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.129] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.129] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.129] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.129] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.129] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.129] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 49 [0059.129] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.129] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.129] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.129] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.129] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.129] GetTickCount () returned 0x114f398 [0059.130] GetTickCount () returned 0x114f398 [0059.130] GetTickCount () returned 0x114f398 [0059.130] GetTickCount () returned 0x114f398 [0059.130] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.130] GetProcessHeap () returned 0x3a00000 [0059.130] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.130] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.131] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.132] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.132] GetProcessHeap () returned 0x3a00000 [0059.132] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.132] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.132] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.132] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.132] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.132] CloseHandle (hObject=0x430) returned 1 [0059.142] GetProcessHeap () returned 0x3a00000 [0059.143] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.143] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.143] GetProcessHeap () returned 0x3a00000 [0059.143] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.143] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.143] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0059.143] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.143] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1035\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1035\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.144] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.144] CloseHandle (hObject=0x42c) returned 1 [0059.145] GetProcessHeap () returned 0x3a00000 [0059.145] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.145] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1036", cAlternateFileName="")) returned 1 [0059.145] lstrcmpiW (lpString1="1036", lpString2="Windows") returned -1 [0059.145] lstrcmpiW (lpString1="1036", lpString2="$Recycle.bin") returned 1 [0059.145] lstrcmpiW (lpString1="1036", lpString2="System Volume Information") returned -1 [0059.145] lstrcmpiW (lpString1="1036", lpString2="Program Files") returned -1 [0059.145] lstrcmpiW (lpString1="1036", lpString2="Program Files (x86)") returned -1 [0059.145] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036") returned 30 [0059.145] lstrcmpW (lpString1="1036", lpString2=".") returned 1 [0059.145] lstrcmpW (lpString1="1036", lpString2="..") returned 1 [0059.145] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1036", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.145] GetProcessHeap () returned 0x3a00000 [0059.145] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.145] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\*") returned 32 [0059.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0059.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.164] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\.") returned 32 [0059.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.164] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.164] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.164] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.164] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.164] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.164] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.164] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\..") returned 33 [0059.164] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.165] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.165] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.165] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.165] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.165] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.165] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.165] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.165] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 39 [0059.165] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.165] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.165] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.165] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.165] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.165] GetTickCount () returned 0x114f3b8 [0059.165] GetTickCount () returned 0x114f3b8 [0059.165] GetTickCount () returned 0x114f3b8 [0059.165] GetTickCount () returned 0x114f3b8 [0059.165] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.165] GetProcessHeap () returned 0x3a00000 [0059.165] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.165] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0059.167] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff23a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.167] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0xdc6, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0xdc6, lpOverlapped=0x0) returned 1 [0059.167] GetProcessHeap () returned 0x3a00000 [0059.167] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.167] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.167] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.167] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.167] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.167] CloseHandle (hObject=0x430) returned 1 [0059.168] GetProcessHeap () returned 0x3a00000 [0059.168] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.168] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.168] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.171] GetProcessHeap () returned 0x3a00000 [0059.171] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.171] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.171] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.172] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.172] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.172] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.172] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 48 [0059.172] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.172] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.172] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.172] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.172] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.172] GetTickCount () returned 0x114f3c7 [0059.172] GetTickCount () returned 0x114f3c7 [0059.172] GetTickCount () returned 0x114f3c7 [0059.172] GetTickCount () returned 0x114f3c7 [0059.172] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.172] GetProcessHeap () returned 0x3a00000 [0059.172] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.172] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.174] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.174] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.175] GetProcessHeap () returned 0x3a00000 [0059.175] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.175] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.175] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.175] CloseHandle (hObject=0x430) returned 1 [0059.177] GetProcessHeap () returned 0x3a00000 [0059.177] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.177] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.177] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.178] GetProcessHeap () returned 0x3a00000 [0059.178] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.178] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.178] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.178] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.178] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.178] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.178] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.178] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 49 [0059.178] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.178] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.179] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.179] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.179] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.179] GetTickCount () returned 0x114f3c7 [0059.179] GetTickCount () returned 0x114f3c7 [0059.179] GetTickCount () returned 0x114f3c7 [0059.179] GetTickCount () returned 0x114f3c7 [0059.179] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.179] GetProcessHeap () returned 0x3a00000 [0059.179] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.179] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.181] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.181] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.181] GetProcessHeap () returned 0x3a00000 [0059.181] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.181] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.181] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.181] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.181] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.181] CloseHandle (hObject=0x430) returned 1 [0059.182] GetProcessHeap () returned 0x3a00000 [0059.182] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.182] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.182] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.183] GetProcessHeap () returned 0x3a00000 [0059.183] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.183] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.183] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0059.183] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.183] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1036\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1036\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.183] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.184] CloseHandle (hObject=0x42c) returned 1 [0059.185] GetProcessHeap () returned 0x3a00000 [0059.185] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.185] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1037", cAlternateFileName="")) returned 1 [0059.185] lstrcmpiW (lpString1="1037", lpString2="Windows") returned -1 [0059.185] lstrcmpiW (lpString1="1037", lpString2="$Recycle.bin") returned 1 [0059.185] lstrcmpiW (lpString1="1037", lpString2="System Volume Information") returned -1 [0059.185] lstrcmpiW (lpString1="1037", lpString2="Program Files") returned -1 [0059.185] lstrcmpiW (lpString1="1037", lpString2="Program Files (x86)") returned -1 [0059.185] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037") returned 30 [0059.185] lstrcmpW (lpString1="1037", lpString2=".") returned 1 [0059.185] lstrcmpW (lpString1="1037", lpString2="..") returned 1 [0059.185] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1037", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.185] GetProcessHeap () returned 0x3a00000 [0059.185] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.185] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\*") returned 32 [0059.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0059.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.186] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.186] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\.") returned 32 [0059.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.186] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.186] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\..") returned 33 [0059.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.186] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.186] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.186] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.186] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.186] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 39 [0059.186] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.186] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.186] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.186] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.186] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.187] GetTickCount () returned 0x114f3c7 [0059.187] GetTickCount () returned 0x114f3c7 [0059.187] GetTickCount () returned 0x114f3c7 [0059.187] GetTickCount () returned 0x114f3c7 [0059.187] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.187] GetProcessHeap () returned 0x3a00000 [0059.187] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.187] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0059.189] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe53d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.189] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x1ac3, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x1ac3, lpOverlapped=0x0) returned 1 [0059.189] GetProcessHeap () returned 0x3a00000 [0059.189] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.189] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.189] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.189] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.189] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.189] CloseHandle (hObject=0x430) returned 1 [0059.190] GetProcessHeap () returned 0x3a00000 [0059.190] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.190] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.192] GetProcessHeap () returned 0x3a00000 [0059.192] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.192] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.192] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.192] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 48 [0059.192] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.192] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.192] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.192] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.192] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.194] GetTickCount () returned 0x114f3d7 [0059.194] GetTickCount () returned 0x114f3d7 [0059.194] GetTickCount () returned 0x114f3d7 [0059.194] GetTickCount () returned 0x114f3d7 [0059.194] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.194] GetProcessHeap () returned 0x3a00000 [0059.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a62fd0 [0059.194] ReadFile (in: hFile=0x430, lpBuffer=0x3a62fd0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.197] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.198] WriteFile (in: hFile=0x430, lpBuffer=0x3a62fd0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a62fd0*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.198] GetProcessHeap () returned 0x3a00000 [0059.198] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a62fd0 | out: hHeap=0x3a00000) returned 1 [0059.198] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.198] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.198] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.198] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.198] CloseHandle (hObject=0x430) returned 1 [0059.200] GetProcessHeap () returned 0x3a00000 [0059.200] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.200] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.201] GetProcessHeap () returned 0x3a00000 [0059.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.201] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.201] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.201] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.201] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.201] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.201] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.201] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 49 [0059.201] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.201] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.201] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.201] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.201] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.202] GetTickCount () returned 0x114f3d7 [0059.202] GetTickCount () returned 0x114f3d7 [0059.202] GetTickCount () returned 0x114f3d7 [0059.202] GetTickCount () returned 0x114f3d7 [0059.202] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.202] GetProcessHeap () returned 0x3a00000 [0059.202] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.202] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.232] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.232] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.233] GetProcessHeap () returned 0x3a00000 [0059.233] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.233] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.233] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.233] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.233] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.233] CloseHandle (hObject=0x430) returned 1 [0059.234] GetProcessHeap () returned 0x3a00000 [0059.234] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.234] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.237] GetProcessHeap () returned 0x3a00000 [0059.237] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.237] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.237] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0059.237] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.237] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1037\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1037\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.237] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.238] CloseHandle (hObject=0x42c) returned 1 [0059.238] GetProcessHeap () returned 0x3a00000 [0059.238] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.238] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1038", cAlternateFileName="")) returned 1 [0059.238] lstrcmpiW (lpString1="1038", lpString2="Windows") returned -1 [0059.238] lstrcmpiW (lpString1="1038", lpString2="$Recycle.bin") returned 1 [0059.238] lstrcmpiW (lpString1="1038", lpString2="System Volume Information") returned -1 [0059.238] lstrcmpiW (lpString1="1038", lpString2="Program Files") returned -1 [0059.238] lstrcmpiW (lpString1="1038", lpString2="Program Files (x86)") returned -1 [0059.238] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038") returned 30 [0059.238] lstrcmpW (lpString1="1038", lpString2=".") returned 1 [0059.238] lstrcmpW (lpString1="1038", lpString2="..") returned 1 [0059.238] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1038", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.239] GetProcessHeap () returned 0x3a00000 [0059.239] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\*") returned 32 [0059.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0059.239] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\.") returned 32 [0059.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.239] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\..") returned 33 [0059.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.239] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.239] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.239] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.239] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.239] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.239] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 39 [0059.239] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.239] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.240] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.240] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.240] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.240] GetTickCount () returned 0x114f406 [0059.240] GetTickCount () returned 0x114f406 [0059.240] GetTickCount () returned 0x114f406 [0059.240] GetTickCount () returned 0x114f406 [0059.240] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.240] GetProcessHeap () returned 0x3a00000 [0059.240] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.240] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x109e, lpOverlapped=0x0) returned 1 [0059.241] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffef62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.241] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x109e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x109e, lpOverlapped=0x0) returned 1 [0059.242] GetProcessHeap () returned 0x3a00000 [0059.242] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.242] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.242] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.242] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.242] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.242] CloseHandle (hObject=0x430) returned 1 [0059.243] GetProcessHeap () returned 0x3a00000 [0059.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.243] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.245] GetProcessHeap () returned 0x3a00000 [0059.245] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.245] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.245] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.245] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.245] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.245] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.245] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.245] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 48 [0059.245] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.245] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.245] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.245] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.245] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.245] GetTickCount () returned 0x114f406 [0059.245] GetTickCount () returned 0x114f406 [0059.245] GetTickCount () returned 0x114f406 [0059.245] GetTickCount () returned 0x114f406 [0059.245] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.245] GetProcessHeap () returned 0x3a00000 [0059.245] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.245] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.247] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.247] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.248] GetProcessHeap () returned 0x3a00000 [0059.248] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.248] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.248] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.248] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.248] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.248] CloseHandle (hObject=0x430) returned 1 [0059.250] GetProcessHeap () returned 0x3a00000 [0059.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.251] GetProcessHeap () returned 0x3a00000 [0059.251] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.251] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.251] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.251] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.251] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.251] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.251] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.251] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 49 [0059.252] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.252] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.252] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.252] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.252] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.252] GetTickCount () returned 0x114f415 [0059.252] GetTickCount () returned 0x114f415 [0059.252] GetTickCount () returned 0x114f415 [0059.252] GetTickCount () returned 0x114f415 [0059.252] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.252] GetProcessHeap () returned 0x3a00000 [0059.253] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.253] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.261] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.261] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.262] GetProcessHeap () returned 0x3a00000 [0059.262] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.262] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.262] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.262] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.262] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.262] CloseHandle (hObject=0x430) returned 1 [0059.263] GetProcessHeap () returned 0x3a00000 [0059.263] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.263] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.264] GetProcessHeap () returned 0x3a00000 [0059.264] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.264] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.264] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0059.264] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.264] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1038\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1038\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.265] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.306] CloseHandle (hObject=0x42c) returned 1 [0059.306] GetProcessHeap () returned 0x3a00000 [0059.306] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.306] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1040", cAlternateFileName="")) returned 1 [0059.306] lstrcmpiW (lpString1="1040", lpString2="Windows") returned -1 [0059.306] lstrcmpiW (lpString1="1040", lpString2="$Recycle.bin") returned 1 [0059.306] lstrcmpiW (lpString1="1040", lpString2="System Volume Information") returned -1 [0059.306] lstrcmpiW (lpString1="1040", lpString2="Program Files") returned -1 [0059.306] lstrcmpiW (lpString1="1040", lpString2="Program Files (x86)") returned -1 [0059.306] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040") returned 30 [0059.306] lstrcmpW (lpString1="1040", lpString2=".") returned 1 [0059.307] lstrcmpW (lpString1="1040", lpString2="..") returned 1 [0059.307] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1040", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.307] GetProcessHeap () returned 0x3a00000 [0059.307] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.307] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\*") returned 32 [0059.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0059.308] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.308] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.308] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.308] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\.") returned 32 [0059.308] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.308] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.308] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.308] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.308] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.308] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.308] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.308] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\..") returned 33 [0059.308] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.308] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.308] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.308] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.308] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.308] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.308] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.308] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.308] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 39 [0059.308] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.308] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.308] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.308] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.309] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.321] GetTickCount () returned 0x114f454 [0059.321] GetTickCount () returned 0x114f454 [0059.321] GetTickCount () returned 0x114f454 [0059.321] GetTickCount () returned 0x114f454 [0059.321] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.321] GetProcessHeap () returned 0x3a00000 [0059.321] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.321] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0059.323] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff1c5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.323] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xe3b, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xe3b, lpOverlapped=0x0) returned 1 [0059.323] GetProcessHeap () returned 0x3a00000 [0059.323] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.323] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.323] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.324] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.324] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.324] CloseHandle (hObject=0x430) returned 1 [0059.325] GetProcessHeap () returned 0x3a00000 [0059.325] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.325] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.325] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.327] GetProcessHeap () returned 0x3a00000 [0059.327] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.327] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.327] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.327] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.327] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.327] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.327] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.327] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 48 [0059.327] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.327] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.327] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.327] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.327] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.327] GetTickCount () returned 0x114f454 [0059.327] GetTickCount () returned 0x114f454 [0059.327] GetTickCount () returned 0x114f454 [0059.327] GetTickCount () returned 0x114f454 [0059.327] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.328] GetProcessHeap () returned 0x3a00000 [0059.328] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.328] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.330] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.330] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.330] GetProcessHeap () returned 0x3a00000 [0059.330] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.330] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.330] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.330] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.330] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.330] CloseHandle (hObject=0x430) returned 1 [0059.332] GetProcessHeap () returned 0x3a00000 [0059.332] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.333] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.333] GetProcessHeap () returned 0x3a00000 [0059.333] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.333] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.333] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.333] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 49 [0059.333] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.333] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.333] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.333] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.333] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.335] GetTickCount () returned 0x114f464 [0059.335] GetTickCount () returned 0x114f464 [0059.335] GetTickCount () returned 0x114f464 [0059.335] GetTickCount () returned 0x114f464 [0059.335] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.335] GetProcessHeap () returned 0x3a00000 [0059.335] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.335] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.337] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.337] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.337] GetProcessHeap () returned 0x3a00000 [0059.337] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.337] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.337] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.337] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.338] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.338] CloseHandle (hObject=0x430) returned 1 [0059.339] GetProcessHeap () returned 0x3a00000 [0059.339] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.339] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.339] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.339] GetProcessHeap () returned 0x3a00000 [0059.340] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.340] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.340] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0059.340] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.340] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1040\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1040\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.340] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.341] CloseHandle (hObject=0x42c) returned 1 [0059.341] GetProcessHeap () returned 0x3a00000 [0059.341] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.341] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1041", cAlternateFileName="")) returned 1 [0059.341] lstrcmpiW (lpString1="1041", lpString2="Windows") returned -1 [0059.341] lstrcmpiW (lpString1="1041", lpString2="$Recycle.bin") returned 1 [0059.341] lstrcmpiW (lpString1="1041", lpString2="System Volume Information") returned -1 [0059.341] lstrcmpiW (lpString1="1041", lpString2="Program Files") returned -1 [0059.341] lstrcmpiW (lpString1="1041", lpString2="Program Files (x86)") returned -1 [0059.341] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041") returned 30 [0059.341] lstrcmpW (lpString1="1041", lpString2=".") returned 1 [0059.341] lstrcmpW (lpString1="1041", lpString2="..") returned 1 [0059.341] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1041", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.341] GetProcessHeap () returned 0x3a00000 [0059.341] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.341] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\*") returned 32 [0059.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0059.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.342] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\.") returned 32 [0059.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.342] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.342] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.342] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\..") returned 33 [0059.342] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.342] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.342] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.342] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.342] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.342] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.342] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.342] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 39 [0059.342] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.342] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.342] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.342] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.342] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.343] GetTickCount () returned 0x114f464 [0059.343] GetTickCount () returned 0x114f464 [0059.343] GetTickCount () returned 0x114f464 [0059.343] GetTickCount () returned 0x114f464 [0059.343] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.343] GetProcessHeap () returned 0x3a00000 [0059.343] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.343] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x278d, lpOverlapped=0x0) returned 1 [0059.344] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd873, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.344] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x278d, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x278d, lpOverlapped=0x0) returned 1 [0059.345] GetProcessHeap () returned 0x3a00000 [0059.345] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.345] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.345] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.345] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.345] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.345] CloseHandle (hObject=0x430) returned 1 [0059.346] GetProcessHeap () returned 0x3a00000 [0059.346] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.346] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.347] GetProcessHeap () returned 0x3a00000 [0059.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.348] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.348] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.348] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.348] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.348] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.348] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.348] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 48 [0059.348] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.348] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.348] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.348] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.348] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.348] GetTickCount () returned 0x114f473 [0059.348] GetTickCount () returned 0x114f473 [0059.348] GetTickCount () returned 0x114f473 [0059.348] GetTickCount () returned 0x114f473 [0059.348] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.348] GetProcessHeap () returned 0x3a00000 [0059.348] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.348] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.350] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.350] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.350] GetProcessHeap () returned 0x3a00000 [0059.350] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.350] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.351] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.351] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.351] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.351] CloseHandle (hObject=0x430) returned 1 [0059.353] GetProcessHeap () returned 0x3a00000 [0059.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.353] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.353] GetProcessHeap () returned 0x3a00000 [0059.354] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.354] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.354] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.354] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.354] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.354] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.354] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.354] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 49 [0059.354] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.354] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.354] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.354] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.354] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.354] GetTickCount () returned 0x114f473 [0059.354] GetTickCount () returned 0x114f473 [0059.354] GetTickCount () returned 0x114f473 [0059.354] GetTickCount () returned 0x114f473 [0059.354] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.354] GetProcessHeap () returned 0x3a00000 [0059.354] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.354] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.356] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.357] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.357] GetProcessHeap () returned 0x3a00000 [0059.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.357] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.357] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.357] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.357] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.357] CloseHandle (hObject=0x430) returned 1 [0059.368] GetProcessHeap () returned 0x3a00000 [0059.368] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.369] GetProcessHeap () returned 0x3a00000 [0059.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.369] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.369] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0059.370] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.370] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1041\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1041\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.370] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.371] CloseHandle (hObject=0x42c) returned 1 [0059.372] GetProcessHeap () returned 0x3a00000 [0059.372] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.372] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1042", cAlternateFileName="")) returned 1 [0059.372] lstrcmpiW (lpString1="1042", lpString2="Windows") returned -1 [0059.372] lstrcmpiW (lpString1="1042", lpString2="$Recycle.bin") returned 1 [0059.372] lstrcmpiW (lpString1="1042", lpString2="System Volume Information") returned -1 [0059.372] lstrcmpiW (lpString1="1042", lpString2="Program Files") returned -1 [0059.372] lstrcmpiW (lpString1="1042", lpString2="Program Files (x86)") returned -1 [0059.372] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042") returned 30 [0059.372] lstrcmpW (lpString1="1042", lpString2=".") returned 1 [0059.372] lstrcmpW (lpString1="1042", lpString2="..") returned 1 [0059.372] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1042", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.372] GetProcessHeap () returned 0x3a00000 [0059.372] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.372] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\*") returned 32 [0059.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0059.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.373] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.373] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.373] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.373] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.373] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\.") returned 32 [0059.373] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.373] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.373] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.373] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.373] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.373] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.373] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.373] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\..") returned 33 [0059.373] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.373] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.373] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.373] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.373] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.373] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.373] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.373] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.373] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 39 [0059.374] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.374] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.374] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.374] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.374] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.374] GetTickCount () returned 0x114f483 [0059.374] GetTickCount () returned 0x114f483 [0059.374] GetTickCount () returned 0x114f483 [0059.374] GetTickCount () returned 0x114f483 [0059.374] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.374] GetProcessHeap () returned 0x3a00000 [0059.375] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.375] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.377] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.377] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.378] GetProcessHeap () returned 0x3a00000 [0059.378] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.378] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.378] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.378] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.378] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.378] CloseHandle (hObject=0x430) returned 1 [0059.380] GetProcessHeap () returned 0x3a00000 [0059.380] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.382] GetProcessHeap () returned 0x3a00000 [0059.382] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.382] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.382] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.382] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.383] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.383] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.383] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.383] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 48 [0059.383] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.383] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.383] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.383] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.383] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.383] GetTickCount () returned 0x114f492 [0059.383] GetTickCount () returned 0x114f492 [0059.383] GetTickCount () returned 0x114f492 [0059.383] GetTickCount () returned 0x114f492 [0059.383] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.384] GetProcessHeap () returned 0x3a00000 [0059.384] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.384] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.386] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.386] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.386] GetProcessHeap () returned 0x3a00000 [0059.387] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.387] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.387] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.387] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.387] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.387] CloseHandle (hObject=0x430) returned 1 [0059.390] GetProcessHeap () returned 0x3a00000 [0059.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.390] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.390] GetProcessHeap () returned 0x3a00000 [0059.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.391] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.391] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.391] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.391] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.391] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.391] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.391] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 49 [0059.391] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.391] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.391] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.391] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.391] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.392] GetTickCount () returned 0x114f4a2 [0059.392] GetTickCount () returned 0x114f4a2 [0059.392] GetTickCount () returned 0x114f4a2 [0059.392] GetTickCount () returned 0x114f4a2 [0059.392] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.392] GetProcessHeap () returned 0x3a00000 [0059.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.392] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.395] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.395] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.395] GetProcessHeap () returned 0x3a00000 [0059.395] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.395] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.395] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.395] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.395] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.395] CloseHandle (hObject=0x430) returned 1 [0059.396] GetProcessHeap () returned 0x3a00000 [0059.396] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.397] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.397] GetProcessHeap () returned 0x3a00000 [0059.397] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.397] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.397] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0059.397] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.397] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1042\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1042\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.397] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.398] CloseHandle (hObject=0x42c) returned 1 [0059.398] GetProcessHeap () returned 0x3a00000 [0059.399] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.399] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1043", cAlternateFileName="")) returned 1 [0059.399] lstrcmpiW (lpString1="1043", lpString2="Windows") returned -1 [0059.399] lstrcmpiW (lpString1="1043", lpString2="$Recycle.bin") returned 1 [0059.399] lstrcmpiW (lpString1="1043", lpString2="System Volume Information") returned -1 [0059.399] lstrcmpiW (lpString1="1043", lpString2="Program Files") returned -1 [0059.399] lstrcmpiW (lpString1="1043", lpString2="Program Files (x86)") returned -1 [0059.399] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043") returned 30 [0059.399] lstrcmpW (lpString1="1043", lpString2=".") returned 1 [0059.399] lstrcmpW (lpString1="1043", lpString2="..") returned 1 [0059.399] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1043", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.399] GetProcessHeap () returned 0x3a00000 [0059.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.399] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\*") returned 32 [0059.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0059.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.399] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\.") returned 32 [0059.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.399] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.400] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.400] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.400] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\..") returned 33 [0059.400] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.400] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.400] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.400] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.400] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.400] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.400] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.400] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.400] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 39 [0059.400] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.400] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.400] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.400] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.400] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.401] GetTickCount () returned 0x114f4a2 [0059.401] GetTickCount () returned 0x114f4a2 [0059.401] GetTickCount () returned 0x114f4a2 [0059.401] GetTickCount () returned 0x114f4a2 [0059.401] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.401] GetProcessHeap () returned 0x3a00000 [0059.401] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.401] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xdda, lpOverlapped=0x0) returned 1 [0059.402] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff226, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.402] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xdda, lpOverlapped=0x0) returned 1 [0059.402] GetProcessHeap () returned 0x3a00000 [0059.402] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.402] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.402] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.403] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.403] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.403] CloseHandle (hObject=0x430) returned 1 [0059.403] GetProcessHeap () returned 0x3a00000 [0059.403] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.403] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.413] GetProcessHeap () returned 0x3a00000 [0059.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.413] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.413] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.413] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.413] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.413] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.413] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.413] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 48 [0059.413] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.413] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.413] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.413] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.413] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.413] GetTickCount () returned 0x114f4b2 [0059.413] GetTickCount () returned 0x114f4b2 [0059.413] GetTickCount () returned 0x114f4b2 [0059.413] GetTickCount () returned 0x114f4b2 [0059.413] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.414] GetProcessHeap () returned 0x3a00000 [0059.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.414] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.416] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.416] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.416] GetProcessHeap () returned 0x3a00000 [0059.416] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.416] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.416] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.416] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.416] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.416] CloseHandle (hObject=0x430) returned 1 [0059.419] GetProcessHeap () returned 0x3a00000 [0059.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.419] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.419] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.419] GetProcessHeap () returned 0x3a00000 [0059.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.419] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.419] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.419] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.419] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.419] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.419] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.419] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 49 [0059.419] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.419] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.419] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.420] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.420] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.420] GetTickCount () returned 0x114f4b2 [0059.420] GetTickCount () returned 0x114f4b2 [0059.420] GetTickCount () returned 0x114f4b2 [0059.420] GetTickCount () returned 0x114f4b2 [0059.420] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.420] GetProcessHeap () returned 0x3a00000 [0059.420] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.420] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.422] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.422] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.423] GetProcessHeap () returned 0x3a00000 [0059.423] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.423] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.423] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.423] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.423] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.423] CloseHandle (hObject=0x430) returned 1 [0059.424] GetProcessHeap () returned 0x3a00000 [0059.424] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.424] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.424] GetProcessHeap () returned 0x3a00000 [0059.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.425] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.425] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0059.425] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.425] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1043\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1043\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.425] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.426] CloseHandle (hObject=0x42c) returned 1 [0059.427] GetProcessHeap () returned 0x3a00000 [0059.427] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.427] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1044", cAlternateFileName="")) returned 1 [0059.427] lstrcmpiW (lpString1="1044", lpString2="Windows") returned -1 [0059.427] lstrcmpiW (lpString1="1044", lpString2="$Recycle.bin") returned 1 [0059.427] lstrcmpiW (lpString1="1044", lpString2="System Volume Information") returned -1 [0059.427] lstrcmpiW (lpString1="1044", lpString2="Program Files") returned -1 [0059.427] lstrcmpiW (lpString1="1044", lpString2="Program Files (x86)") returned -1 [0059.427] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044") returned 30 [0059.427] lstrcmpW (lpString1="1044", lpString2=".") returned 1 [0059.427] lstrcmpW (lpString1="1044", lpString2="..") returned 1 [0059.427] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1044", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.427] GetProcessHeap () returned 0x3a00000 [0059.427] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.427] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\*") returned 32 [0059.427] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0059.428] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.428] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.428] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.428] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.428] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.428] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\.") returned 32 [0059.428] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.428] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.428] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.428] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.428] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.428] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.428] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.428] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\..") returned 33 [0059.428] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.428] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.428] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.428] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.428] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.428] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.428] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.428] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.428] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 39 [0059.428] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.428] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.428] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.428] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.428] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.429] GetTickCount () returned 0x114f4c1 [0059.429] GetTickCount () returned 0x114f4c1 [0059.429] GetTickCount () returned 0x114f4c1 [0059.429] GetTickCount () returned 0x114f4c1 [0059.429] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.429] GetProcessHeap () returned 0x3a00000 [0059.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.429] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0059.430] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff41a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.430] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xbe6, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xbe6, lpOverlapped=0x0) returned 1 [0059.430] GetProcessHeap () returned 0x3a00000 [0059.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.430] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.430] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.430] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.431] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.431] CloseHandle (hObject=0x430) returned 1 [0059.431] GetProcessHeap () returned 0x3a00000 [0059.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.431] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.433] GetProcessHeap () returned 0x3a00000 [0059.433] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.433] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.433] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 48 [0059.433] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.433] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.433] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.433] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.433] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.433] GetTickCount () returned 0x114f4c1 [0059.433] GetTickCount () returned 0x114f4c1 [0059.433] GetTickCount () returned 0x114f4c1 [0059.433] GetTickCount () returned 0x114f4c1 [0059.434] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.434] GetProcessHeap () returned 0x3a00000 [0059.434] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.434] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.435] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.436] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.436] GetProcessHeap () returned 0x3a00000 [0059.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.436] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.436] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.436] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.436] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.436] CloseHandle (hObject=0x430) returned 1 [0059.438] GetProcessHeap () returned 0x3a00000 [0059.438] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.438] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.438] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.439] GetProcessHeap () returned 0x3a00000 [0059.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.439] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.439] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.439] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.439] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.439] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.439] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.439] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 49 [0059.439] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.439] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.439] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.439] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.439] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.439] GetTickCount () returned 0x114f4d1 [0059.439] GetTickCount () returned 0x114f4d1 [0059.439] GetTickCount () returned 0x114f4d1 [0059.439] GetTickCount () returned 0x114f4d1 [0059.440] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.440] GetProcessHeap () returned 0x3a00000 [0059.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.440] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.442] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.442] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.442] GetProcessHeap () returned 0x3a00000 [0059.442] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.442] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.442] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.442] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.442] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.442] CloseHandle (hObject=0x430) returned 1 [0059.443] GetProcessHeap () returned 0x3a00000 [0059.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.443] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.444] GetProcessHeap () returned 0x3a00000 [0059.444] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.444] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.444] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0059.444] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.444] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1044\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1044\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.444] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.445] CloseHandle (hObject=0x42c) returned 1 [0059.446] GetProcessHeap () returned 0x3a00000 [0059.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.446] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1045", cAlternateFileName="")) returned 1 [0059.446] lstrcmpiW (lpString1="1045", lpString2="Windows") returned -1 [0059.446] lstrcmpiW (lpString1="1045", lpString2="$Recycle.bin") returned 1 [0059.446] lstrcmpiW (lpString1="1045", lpString2="System Volume Information") returned -1 [0059.446] lstrcmpiW (lpString1="1045", lpString2="Program Files") returned -1 [0059.446] lstrcmpiW (lpString1="1045", lpString2="Program Files (x86)") returned -1 [0059.446] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045") returned 30 [0059.446] lstrcmpW (lpString1="1045", lpString2=".") returned 1 [0059.446] lstrcmpW (lpString1="1045", lpString2="..") returned 1 [0059.446] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1045", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.446] GetProcessHeap () returned 0x3a00000 [0059.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.446] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\*") returned 32 [0059.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0059.447] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.447] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\.") returned 32 [0059.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.447] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.447] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.447] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.447] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.447] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.447] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.447] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\..") returned 33 [0059.447] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.447] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.447] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.447] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.447] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.447] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.447] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.447] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.447] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 39 [0059.447] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.447] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.447] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.447] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.447] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.448] GetTickCount () returned 0x114f4d1 [0059.448] GetTickCount () returned 0x114f4d1 [0059.448] GetTickCount () returned 0x114f4d1 [0059.448] GetTickCount () returned 0x114f4d1 [0059.448] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.448] GetProcessHeap () returned 0x3a00000 [0059.448] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.448] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0059.452] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff038, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.452] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xfc8, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xfc8, lpOverlapped=0x0) returned 1 [0059.452] GetProcessHeap () returned 0x3a00000 [0059.452] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.452] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.452] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.452] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.452] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.452] CloseHandle (hObject=0x430) returned 1 [0059.453] GetProcessHeap () returned 0x3a00000 [0059.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.453] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.455] GetProcessHeap () returned 0x3a00000 [0059.455] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.456] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.456] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.456] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.456] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.456] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.456] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.456] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 48 [0059.456] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.456] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.456] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.456] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.456] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.456] GetTickCount () returned 0x114f4e1 [0059.456] GetTickCount () returned 0x114f4e1 [0059.456] GetTickCount () returned 0x114f4e1 [0059.456] GetTickCount () returned 0x114f4e1 [0059.456] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.456] GetProcessHeap () returned 0x3a00000 [0059.456] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.456] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.458] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.458] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.458] GetProcessHeap () returned 0x3a00000 [0059.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.458] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.459] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.459] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.459] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.459] CloseHandle (hObject=0x430) returned 1 [0059.461] GetProcessHeap () returned 0x3a00000 [0059.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.461] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.462] GetProcessHeap () returned 0x3a00000 [0059.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.462] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.462] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.462] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.462] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.462] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.462] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.462] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 49 [0059.462] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.462] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.462] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.462] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.462] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.463] GetTickCount () returned 0x114f4e1 [0059.463] GetTickCount () returned 0x114f4e1 [0059.463] GetTickCount () returned 0x114f4e1 [0059.463] GetTickCount () returned 0x114f4e1 [0059.463] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.463] GetProcessHeap () returned 0x3a00000 [0059.463] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.463] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.465] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.465] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.465] GetProcessHeap () returned 0x3a00000 [0059.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.465] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.465] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.465] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.465] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.465] CloseHandle (hObject=0x430) returned 1 [0059.466] GetProcessHeap () returned 0x3a00000 [0059.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.466] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.471] GetProcessHeap () returned 0x3a00000 [0059.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.471] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.471] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0059.471] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.471] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1045\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1045\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.471] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.472] CloseHandle (hObject=0x42c) returned 1 [0059.472] GetProcessHeap () returned 0x3a00000 [0059.472] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.472] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1046", cAlternateFileName="")) returned 1 [0059.472] lstrcmpiW (lpString1="1046", lpString2="Windows") returned -1 [0059.472] lstrcmpiW (lpString1="1046", lpString2="$Recycle.bin") returned 1 [0059.472] lstrcmpiW (lpString1="1046", lpString2="System Volume Information") returned -1 [0059.472] lstrcmpiW (lpString1="1046", lpString2="Program Files") returned -1 [0059.472] lstrcmpiW (lpString1="1046", lpString2="Program Files (x86)") returned -1 [0059.472] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046") returned 30 [0059.472] lstrcmpW (lpString1="1046", lpString2=".") returned 1 [0059.472] lstrcmpW (lpString1="1046", lpString2="..") returned 1 [0059.472] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1046", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.472] GetProcessHeap () returned 0x3a00000 [0059.472] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.472] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\*") returned 32 [0059.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0059.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.473] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\.") returned 32 [0059.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.473] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.473] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.473] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.473] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.474] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\..") returned 33 [0059.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.474] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.474] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.474] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.474] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.474] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 39 [0059.474] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.474] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.474] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.474] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.474] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.474] GetTickCount () returned 0x114f4f0 [0059.474] GetTickCount () returned 0x114f4f0 [0059.474] GetTickCount () returned 0x114f4f0 [0059.474] GetTickCount () returned 0x114f4f0 [0059.474] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.474] GetProcessHeap () returned 0x3a00000 [0059.474] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.474] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xe63, lpOverlapped=0x0) returned 1 [0059.476] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.476] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xe63, lpOverlapped=0x0) returned 1 [0059.476] GetProcessHeap () returned 0x3a00000 [0059.476] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.476] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.476] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.476] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.476] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.476] CloseHandle (hObject=0x430) returned 1 [0059.477] GetProcessHeap () returned 0x3a00000 [0059.477] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.477] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.479] GetProcessHeap () returned 0x3a00000 [0059.479] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.479] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.479] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.479] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.479] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.479] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.479] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.479] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 48 [0059.479] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.479] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.479] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.479] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.480] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.480] GetTickCount () returned 0x114f4f0 [0059.480] GetTickCount () returned 0x114f4f0 [0059.480] GetTickCount () returned 0x114f4f0 [0059.480] GetTickCount () returned 0x114f4f0 [0059.480] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.480] GetProcessHeap () returned 0x3a00000 [0059.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.480] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.483] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.483] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.483] GetProcessHeap () returned 0x3a00000 [0059.483] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.483] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.483] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.483] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.483] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.483] CloseHandle (hObject=0x430) returned 1 [0059.486] GetProcessHeap () returned 0x3a00000 [0059.486] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.486] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.486] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.486] GetProcessHeap () returned 0x3a00000 [0059.486] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.486] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.486] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.486] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.486] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.486] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.486] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.486] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 49 [0059.487] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.487] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.487] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.487] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.487] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.487] GetTickCount () returned 0x114f500 [0059.487] GetTickCount () returned 0x114f500 [0059.487] GetTickCount () returned 0x114f500 [0059.487] GetTickCount () returned 0x114f500 [0059.487] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.487] GetProcessHeap () returned 0x3a00000 [0059.487] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.487] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.495] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.496] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.496] GetProcessHeap () returned 0x3a00000 [0059.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.496] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.496] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.496] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.496] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.496] CloseHandle (hObject=0x430) returned 1 [0059.497] GetProcessHeap () returned 0x3a00000 [0059.497] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.497] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.498] GetProcessHeap () returned 0x3a00000 [0059.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.498] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.498] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0059.498] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.498] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1046\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1046\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.498] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.499] CloseHandle (hObject=0x42c) returned 1 [0059.499] GetProcessHeap () returned 0x3a00000 [0059.500] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.500] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1049", cAlternateFileName="")) returned 1 [0059.500] lstrcmpiW (lpString1="1049", lpString2="Windows") returned -1 [0059.500] lstrcmpiW (lpString1="1049", lpString2="$Recycle.bin") returned 1 [0059.500] lstrcmpiW (lpString1="1049", lpString2="System Volume Information") returned -1 [0059.500] lstrcmpiW (lpString1="1049", lpString2="Program Files") returned -1 [0059.500] lstrcmpiW (lpString1="1049", lpString2="Program Files (x86)") returned -1 [0059.500] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049") returned 30 [0059.500] lstrcmpW (lpString1="1049", lpString2=".") returned 1 [0059.500] lstrcmpW (lpString1="1049", lpString2="..") returned 1 [0059.500] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1049", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.500] GetProcessHeap () returned 0x3a00000 [0059.500] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.500] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\*") returned 32 [0059.500] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0059.500] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.500] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.500] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.500] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.501] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.501] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\.") returned 32 [0059.501] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.501] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.501] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.501] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.501] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.501] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.501] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.501] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\..") returned 33 [0059.501] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.501] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.501] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.501] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.501] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.501] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.501] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.501] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.501] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 39 [0059.501] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.501] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.501] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.501] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.501] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.502] GetTickCount () returned 0x114f50f [0059.502] GetTickCount () returned 0x114f50f [0059.502] GetTickCount () returned 0x114f50f [0059.502] GetTickCount () returned 0x114f50f [0059.502] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.502] GetProcessHeap () returned 0x3a00000 [0059.502] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.502] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.504] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.504] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.504] GetProcessHeap () returned 0x3a00000 [0059.504] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.504] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.504] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.505] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.505] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.505] CloseHandle (hObject=0x430) returned 1 [0059.507] GetProcessHeap () returned 0x3a00000 [0059.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.507] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.509] GetProcessHeap () returned 0x3a00000 [0059.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.509] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.509] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.509] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.509] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.509] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.509] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.509] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 48 [0059.509] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.509] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.509] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.509] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.509] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.509] GetTickCount () returned 0x114f50f [0059.509] GetTickCount () returned 0x114f50f [0059.509] GetTickCount () returned 0x114f50f [0059.509] GetTickCount () returned 0x114f50f [0059.509] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.509] GetProcessHeap () returned 0x3a00000 [0059.509] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.509] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.512] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.512] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.512] GetProcessHeap () returned 0x3a00000 [0059.512] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.512] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.512] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.513] CloseHandle (hObject=0x430) returned 1 [0059.515] GetProcessHeap () returned 0x3a00000 [0059.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.515] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.515] GetProcessHeap () returned 0x3a00000 [0059.515] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.515] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.515] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.515] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.516] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.516] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.516] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.516] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 49 [0059.516] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.516] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.516] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.516] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.516] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.516] GetTickCount () returned 0x114f51f [0059.516] GetTickCount () returned 0x114f51f [0059.516] GetTickCount () returned 0x114f51f [0059.517] GetTickCount () returned 0x114f51f [0059.517] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.517] GetProcessHeap () returned 0x3a00000 [0059.517] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.517] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.519] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.519] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.519] GetProcessHeap () returned 0x3a00000 [0059.519] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.519] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.519] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.519] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.519] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.519] CloseHandle (hObject=0x430) returned 1 [0059.521] GetProcessHeap () returned 0x3a00000 [0059.521] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.521] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.521] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.521] GetProcessHeap () returned 0x3a00000 [0059.521] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.521] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.521] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0059.521] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.521] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1049\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1049\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.522] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.523] CloseHandle (hObject=0x42c) returned 1 [0059.524] GetProcessHeap () returned 0x3a00000 [0059.524] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.524] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1053", cAlternateFileName="")) returned 1 [0059.524] lstrcmpiW (lpString1="1053", lpString2="Windows") returned -1 [0059.524] lstrcmpiW (lpString1="1053", lpString2="$Recycle.bin") returned 1 [0059.524] lstrcmpiW (lpString1="1053", lpString2="System Volume Information") returned -1 [0059.524] lstrcmpiW (lpString1="1053", lpString2="Program Files") returned -1 [0059.524] lstrcmpiW (lpString1="1053", lpString2="Program Files (x86)") returned -1 [0059.524] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053") returned 30 [0059.524] lstrcmpW (lpString1="1053", lpString2=".") returned 1 [0059.524] lstrcmpW (lpString1="1053", lpString2="..") returned 1 [0059.524] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1053", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.524] GetProcessHeap () returned 0x3a00000 [0059.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.524] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\*") returned 32 [0059.524] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0059.525] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.525] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.525] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.525] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.525] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.525] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\.") returned 32 [0059.525] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.525] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.525] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.525] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.525] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.525] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.525] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.525] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\..") returned 33 [0059.525] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.525] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.525] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.525] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.525] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.525] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.525] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.525] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.525] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 39 [0059.525] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.525] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.525] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.525] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.525] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.526] GetTickCount () returned 0x114f51f [0059.526] GetTickCount () returned 0x114f51f [0059.526] GetTickCount () returned 0x114f51f [0059.526] GetTickCount () returned 0x114f51f [0059.526] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.526] GetProcessHeap () returned 0x3a00000 [0059.526] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.526] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xf19, lpOverlapped=0x0) returned 1 [0059.529] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff0e7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.530] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xf19, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xf19, lpOverlapped=0x0) returned 1 [0059.530] GetProcessHeap () returned 0x3a00000 [0059.530] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.530] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.530] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.530] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.530] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.530] CloseHandle (hObject=0x430) returned 1 [0059.531] GetProcessHeap () returned 0x3a00000 [0059.531] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.531] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.538] GetProcessHeap () returned 0x3a00000 [0059.538] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.538] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.538] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.538] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.538] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.538] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.538] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.538] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 48 [0059.538] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.538] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.538] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.538] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.538] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.539] GetTickCount () returned 0x114f52f [0059.539] GetTickCount () returned 0x114f52f [0059.539] GetTickCount () returned 0x114f52f [0059.539] GetTickCount () returned 0x114f52f [0059.539] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.539] GetProcessHeap () returned 0x3a00000 [0059.539] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.539] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.552] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.553] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.554] GetProcessHeap () returned 0x3a00000 [0059.554] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.554] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.554] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.554] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.555] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.555] CloseHandle (hObject=0x430) returned 1 [0059.558] GetProcessHeap () returned 0x3a00000 [0059.558] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.558] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.560] GetProcessHeap () returned 0x3a00000 [0059.560] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.560] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.560] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.560] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.560] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.560] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.560] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.560] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 49 [0059.560] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.560] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.560] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.560] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.560] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.560] GetTickCount () returned 0x114f54e [0059.560] GetTickCount () returned 0x114f54e [0059.560] GetTickCount () returned 0x114f54e [0059.560] GetTickCount () returned 0x114f54e [0059.561] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.561] GetProcessHeap () returned 0x3a00000 [0059.561] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.561] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.563] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.563] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.563] GetProcessHeap () returned 0x3a00000 [0059.563] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.563] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.563] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.563] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.563] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.563] CloseHandle (hObject=0x430) returned 1 [0059.565] GetProcessHeap () returned 0x3a00000 [0059.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.565] GetProcessHeap () returned 0x3a00000 [0059.565] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.565] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.566] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0059.566] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.566] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1053\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1053\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.566] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.567] CloseHandle (hObject=0x42c) returned 1 [0059.567] GetProcessHeap () returned 0x3a00000 [0059.567] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.568] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1055", cAlternateFileName="")) returned 1 [0059.568] lstrcmpiW (lpString1="1055", lpString2="Windows") returned -1 [0059.568] lstrcmpiW (lpString1="1055", lpString2="$Recycle.bin") returned 1 [0059.568] lstrcmpiW (lpString1="1055", lpString2="System Volume Information") returned -1 [0059.568] lstrcmpiW (lpString1="1055", lpString2="Program Files") returned -1 [0059.568] lstrcmpiW (lpString1="1055", lpString2="Program Files (x86)") returned -1 [0059.568] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055") returned 30 [0059.568] lstrcmpW (lpString1="1055", lpString2=".") returned 1 [0059.568] lstrcmpW (lpString1="1055", lpString2="..") returned 1 [0059.568] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\1055", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.568] GetProcessHeap () returned 0x3a00000 [0059.568] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.568] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\*") returned 32 [0059.568] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0059.568] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.568] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.568] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.568] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.568] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.568] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\.") returned 32 [0059.568] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.568] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.568] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.568] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.568] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.568] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.568] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.568] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\..") returned 33 [0059.569] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.569] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.569] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.569] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.569] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.569] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.569] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.569] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.569] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 39 [0059.569] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.569] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.569] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.569] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.569] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.569] GetTickCount () returned 0x114f54e [0059.569] GetTickCount () returned 0x114f54e [0059.569] GetTickCount () returned 0x114f54e [0059.569] GetTickCount () returned 0x114f54e [0059.569] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.569] GetProcessHeap () returned 0x3a00000 [0059.569] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.569] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xf13, lpOverlapped=0x0) returned 1 [0059.571] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff0ed, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.571] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xf13, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xf13, lpOverlapped=0x0) returned 1 [0059.571] GetProcessHeap () returned 0x3a00000 [0059.571] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.571] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.571] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.571] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.572] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.572] CloseHandle (hObject=0x430) returned 1 [0059.572] GetProcessHeap () returned 0x3a00000 [0059.572] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.572] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.609] GetProcessHeap () returned 0x3a00000 [0059.609] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.609] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.609] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.609] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.609] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.609] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.609] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.609] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 48 [0059.609] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.609] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.609] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.609] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.609] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.611] GetTickCount () returned 0x114f57d [0059.611] GetTickCount () returned 0x114f57d [0059.611] GetTickCount () returned 0x114f57d [0059.611] GetTickCount () returned 0x114f57d [0059.611] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.611] GetProcessHeap () returned 0x3a00000 [0059.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.611] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.613] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.613] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.613] GetProcessHeap () returned 0x3a00000 [0059.613] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.613] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.613] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.613] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.613] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.614] CloseHandle (hObject=0x430) returned 1 [0059.616] GetProcessHeap () returned 0x3a00000 [0059.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.617] GetProcessHeap () returned 0x3a00000 [0059.617] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.617] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.617] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.617] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.617] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.617] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.617] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.618] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 49 [0059.618] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.618] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.618] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.618] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.618] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.618] GetTickCount () returned 0x114f57d [0059.618] GetTickCount () returned 0x114f57d [0059.618] GetTickCount () returned 0x114f57d [0059.618] GetTickCount () returned 0x114f57d [0059.618] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.618] GetProcessHeap () returned 0x3a00000 [0059.618] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.618] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.620] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.620] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.620] GetProcessHeap () returned 0x3a00000 [0059.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.620] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.620] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.621] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.621] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.621] CloseHandle (hObject=0x430) returned 1 [0059.622] GetProcessHeap () returned 0x3a00000 [0059.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.622] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.622] GetProcessHeap () returned 0x3a00000 [0059.623] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.623] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.623] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0059.623] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.623] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\1055\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\1055\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.623] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.624] CloseHandle (hObject=0x42c) returned 1 [0059.624] GetProcessHeap () returned 0x3a00000 [0059.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.624] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2052", cAlternateFileName="")) returned 1 [0059.624] lstrcmpiW (lpString1="2052", lpString2="Windows") returned -1 [0059.624] lstrcmpiW (lpString1="2052", lpString2="$Recycle.bin") returned 1 [0059.624] lstrcmpiW (lpString1="2052", lpString2="System Volume Information") returned -1 [0059.624] lstrcmpiW (lpString1="2052", lpString2="Program Files") returned -1 [0059.624] lstrcmpiW (lpString1="2052", lpString2="Program Files (x86)") returned -1 [0059.624] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052") returned 30 [0059.624] lstrcmpW (lpString1="2052", lpString2=".") returned 1 [0059.624] lstrcmpW (lpString1="2052", lpString2="..") returned 1 [0059.624] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2052", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.624] GetProcessHeap () returned 0x3a00000 [0059.624] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.624] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\*") returned 32 [0059.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0059.625] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.625] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.625] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.625] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.625] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\.") returned 32 [0059.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.625] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.625] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.625] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.625] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\..") returned 33 [0059.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.625] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.625] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.626] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.626] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.626] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.626] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.626] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.626] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 39 [0059.626] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.626] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.626] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.626] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.626] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.626] GetTickCount () returned 0x114f58c [0059.626] GetTickCount () returned 0x114f58c [0059.626] GetTickCount () returned 0x114f58c [0059.626] GetTickCount () returned 0x114f58c [0059.626] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.626] GetProcessHeap () returned 0x3a00000 [0059.626] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.626] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0059.628] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe93d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.628] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x16c3, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x16c3, lpOverlapped=0x0) returned 1 [0059.628] GetProcessHeap () returned 0x3a00000 [0059.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.628] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.628] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.628] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.628] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.628] CloseHandle (hObject=0x430) returned 1 [0059.629] GetProcessHeap () returned 0x3a00000 [0059.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.629] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.631] GetProcessHeap () returned 0x3a00000 [0059.631] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.631] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.631] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.631] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.631] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.631] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.631] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.631] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 48 [0059.631] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.631] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.631] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.631] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.631] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.631] GetTickCount () returned 0x114f58c [0059.631] GetTickCount () returned 0x114f58c [0059.631] GetTickCount () returned 0x114f58c [0059.631] GetTickCount () returned 0x114f58c [0059.631] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.632] GetProcessHeap () returned 0x3a00000 [0059.632] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.632] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.634] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.634] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.634] GetProcessHeap () returned 0x3a00000 [0059.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.634] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.634] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.634] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.634] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.635] CloseHandle (hObject=0x430) returned 1 [0059.636] GetProcessHeap () returned 0x3a00000 [0059.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.637] GetProcessHeap () returned 0x3a00000 [0059.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.637] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.637] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.637] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.637] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.637] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.637] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.637] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 49 [0059.637] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.637] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.637] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.637] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.637] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.638] GetTickCount () returned 0x114f58c [0059.638] GetTickCount () returned 0x114f58c [0059.638] GetTickCount () returned 0x114f58c [0059.638] GetTickCount () returned 0x114f58c [0059.638] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.638] GetProcessHeap () returned 0x3a00000 [0059.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.638] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.640] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.640] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.640] GetProcessHeap () returned 0x3a00000 [0059.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.640] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.640] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.640] CloseHandle (hObject=0x430) returned 1 [0059.642] GetProcessHeap () returned 0x3a00000 [0059.642] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.642] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.642] GetProcessHeap () returned 0x3a00000 [0059.642] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.642] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.642] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0059.642] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.642] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2052\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2052\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.643] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.645] CloseHandle (hObject=0x42c) returned 1 [0059.645] GetProcessHeap () returned 0x3a00000 [0059.645] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.645] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2070", cAlternateFileName="")) returned 1 [0059.645] lstrcmpiW (lpString1="2070", lpString2="Windows") returned -1 [0059.645] lstrcmpiW (lpString1="2070", lpString2="$Recycle.bin") returned 1 [0059.645] lstrcmpiW (lpString1="2070", lpString2="System Volume Information") returned -1 [0059.645] lstrcmpiW (lpString1="2070", lpString2="Program Files") returned -1 [0059.645] lstrcmpiW (lpString1="2070", lpString2="Program Files (x86)") returned -1 [0059.645] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070") returned 30 [0059.645] lstrcmpW (lpString1="2070", lpString2=".") returned 1 [0059.645] lstrcmpW (lpString1="2070", lpString2="..") returned 1 [0059.645] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\2070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.645] GetProcessHeap () returned 0x3a00000 [0059.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.645] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\*") returned 32 [0059.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0059.645] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.645] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.646] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.646] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.646] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.646] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\.") returned 32 [0059.646] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.646] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.646] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.646] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.646] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.646] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.646] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.646] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\..") returned 33 [0059.646] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.646] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.646] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.646] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.646] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.646] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.646] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.646] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.646] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 39 [0059.646] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.646] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.646] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.646] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.646] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.695] GetTickCount () returned 0x114f5cb [0059.695] GetTickCount () returned 0x114f5cb [0059.695] GetTickCount () returned 0x114f5cb [0059.695] GetTickCount () returned 0x114f5cb [0059.695] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.695] GetProcessHeap () returned 0x3a00000 [0059.695] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.695] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0059.697] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff051, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.697] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xfaf, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xfaf, lpOverlapped=0x0) returned 1 [0059.697] GetProcessHeap () returned 0x3a00000 [0059.697] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.697] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.697] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.697] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.697] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.697] CloseHandle (hObject=0x430) returned 1 [0059.698] GetProcessHeap () returned 0x3a00000 [0059.698] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.698] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.700] GetProcessHeap () returned 0x3a00000 [0059.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.700] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.700] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.700] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 48 [0059.701] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.701] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.701] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.701] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.701] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.701] GetTickCount () returned 0x114f5cb [0059.701] GetTickCount () returned 0x114f5cb [0059.701] GetTickCount () returned 0x114f5cb [0059.701] GetTickCount () returned 0x114f5cb [0059.701] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.701] GetProcessHeap () returned 0x3a00000 [0059.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.701] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.703] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.704] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.704] GetProcessHeap () returned 0x3a00000 [0059.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.704] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.704] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.704] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.704] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.704] CloseHandle (hObject=0x430) returned 1 [0059.707] GetProcessHeap () returned 0x3a00000 [0059.707] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.707] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.707] GetProcessHeap () returned 0x3a00000 [0059.707] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.707] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.708] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.708] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.708] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.708] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.708] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.708] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 49 [0059.708] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.708] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.708] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.708] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.708] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.708] GetTickCount () returned 0x114f5db [0059.708] GetTickCount () returned 0x114f5db [0059.708] GetTickCount () returned 0x114f5db [0059.708] GetTickCount () returned 0x114f5db [0059.708] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.708] GetProcessHeap () returned 0x3a00000 [0059.708] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.708] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.710] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.710] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.710] GetProcessHeap () returned 0x3a00000 [0059.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.710] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.710] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.710] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.711] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.711] CloseHandle (hObject=0x430) returned 1 [0059.712] GetProcessHeap () returned 0x3a00000 [0059.712] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.712] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.712] GetProcessHeap () returned 0x3a00000 [0059.712] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.712] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.712] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0059.712] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.713] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\2070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\2070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.713] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.714] CloseHandle (hObject=0x42c) returned 1 [0059.714] GetProcessHeap () returned 0x3a00000 [0059.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.714] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3076", cAlternateFileName="")) returned 1 [0059.714] lstrcmpiW (lpString1="3076", lpString2="Windows") returned -1 [0059.714] lstrcmpiW (lpString1="3076", lpString2="$Recycle.bin") returned 1 [0059.714] lstrcmpiW (lpString1="3076", lpString2="System Volume Information") returned -1 [0059.714] lstrcmpiW (lpString1="3076", lpString2="Program Files") returned -1 [0059.714] lstrcmpiW (lpString1="3076", lpString2="Program Files (x86)") returned -1 [0059.714] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076") returned 30 [0059.714] lstrcmpW (lpString1="3076", lpString2=".") returned 1 [0059.714] lstrcmpW (lpString1="3076", lpString2="..") returned 1 [0059.714] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3076", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.714] GetProcessHeap () returned 0x3a00000 [0059.714] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.714] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\*") returned 32 [0059.714] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0059.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.714] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.715] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.715] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.715] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\.") returned 32 [0059.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.715] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.715] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\..") returned 33 [0059.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.715] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.715] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.715] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.715] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.715] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 39 [0059.715] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.715] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.715] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.715] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.715] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.715] GetTickCount () returned 0x114f5db [0059.715] GetTickCount () returned 0x114f5db [0059.715] GetTickCount () returned 0x114f5db [0059.716] GetTickCount () returned 0x114f5db [0059.716] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.716] GetProcessHeap () returned 0x3a00000 [0059.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.716] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0059.717] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffe75b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.717] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x18a5, lpOverlapped=0x0) returned 1 [0059.717] GetProcessHeap () returned 0x3a00000 [0059.717] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.717] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.718] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.718] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.718] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.718] CloseHandle (hObject=0x430) returned 1 [0059.718] GetProcessHeap () returned 0x3a00000 [0059.719] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.719] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.721] GetProcessHeap () returned 0x3a00000 [0059.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.721] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.721] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.721] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 48 [0059.721] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.721] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.721] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.721] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.721] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.721] GetTickCount () returned 0x114f5ea [0059.721] GetTickCount () returned 0x114f5ea [0059.721] GetTickCount () returned 0x114f5ea [0059.721] GetTickCount () returned 0x114f5ea [0059.721] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.721] GetProcessHeap () returned 0x3a00000 [0059.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.721] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.724] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.724] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.724] GetProcessHeap () returned 0x3a00000 [0059.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.724] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.724] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.724] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.724] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.724] CloseHandle (hObject=0x430) returned 1 [0059.726] GetProcessHeap () returned 0x3a00000 [0059.726] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.726] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.727] GetProcessHeap () returned 0x3a00000 [0059.727] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.727] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.727] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.727] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.727] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.727] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.727] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.727] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 49 [0059.727] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.727] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.727] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.727] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.727] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.727] GetTickCount () returned 0x114f5ea [0059.727] GetTickCount () returned 0x114f5ea [0059.727] GetTickCount () returned 0x114f5ea [0059.727] GetTickCount () returned 0x114f5ea [0059.728] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.728] GetProcessHeap () returned 0x3a00000 [0059.728] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.728] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.730] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.730] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.730] GetProcessHeap () returned 0x3a00000 [0059.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.730] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.730] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.730] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.730] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.730] CloseHandle (hObject=0x430) returned 1 [0059.731] GetProcessHeap () returned 0x3a00000 [0059.731] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.731] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.732] GetProcessHeap () returned 0x3a00000 [0059.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.732] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.732] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0059.732] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.732] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3076\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3076\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.732] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.733] CloseHandle (hObject=0x42c) returned 1 [0059.734] GetProcessHeap () returned 0x3a00000 [0059.734] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.734] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3082", cAlternateFileName="")) returned 1 [0059.734] lstrcmpiW (lpString1="3082", lpString2="Windows") returned -1 [0059.734] lstrcmpiW (lpString1="3082", lpString2="$Recycle.bin") returned 1 [0059.734] lstrcmpiW (lpString1="3082", lpString2="System Volume Information") returned -1 [0059.734] lstrcmpiW (lpString1="3082", lpString2="Program Files") returned -1 [0059.734] lstrcmpiW (lpString1="3082", lpString2="Program Files (x86)") returned -1 [0059.734] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082") returned 30 [0059.734] lstrcmpW (lpString1="3082", lpString2=".") returned 1 [0059.734] lstrcmpW (lpString1="3082", lpString2="..") returned 1 [0059.734] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\3082", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.734] GetProcessHeap () returned 0x3a00000 [0059.734] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.734] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\*") returned 32 [0059.734] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0059.734] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.734] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.734] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.734] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.734] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.734] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\.") returned 32 [0059.734] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.734] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.734] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.734] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.734] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.734] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.734] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.736] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\..") returned 33 [0059.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.737] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.737] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0059.737] lstrcmpiW (lpString1="eula.rtf", lpString2="Windows") returned -1 [0059.737] lstrcmpiW (lpString1="eula.rtf", lpString2="$Recycle.bin") returned 1 [0059.737] lstrcmpiW (lpString1="eula.rtf", lpString2="System Volume Information") returned -1 [0059.737] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files") returned -1 [0059.737] lstrcmpiW (lpString1="eula.rtf", lpString2="Program Files (x86)") returned -1 [0059.737] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 39 [0059.737] StrStrIW (lpFirst="eula.rtf", lpSrch=".ebal") returned 0x0 [0059.737] lstrcmpW (lpString1="eula.rtf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.737] lstrcmpW (lpString1="eula.rtf", lpString2="taridd") returned -1 [0059.737] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.737] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.737] GetTickCount () returned 0x114f5fa [0059.737] GetTickCount () returned 0x114f5fa [0059.737] GetTickCount () returned 0x114f5fa [0059.737] GetTickCount () returned 0x114f5fa [0059.737] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.737] GetProcessHeap () returned 0x3a00000 [0059.737] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.737] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0059.739] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffff403, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.739] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xbfd, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0xbfd, lpOverlapped=0x0) returned 1 [0059.739] GetProcessHeap () returned 0x3a00000 [0059.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.739] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.739] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.739] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.739] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.739] CloseHandle (hObject=0x430) returned 1 [0059.740] GetProcessHeap () returned 0x3a00000 [0059.740] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.740] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{8ew5f6}.ebal") returned 58 [0059.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf_r00t_{8ew5f6}.ebal")) returned 1 [0059.743] GetProcessHeap () returned 0x3a00000 [0059.743] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.743] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0059.743] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Windows") returned -1 [0059.743] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$Recycle.bin") returned 1 [0059.743] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="System Volume Information") returned -1 [0059.743] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files") returned -1 [0059.743] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="Program Files (x86)") returned -1 [0059.743] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 48 [0059.743] StrStrIW (lpFirst="LocalizedData.xml", lpSrch=".ebal") returned 0x0 [0059.743] lstrcmpW (lpString1="LocalizedData.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.743] lstrcmpW (lpString1="LocalizedData.xml", lpString2="taridd") returned -1 [0059.743] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.743] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.744] GetTickCount () returned 0x114f5fa [0059.744] GetTickCount () returned 0x114f5fa [0059.744] GetTickCount () returned 0x114f5fa [0059.744] GetTickCount () returned 0x114f5fa [0059.744] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.744] GetProcessHeap () returned 0x3a00000 [0059.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.744] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.746] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.746] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.746] GetProcessHeap () returned 0x3a00000 [0059.746] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.746] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.746] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.746] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.747] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.747] CloseHandle (hObject=0x430) returned 1 [0059.749] GetProcessHeap () returned 0x3a00000 [0059.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.749] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{8ew5f6}.ebal") returned 67 [0059.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\LocalizedData.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.750] GetProcessHeap () returned 0x3a00000 [0059.750] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.750] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0059.750] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Windows") returned -1 [0059.750] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$Recycle.bin") returned 1 [0059.750] lstrcmpiW (lpString1="SetupResources.dll", lpString2="System Volume Information") returned -1 [0059.750] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files") returned 1 [0059.750] lstrcmpiW (lpString1="SetupResources.dll", lpString2="Program Files (x86)") returned 1 [0059.750] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 49 [0059.750] StrStrIW (lpFirst="SetupResources.dll", lpSrch=".ebal") returned 0x0 [0059.750] lstrcmpW (lpString1="SetupResources.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.750] lstrcmpW (lpString1="SetupResources.dll", lpString2="taridd") returned -1 [0059.750] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.750] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.750] GetTickCount () returned 0x114f609 [0059.750] GetTickCount () returned 0x114f609 [0059.750] GetTickCount () returned 0x114f609 [0059.750] GetTickCount () returned 0x114f609 [0059.750] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.751] GetProcessHeap () returned 0x3a00000 [0059.751] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.751] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.754] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.754] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.754] GetProcessHeap () returned 0x3a00000 [0059.754] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.754] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.754] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.754] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.754] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.754] CloseHandle (hObject=0x430) returned 1 [0059.756] GetProcessHeap () returned 0x3a00000 [0059.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.756] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{8ew5f6}.ebal") returned 68 [0059.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\SetupResources.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll_r00t_{8ew5f6}.ebal")) returned 1 [0059.756] GetProcessHeap () returned 0x3a00000 [0059.756] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.756] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0059.756] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0059.756] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0059.756] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\3082\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\3082\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.757] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.758] CloseHandle (hObject=0x42c) returned 1 [0059.758] GetProcessHeap () returned 0x3a00000 [0059.758] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.758] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Client", cAlternateFileName="")) returned 1 [0059.758] lstrcmpiW (lpString1="Client", lpString2="Windows") returned -1 [0059.758] lstrcmpiW (lpString1="Client", lpString2="$Recycle.bin") returned 1 [0059.758] lstrcmpiW (lpString1="Client", lpString2="System Volume Information") returned -1 [0059.758] lstrcmpiW (lpString1="Client", lpString2="Program Files") returned -1 [0059.758] lstrcmpiW (lpString1="Client", lpString2="Program Files (x86)") returned -1 [0059.758] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client") returned 32 [0059.758] lstrcmpW (lpString1="Client", lpString2=".") returned 1 [0059.758] lstrcmpW (lpString1="Client", lpString2="..") returned 1 [0059.758] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Client", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.758] GetProcessHeap () returned 0x3a00000 [0059.758] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.758] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\*") returned 34 [0059.758] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0059.762] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.762] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.762] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.762] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.762] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.762] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\.") returned 34 [0059.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.762] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.762] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.762] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.762] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.762] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.762] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\..") returned 35 [0059.763] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.763] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.763] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0059.763] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0059.763] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0059.763] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0059.763] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0059.763] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0059.763] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 50 [0059.763] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".ebal") returned 0x0 [0059.763] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.763] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0059.763] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.763] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.764] GetTickCount () returned 0x114f609 [0059.764] GetTickCount () returned 0x114f609 [0059.764] GetTickCount () returned 0x114f609 [0059.764] GetTickCount () returned 0x114f609 [0059.764] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.764] GetProcessHeap () returned 0x3a00000 [0059.764] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.764] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.768] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.768] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.769] GetProcessHeap () returned 0x3a00000 [0059.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.769] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.769] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.769] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.769] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.769] CloseHandle (hObject=0x430) returned 1 [0059.778] GetProcessHeap () returned 0x3a00000 [0059.778] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{8ew5f6}.ebal") returned 69 [0059.778] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.786] GetProcessHeap () returned 0x3a00000 [0059.786] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.786] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0059.786] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0059.786] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0059.786] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0059.786] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0059.786] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0059.786] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 43 [0059.786] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".ebal") returned 0x0 [0059.786] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.786] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0059.786] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.786] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.798] GetTickCount () returned 0x114f648 [0059.798] GetTickCount () returned 0x114f648 [0059.798] GetTickCount () returned 0x114f648 [0059.798] GetTickCount () returned 0x114f648 [0059.798] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.799] GetProcessHeap () returned 0x3a00000 [0059.799] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.799] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.800] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.800] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.801] GetProcessHeap () returned 0x3a00000 [0059.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.801] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.801] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.801] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.801] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.801] CloseHandle (hObject=0x430) returned 1 [0059.802] GetProcessHeap () returned 0x3a00000 [0059.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.802] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{8ew5f6}.ebal") returned 62 [0059.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\UiInfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.803] GetProcessHeap () returned 0x3a00000 [0059.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.803] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0059.803] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0059.803] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0059.803] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Client\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\client\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.805] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.806] CloseHandle (hObject=0x42c) returned 1 [0059.806] GetProcessHeap () returned 0x3a00000 [0059.806] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.806] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0059.806] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Windows") returned -1 [0059.806] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$Recycle.bin") returned 1 [0059.806] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="System Volume Information") returned -1 [0059.806] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files") returned -1 [0059.806] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="Program Files (x86)") returned -1 [0059.806] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 42 [0059.806] StrStrIW (lpFirst="DHtmlHeader.html", lpSrch=".ebal") returned 0x0 [0059.806] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.806] lstrcmpW (lpString1="DHtmlHeader.html", lpString2="taridd") returned -1 [0059.806] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.806] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.807] GetTickCount () returned 0x114f648 [0059.807] GetTickCount () returned 0x114f648 [0059.807] GetTickCount () returned 0x114f648 [0059.807] GetTickCount () returned 0x114f648 [0059.807] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0059.807] GetProcessHeap () returned 0x3a00000 [0059.807] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.807] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0059.809] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.809] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0059.809] GetProcessHeap () returned 0x3a00000 [0059.809] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.809] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.809] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0059.809] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0059.809] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0059.809] CloseHandle (hObject=0x42c) returned 1 [0059.810] GetProcessHeap () returned 0x3a00000 [0059.810] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.810] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{8ew5f6}.ebal") returned 61 [0059.810] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DHtmlHeader.html_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html_r00t_{8ew5f6}.ebal")) returned 1 [0059.811] GetProcessHeap () returned 0x3a00000 [0059.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.811] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0059.811] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Windows") returned -1 [0059.811] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$Recycle.bin") returned 1 [0059.811] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="System Volume Information") returned -1 [0059.811] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files") returned -1 [0059.811] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="Program Files (x86)") returned -1 [0059.811] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 41 [0059.811] StrStrIW (lpFirst="DisplayIcon.ico", lpSrch=".ebal") returned 0x0 [0059.811] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.811] lstrcmpW (lpString1="DisplayIcon.ico", lpString2="taridd") returned -1 [0059.811] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.811] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.812] GetTickCount () returned 0x114f648 [0059.812] GetTickCount () returned 0x114f648 [0059.812] GetTickCount () returned 0x114f648 [0059.812] GetTickCount () returned 0x114f648 [0059.812] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0059.812] GetProcessHeap () returned 0x3a00000 [0059.812] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.812] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0059.816] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.816] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0059.816] GetProcessHeap () returned 0x3a00000 [0059.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.816] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.816] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0059.816] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0059.816] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0059.816] CloseHandle (hObject=0x42c) returned 1 [0059.819] GetProcessHeap () returned 0x3a00000 [0059.819] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.819] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{8ew5f6}.ebal") returned 60 [0059.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\DisplayIcon.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.819] GetProcessHeap () returned 0x3a00000 [0059.819] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.819] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Extended", cAlternateFileName="")) returned 1 [0059.819] lstrcmpiW (lpString1="Extended", lpString2="Windows") returned -1 [0059.819] lstrcmpiW (lpString1="Extended", lpString2="$Recycle.bin") returned 1 [0059.820] lstrcmpiW (lpString1="Extended", lpString2="System Volume Information") returned -1 [0059.820] lstrcmpiW (lpString1="Extended", lpString2="Program Files") returned -1 [0059.820] lstrcmpiW (lpString1="Extended", lpString2="Program Files (x86)") returned -1 [0059.820] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended") returned 34 [0059.820] lstrcmpW (lpString1="Extended", lpString2=".") returned 1 [0059.820] lstrcmpW (lpString1="Extended", lpString2="..") returned 1 [0059.820] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Extended", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.820] GetProcessHeap () returned 0x3a00000 [0059.820] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.820] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*") returned 36 [0059.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0059.820] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.820] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.820] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.820] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.820] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.820] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\.") returned 36 [0059.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.820] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.820] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.820] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.820] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.820] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.820] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.820] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\..") returned 37 [0059.820] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.820] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.820] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0059.820] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Windows") returned -1 [0059.820] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$Recycle.bin") returned 1 [0059.821] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="System Volume Information") returned -1 [0059.821] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files") returned -1 [0059.821] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="Program Files (x86)") returned -1 [0059.821] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 52 [0059.821] StrStrIW (lpFirst="Parameterinfo.xml", lpSrch=".ebal") returned 0x0 [0059.821] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.821] lstrcmpW (lpString1="Parameterinfo.xml", lpString2="taridd") returned -1 [0059.821] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.821] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.821] GetTickCount () returned 0x114f658 [0059.821] GetTickCount () returned 0x114f658 [0059.821] GetTickCount () returned 0x114f658 [0059.821] GetTickCount () returned 0x114f658 [0059.821] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.821] GetProcessHeap () returned 0x3a00000 [0059.821] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.821] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.823] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.824] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.824] GetProcessHeap () returned 0x3a00000 [0059.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.824] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.824] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.824] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.824] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.824] CloseHandle (hObject=0x430) returned 1 [0059.827] GetProcessHeap () returned 0x3a00000 [0059.827] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0059.827] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{8ew5f6}.ebal") returned 71 [0059.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.828] GetProcessHeap () returned 0x3a00000 [0059.828] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0059.828] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0059.828] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0059.828] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0059.828] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0059.828] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0059.828] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0059.828] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 45 [0059.828] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".ebal") returned 0x0 [0059.828] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.828] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0059.828] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.828] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.829] GetTickCount () returned 0x114f658 [0059.829] GetTickCount () returned 0x114f658 [0059.829] GetTickCount () returned 0x114f658 [0059.829] GetTickCount () returned 0x114f658 [0059.829] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.829] GetProcessHeap () returned 0x3a00000 [0059.829] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.829] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.831] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.831] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0059.831] GetProcessHeap () returned 0x3a00000 [0059.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.831] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.831] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.831] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.831] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.831] CloseHandle (hObject=0x430) returned 1 [0059.833] GetProcessHeap () returned 0x3a00000 [0059.833] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.833] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{8ew5f6}.ebal") returned 64 [0059.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\UiInfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0059.833] GetProcessHeap () returned 0x3a00000 [0059.833] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.834] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0059.834] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0059.834] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0059.834] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Extended\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\extended\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0059.835] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0059.836] CloseHandle (hObject=0x42c) returned 1 [0059.836] GetProcessHeap () returned 0x3a00000 [0059.836] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0059.836] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0059.836] lstrcmpiW (lpString1="Graphics", lpString2="Windows") returned -1 [0059.836] lstrcmpiW (lpString1="Graphics", lpString2="$Recycle.bin") returned 1 [0059.836] lstrcmpiW (lpString1="Graphics", lpString2="System Volume Information") returned -1 [0059.836] lstrcmpiW (lpString1="Graphics", lpString2="Program Files") returned -1 [0059.836] lstrcmpiW (lpString1="Graphics", lpString2="Program Files (x86)") returned -1 [0059.836] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics") returned 34 [0059.836] lstrcmpW (lpString1="Graphics", lpString2=".") returned 1 [0059.837] lstrcmpW (lpString1="Graphics", lpString2="..") returned 1 [0059.837] lstrcmpW (lpString1="\\\\?\\C:\\588bce7c90097ed212\\Graphics", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0059.837] GetProcessHeap () returned 0x3a00000 [0059.837] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0059.837] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*") returned 36 [0059.837] FindFirstFileW (in: lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0059.924] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0059.924] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0059.925] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0059.925] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0059.925] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0059.925] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\.") returned 36 [0059.925] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0059.925] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0059.925] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0059.925] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0059.925] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0059.925] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0059.925] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0059.925] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\..") returned 37 [0059.925] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0059.925] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0059.925] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0059.925] lstrcmpiW (lpString1="Print.ico", lpString2="Windows") returned -1 [0059.925] lstrcmpiW (lpString1="Print.ico", lpString2="$Recycle.bin") returned 1 [0059.925] lstrcmpiW (lpString1="Print.ico", lpString2="System Volume Information") returned -1 [0059.925] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files") returned -1 [0059.925] lstrcmpiW (lpString1="Print.ico", lpString2="Program Files (x86)") returned -1 [0059.925] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 44 [0059.925] StrStrIW (lpFirst="Print.ico", lpSrch=".ebal") returned 0x0 [0059.925] lstrcmpW (lpString1="Print.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.925] lstrcmpW (lpString1="Print.ico", lpString2="taridd") returned -1 [0059.925] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.925] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.926] GetTickCount () returned 0x114f6c5 [0059.926] GetTickCount () returned 0x114f6c5 [0059.926] GetTickCount () returned 0x114f6c5 [0059.926] GetTickCount () returned 0x114f6c5 [0059.926] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.926] GetProcessHeap () returned 0x3a00000 [0059.927] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.927] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0059.928] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.928] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0059.928] GetProcessHeap () returned 0x3a00000 [0059.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.929] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.929] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.929] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.929] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.929] CloseHandle (hObject=0x430) returned 1 [0059.930] GetProcessHeap () returned 0x3a00000 [0059.930] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.930] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{8ew5f6}.ebal") returned 63 [0059.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Print.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.930] GetProcessHeap () returned 0x3a00000 [0059.930] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.930] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0059.930] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Windows") returned -1 [0059.931] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$Recycle.bin") returned 1 [0059.931] lstrcmpiW (lpString1="Rotate1.ico", lpString2="System Volume Information") returned -1 [0059.931] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files") returned 1 [0059.931] lstrcmpiW (lpString1="Rotate1.ico", lpString2="Program Files (x86)") returned 1 [0059.931] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 46 [0059.931] StrStrIW (lpFirst="Rotate1.ico", lpSrch=".ebal") returned 0x0 [0059.931] lstrcmpW (lpString1="Rotate1.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.931] lstrcmpW (lpString1="Rotate1.ico", lpString2="taridd") returned -1 [0059.931] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.931] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.931] GetTickCount () returned 0x114f6c5 [0059.931] GetTickCount () returned 0x114f6c5 [0059.931] GetTickCount () returned 0x114f6c5 [0059.931] GetTickCount () returned 0x114f6c5 [0059.931] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.931] GetProcessHeap () returned 0x3a00000 [0059.931] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.931] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.933] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.933] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.933] GetProcessHeap () returned 0x3a00000 [0059.933] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.933] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.933] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.933] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.933] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.933] CloseHandle (hObject=0x430) returned 1 [0059.934] GetProcessHeap () returned 0x3a00000 [0059.934] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.934] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.934] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.934] GetProcessHeap () returned 0x3a00000 [0059.934] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.934] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0059.934] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Windows") returned -1 [0059.934] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$Recycle.bin") returned 1 [0059.934] lstrcmpiW (lpString1="Rotate2.ico", lpString2="System Volume Information") returned -1 [0059.934] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files") returned 1 [0059.934] lstrcmpiW (lpString1="Rotate2.ico", lpString2="Program Files (x86)") returned 1 [0059.934] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 46 [0059.934] StrStrIW (lpFirst="Rotate2.ico", lpSrch=".ebal") returned 0x0 [0059.934] lstrcmpW (lpString1="Rotate2.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.934] lstrcmpW (lpString1="Rotate2.ico", lpString2="taridd") returned -1 [0059.934] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.934] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.935] GetTickCount () returned 0x114f6c5 [0059.935] GetTickCount () returned 0x114f6c5 [0059.935] GetTickCount () returned 0x114f6c5 [0059.935] GetTickCount () returned 0x114f6c5 [0059.935] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.935] GetProcessHeap () returned 0x3a00000 [0059.935] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.935] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.936] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.936] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.937] GetProcessHeap () returned 0x3a00000 [0059.937] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.937] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.937] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.937] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.937] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.937] CloseHandle (hObject=0x430) returned 1 [0059.938] GetProcessHeap () returned 0x3a00000 [0059.938] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.938] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.938] GetProcessHeap () returned 0x3a00000 [0059.938] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.938] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0059.938] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Windows") returned -1 [0059.938] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$Recycle.bin") returned 1 [0059.938] lstrcmpiW (lpString1="Rotate3.ico", lpString2="System Volume Information") returned -1 [0059.938] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files") returned 1 [0059.938] lstrcmpiW (lpString1="Rotate3.ico", lpString2="Program Files (x86)") returned 1 [0059.938] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 46 [0059.938] StrStrIW (lpFirst="Rotate3.ico", lpSrch=".ebal") returned 0x0 [0059.938] lstrcmpW (lpString1="Rotate3.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.938] lstrcmpW (lpString1="Rotate3.ico", lpString2="taridd") returned -1 [0059.938] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.938] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.939] GetTickCount () returned 0x114f6d5 [0059.939] GetTickCount () returned 0x114f6d5 [0059.939] GetTickCount () returned 0x114f6d5 [0059.939] GetTickCount () returned 0x114f6d5 [0059.939] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.939] GetProcessHeap () returned 0x3a00000 [0059.939] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.939] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.940] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.941] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.941] GetProcessHeap () returned 0x3a00000 [0059.941] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.941] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.941] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.941] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.941] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.941] CloseHandle (hObject=0x430) returned 1 [0059.942] GetProcessHeap () returned 0x3a00000 [0059.942] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.942] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.942] GetProcessHeap () returned 0x3a00000 [0059.942] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.942] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0059.942] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Windows") returned -1 [0059.942] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$Recycle.bin") returned 1 [0059.942] lstrcmpiW (lpString1="Rotate4.ico", lpString2="System Volume Information") returned -1 [0059.942] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files") returned 1 [0059.942] lstrcmpiW (lpString1="Rotate4.ico", lpString2="Program Files (x86)") returned 1 [0059.943] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 46 [0059.943] StrStrIW (lpFirst="Rotate4.ico", lpSrch=".ebal") returned 0x0 [0059.943] lstrcmpW (lpString1="Rotate4.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.943] lstrcmpW (lpString1="Rotate4.ico", lpString2="taridd") returned -1 [0059.943] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.943] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.943] GetTickCount () returned 0x114f6d5 [0059.943] GetTickCount () returned 0x114f6d5 [0059.943] GetTickCount () returned 0x114f6d5 [0059.943] GetTickCount () returned 0x114f6d5 [0059.943] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.944] GetProcessHeap () returned 0x3a00000 [0059.944] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.944] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.945] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.945] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.945] GetProcessHeap () returned 0x3a00000 [0059.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.945] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.945] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.945] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.945] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.945] CloseHandle (hObject=0x430) returned 1 [0059.946] GetProcessHeap () returned 0x3a00000 [0059.946] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.946] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.947] GetProcessHeap () returned 0x3a00000 [0059.947] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.947] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0059.947] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Windows") returned -1 [0059.947] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$Recycle.bin") returned 1 [0059.947] lstrcmpiW (lpString1="Rotate5.ico", lpString2="System Volume Information") returned -1 [0059.947] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files") returned 1 [0059.947] lstrcmpiW (lpString1="Rotate5.ico", lpString2="Program Files (x86)") returned 1 [0059.947] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 46 [0059.947] StrStrIW (lpFirst="Rotate5.ico", lpSrch=".ebal") returned 0x0 [0059.947] lstrcmpW (lpString1="Rotate5.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.947] lstrcmpW (lpString1="Rotate5.ico", lpString2="taridd") returned -1 [0059.947] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.947] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.947] GetTickCount () returned 0x114f6d5 [0059.947] GetTickCount () returned 0x114f6d5 [0059.947] GetTickCount () returned 0x114f6d5 [0059.947] GetTickCount () returned 0x114f6d5 [0059.947] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.947] GetProcessHeap () returned 0x3a00000 [0059.947] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.947] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.949] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.949] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.949] GetProcessHeap () returned 0x3a00000 [0059.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.949] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.949] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.949] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.949] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.949] CloseHandle (hObject=0x430) returned 1 [0059.950] GetProcessHeap () returned 0x3a00000 [0059.950] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.950] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.950] GetProcessHeap () returned 0x3a00000 [0059.950] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.950] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0059.950] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Windows") returned -1 [0059.950] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$Recycle.bin") returned 1 [0059.950] lstrcmpiW (lpString1="Rotate6.ico", lpString2="System Volume Information") returned -1 [0059.950] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files") returned 1 [0059.951] lstrcmpiW (lpString1="Rotate6.ico", lpString2="Program Files (x86)") returned 1 [0059.951] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 46 [0059.951] StrStrIW (lpFirst="Rotate6.ico", lpSrch=".ebal") returned 0x0 [0059.951] lstrcmpW (lpString1="Rotate6.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.951] lstrcmpW (lpString1="Rotate6.ico", lpString2="taridd") returned -1 [0059.951] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.951] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.951] GetTickCount () returned 0x114f6d5 [0059.951] GetTickCount () returned 0x114f6d5 [0059.951] GetTickCount () returned 0x114f6d5 [0059.951] GetTickCount () returned 0x114f6d5 [0059.951] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.951] GetProcessHeap () returned 0x3a00000 [0059.951] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.951] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.953] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.953] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.953] GetProcessHeap () returned 0x3a00000 [0059.953] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.953] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.953] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.953] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.953] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.953] CloseHandle (hObject=0x430) returned 1 [0059.958] GetProcessHeap () returned 0x3a00000 [0059.958] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.958] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.959] GetProcessHeap () returned 0x3a00000 [0059.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.959] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0059.959] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Windows") returned -1 [0059.959] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$Recycle.bin") returned 1 [0059.959] lstrcmpiW (lpString1="Rotate7.ico", lpString2="System Volume Information") returned -1 [0059.959] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files") returned 1 [0059.959] lstrcmpiW (lpString1="Rotate7.ico", lpString2="Program Files (x86)") returned 1 [0059.959] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 46 [0059.959] StrStrIW (lpFirst="Rotate7.ico", lpSrch=".ebal") returned 0x0 [0059.959] lstrcmpW (lpString1="Rotate7.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.959] lstrcmpW (lpString1="Rotate7.ico", lpString2="taridd") returned -1 [0059.959] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.959] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0059.959] GetTickCount () returned 0x114f6e4 [0059.959] GetTickCount () returned 0x114f6e4 [0059.959] GetTickCount () returned 0x114f6e4 [0059.959] GetTickCount () returned 0x114f6e4 [0059.959] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0059.960] GetProcessHeap () returned 0x3a00000 [0059.960] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0059.960] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.961] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0059.961] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0059.961] GetProcessHeap () returned 0x3a00000 [0059.961] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0059.961] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.961] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0059.961] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0059.961] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0059.961] CloseHandle (hObject=0x430) returned 1 [0059.962] GetProcessHeap () returned 0x3a00000 [0059.962] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0059.962] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{8ew5f6}.ebal") returned 65 [0059.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico_r00t_{8ew5f6}.ebal")) returned 1 [0059.963] GetProcessHeap () returned 0x3a00000 [0059.963] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0059.963] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0059.963] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Windows") returned -1 [0059.963] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$Recycle.bin") returned 1 [0059.963] lstrcmpiW (lpString1="Rotate8.ico", lpString2="System Volume Information") returned -1 [0059.963] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files") returned 1 [0059.963] lstrcmpiW (lpString1="Rotate8.ico", lpString2="Program Files (x86)") returned 1 [0059.963] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 46 [0059.963] StrStrIW (lpFirst="Rotate8.ico", lpSrch=".ebal") returned 0x0 [0059.963] lstrcmpW (lpString1="Rotate8.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0059.963] lstrcmpW (lpString1="Rotate8.ico", lpString2="taridd") returned -1 [0059.963] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0059.963] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.203] GetTickCount () returned 0x114f7cf [0060.203] GetTickCount () returned 0x114f7cf [0060.203] GetTickCount () returned 0x114f7cf [0060.203] GetTickCount () returned 0x114f7cf [0060.203] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.203] GetProcessHeap () returned 0x3a00000 [0060.203] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.203] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.205] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.205] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x37e, lpOverlapped=0x0) returned 1 [0060.205] GetProcessHeap () returned 0x3a00000 [0060.205] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.205] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.205] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.206] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.206] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.206] CloseHandle (hObject=0x430) returned 1 [0060.207] GetProcessHeap () returned 0x3a00000 [0060.207] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.207] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{8ew5f6}.ebal") returned 65 [0060.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.207] GetProcessHeap () returned 0x3a00000 [0060.207] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.207] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0060.207] lstrcmpiW (lpString1="Save.ico", lpString2="Windows") returned -1 [0060.207] lstrcmpiW (lpString1="Save.ico", lpString2="$Recycle.bin") returned 1 [0060.207] lstrcmpiW (lpString1="Save.ico", lpString2="System Volume Information") returned -1 [0060.207] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files") returned 1 [0060.207] lstrcmpiW (lpString1="Save.ico", lpString2="Program Files (x86)") returned 1 [0060.207] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 43 [0060.207] StrStrIW (lpFirst="Save.ico", lpSrch=".ebal") returned 0x0 [0060.207] lstrcmpW (lpString1="Save.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.208] lstrcmpW (lpString1="Save.ico", lpString2="taridd") returned -1 [0060.208] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.208] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.208] GetTickCount () returned 0x114f7cf [0060.208] GetTickCount () returned 0x114f7cf [0060.208] GetTickCount () returned 0x114f7cf [0060.208] GetTickCount () returned 0x114f7cf [0060.208] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.208] GetProcessHeap () returned 0x3a00000 [0060.208] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.208] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.209] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.209] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.210] GetProcessHeap () returned 0x3a00000 [0060.210] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.210] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.210] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.210] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.210] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.210] CloseHandle (hObject=0x430) returned 1 [0060.211] GetProcessHeap () returned 0x3a00000 [0060.211] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.211] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{8ew5f6}.ebal") returned 62 [0060.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Save.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.212] GetProcessHeap () returned 0x3a00000 [0060.212] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.212] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0060.212] lstrcmpiW (lpString1="Setup.ico", lpString2="Windows") returned -1 [0060.212] lstrcmpiW (lpString1="Setup.ico", lpString2="$Recycle.bin") returned 1 [0060.212] lstrcmpiW (lpString1="Setup.ico", lpString2="System Volume Information") returned -1 [0060.212] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files") returned 1 [0060.212] lstrcmpiW (lpString1="Setup.ico", lpString2="Program Files (x86)") returned 1 [0060.212] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 44 [0060.212] StrStrIW (lpFirst="Setup.ico", lpSrch=".ebal") returned 0x0 [0060.212] lstrcmpW (lpString1="Setup.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.212] lstrcmpW (lpString1="Setup.ico", lpString2="taridd") returned -1 [0060.212] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.212] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.212] GetTickCount () returned 0x114f7de [0060.212] GetTickCount () returned 0x114f7de [0060.212] GetTickCount () returned 0x114f7de [0060.212] GetTickCount () returned 0x114f7de [0060.212] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.213] GetProcessHeap () returned 0x3a00000 [0060.213] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.213] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.214] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.215] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0060.215] GetProcessHeap () returned 0x3a00000 [0060.215] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.215] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.215] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.215] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.215] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.215] CloseHandle (hObject=0x430) returned 1 [0060.217] GetProcessHeap () returned 0x3a00000 [0060.217] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.217] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{8ew5f6}.ebal") returned 63 [0060.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\Setup.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.217] GetProcessHeap () returned 0x3a00000 [0060.217] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.217] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0060.217] lstrcmpiW (lpString1="stop.ico", lpString2="Windows") returned -1 [0060.217] lstrcmpiW (lpString1="stop.ico", lpString2="$Recycle.bin") returned 1 [0060.218] lstrcmpiW (lpString1="stop.ico", lpString2="System Volume Information") returned -1 [0060.218] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files") returned 1 [0060.218] lstrcmpiW (lpString1="stop.ico", lpString2="Program Files (x86)") returned 1 [0060.218] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 43 [0060.218] StrStrIW (lpFirst="stop.ico", lpSrch=".ebal") returned 0x0 [0060.218] lstrcmpW (lpString1="stop.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.218] lstrcmpW (lpString1="stop.ico", lpString2="taridd") returned -1 [0060.218] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.218] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.218] GetTickCount () returned 0x114f7de [0060.218] GetTickCount () returned 0x114f7de [0060.218] GetTickCount () returned 0x114f7de [0060.218] GetTickCount () returned 0x114f7de [0060.218] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.218] GetProcessHeap () returned 0x3a00000 [0060.218] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.218] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.220] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.220] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.220] GetProcessHeap () returned 0x3a00000 [0060.220] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.220] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.220] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.220] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.220] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.220] CloseHandle (hObject=0x430) returned 1 [0060.221] GetProcessHeap () returned 0x3a00000 [0060.221] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.221] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{8ew5f6}.ebal") returned 62 [0060.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\stop.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.221] GetProcessHeap () returned 0x3a00000 [0060.221] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.221] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0060.221] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Windows") returned -1 [0060.222] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$Recycle.bin") returned 1 [0060.222] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="System Volume Information") returned -1 [0060.222] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files") returned 1 [0060.222] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="Program Files (x86)") returned 1 [0060.222] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 48 [0060.222] StrStrIW (lpFirst="SysReqMet.ico", lpSrch=".ebal") returned 0x0 [0060.222] lstrcmpW (lpString1="SysReqMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.222] lstrcmpW (lpString1="SysReqMet.ico", lpString2="taridd") returned -1 [0060.222] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.222] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.222] GetTickCount () returned 0x114f7de [0060.222] GetTickCount () returned 0x114f7de [0060.222] GetTickCount () returned 0x114f7de [0060.222] GetTickCount () returned 0x114f7de [0060.222] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.222] GetProcessHeap () returned 0x3a00000 [0060.222] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.222] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.224] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.224] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.224] GetProcessHeap () returned 0x3a00000 [0060.224] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.224] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.224] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.224] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.224] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.224] CloseHandle (hObject=0x430) returned 1 [0060.225] GetProcessHeap () returned 0x3a00000 [0060.225] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.225] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{8ew5f6}.ebal") returned 67 [0060.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.225] GetProcessHeap () returned 0x3a00000 [0060.225] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.225] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0060.225] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Windows") returned -1 [0060.226] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$Recycle.bin") returned 1 [0060.226] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="System Volume Information") returned -1 [0060.226] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files") returned 1 [0060.226] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="Program Files (x86)") returned 1 [0060.226] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 51 [0060.226] StrStrIW (lpFirst="SysReqNotMet.ico", lpSrch=".ebal") returned 0x0 [0060.226] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.226] lstrcmpW (lpString1="SysReqNotMet.ico", lpString2="taridd") returned -1 [0060.226] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.226] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.226] GetTickCount () returned 0x114f7ee [0060.226] GetTickCount () returned 0x114f7ee [0060.227] GetTickCount () returned 0x114f7ee [0060.227] GetTickCount () returned 0x114f7ee [0060.227] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.227] GetProcessHeap () returned 0x3a00000 [0060.227] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.227] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.228] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffb82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.228] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x47e, lpOverlapped=0x0) returned 1 [0060.228] GetProcessHeap () returned 0x3a00000 [0060.228] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.228] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.228] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.229] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.229] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.229] CloseHandle (hObject=0x430) returned 1 [0060.229] GetProcessHeap () returned 0x3a00000 [0060.229] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.229] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{8ew5f6}.ebal") returned 70 [0060.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.230] GetProcessHeap () returned 0x3a00000 [0060.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.230] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0060.230] lstrcmpiW (lpString1="warn.ico", lpString2="Windows") returned -1 [0060.230] lstrcmpiW (lpString1="warn.ico", lpString2="$Recycle.bin") returned 1 [0060.230] lstrcmpiW (lpString1="warn.ico", lpString2="System Volume Information") returned 1 [0060.230] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files") returned 1 [0060.230] lstrcmpiW (lpString1="warn.ico", lpString2="Program Files (x86)") returned 1 [0060.230] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 43 [0060.230] StrStrIW (lpFirst="warn.ico", lpSrch=".ebal") returned 0x0 [0060.230] lstrcmpW (lpString1="warn.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.230] lstrcmpW (lpString1="warn.ico", lpString2="taridd") returned 1 [0060.230] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.230] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0060.231] GetTickCount () returned 0x114f7ee [0060.231] GetTickCount () returned 0x114f7ee [0060.231] GetTickCount () returned 0x114f7ee [0060.231] GetTickCount () returned 0x114f7ee [0060.231] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0060.231] GetProcessHeap () returned 0x3a00000 [0060.231] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.231] ReadFile (in: hFile=0x430, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65af7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.232] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd86a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.232] WriteFile (in: hFile=0x430, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65af7e4*=0x2796, lpOverlapped=0x0) returned 1 [0060.233] GetProcessHeap () returned 0x3a00000 [0060.233] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.233] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.233] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0060.233] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0060.233] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0060.233] CloseHandle (hObject=0x430) returned 1 [0060.234] GetProcessHeap () returned 0x3a00000 [0060.234] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0060.234] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{8ew5f6}.ebal") returned 62 [0060.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\warn.ico_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico_r00t_{8ew5f6}.ebal")) returned 1 [0060.234] GetProcessHeap () returned 0x3a00000 [0060.234] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0060.234] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0060.234] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0060.234] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0060.234] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Graphics\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\graphics\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.235] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0060.236] CloseHandle (hObject=0x42c) returned 1 [0060.237] GetProcessHeap () returned 0x3a00000 [0060.237] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0060.237] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0060.237] lstrcmpiW (lpString1="header.bmp", lpString2="Windows") returned -1 [0060.237] lstrcmpiW (lpString1="header.bmp", lpString2="$Recycle.bin") returned 1 [0060.237] lstrcmpiW (lpString1="header.bmp", lpString2="System Volume Information") returned -1 [0060.237] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files") returned -1 [0060.237] lstrcmpiW (lpString1="header.bmp", lpString2="Program Files (x86)") returned -1 [0060.237] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp") returned 36 [0060.237] StrStrIW (lpFirst="header.bmp", lpSrch=".ebal") returned 0x0 [0060.237] lstrcmpW (lpString1="header.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.237] lstrcmpW (lpString1="header.bmp", lpString2="taridd") returned -1 [0060.237] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\header.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.237] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.238] GetTickCount () returned 0x114f7ee [0060.238] GetTickCount () returned 0x114f7ee [0060.238] GetTickCount () returned 0x114f7ee [0060.238] GetTickCount () returned 0x114f7ee [0060.238] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0060.238] GetProcessHeap () returned 0x3a00000 [0060.238] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.238] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0060.246] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffff1d4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.246] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0xe2c, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0xe2c, lpOverlapped=0x0) returned 1 [0060.246] GetProcessHeap () returned 0x3a00000 [0060.246] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.246] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.247] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.247] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.247] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.247] CloseHandle (hObject=0x42c) returned 1 [0060.248] GetProcessHeap () returned 0x3a00000 [0060.248] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0060.248] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{8ew5f6}.ebal") returned 55 [0060.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\header.bmp_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\header.bmp_r00t_{8ew5f6}.ebal")) returned 1 [0060.249] GetProcessHeap () returned 0x3a00000 [0060.249] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0060.249] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0060.249] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Windows") returned -1 [0060.249] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$Recycle.bin") returned 1 [0060.249] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="System Volume Information") returned -1 [0060.249] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files") returned -1 [0060.249] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="Program Files (x86)") returned -1 [0060.249] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 40 [0060.249] StrStrIW (lpFirst="netfx_Core.mzz", lpSrch=".ebal") returned 0x0 [0060.249] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.249] lstrcmpW (lpString1="netfx_Core.mzz", lpString2="taridd") returned -1 [0060.249] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.249] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.249] GetTickCount () returned 0x114f7fd [0060.249] GetTickCount () returned 0x114f7fd [0060.249] GetTickCount () returned 0x114f7fd [0060.249] GetTickCount () returned 0x114f7fd [0060.249] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0060.249] GetProcessHeap () returned 0x3a00000 [0060.249] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.249] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.262] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.262] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.262] GetProcessHeap () returned 0x3a00000 [0060.263] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.263] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.263] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.264] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.264] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.264] CloseHandle (hObject=0x42c) returned 1 [0060.701] GetProcessHeap () returned 0x3a00000 [0060.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0060.701] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{8ew5f6}.ebal") returned 59 [0060.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core.mzz_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz_r00t_{8ew5f6}.ebal")) returned 1 [0060.702] GetProcessHeap () returned 0x3a00000 [0060.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0060.702] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0060.702] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Windows") returned -1 [0060.702] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$Recycle.bin") returned 1 [0060.702] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="System Volume Information") returned -1 [0060.702] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files") returned -1 [0060.702] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="Program Files (x86)") returned -1 [0060.702] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 44 [0060.702] StrStrIW (lpFirst="netfx_Core_x64.msi", lpSrch=".ebal") returned 0x0 [0060.702] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.702] lstrcmpW (lpString1="netfx_Core_x64.msi", lpString2="taridd") returned -1 [0060.702] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.702] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.703] GetTickCount () returned 0x114f9c3 [0060.703] GetTickCount () returned 0x114f9c3 [0060.703] GetTickCount () returned 0x114f9c3 [0060.703] GetTickCount () returned 0x114f9c3 [0060.703] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0060.703] GetProcessHeap () returned 0x3a00000 [0060.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.703] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.706] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.706] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.706] GetProcessHeap () returned 0x3a00000 [0060.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.706] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.706] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.707] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.707] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.708] CloseHandle (hObject=0x42c) returned 1 [0060.781] GetProcessHeap () returned 0x3a00000 [0060.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0060.781] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{8ew5f6}.ebal") returned 63 [0060.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0060.782] GetProcessHeap () returned 0x3a00000 [0060.782] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0060.782] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0060.782] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Windows") returned -1 [0060.782] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$Recycle.bin") returned 1 [0060.782] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="System Volume Information") returned -1 [0060.782] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files") returned -1 [0060.782] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="Program Files (x86)") returned -1 [0060.782] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 44 [0060.782] StrStrIW (lpFirst="netfx_Core_x86.msi", lpSrch=".ebal") returned 0x0 [0060.782] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.782] lstrcmpW (lpString1="netfx_Core_x86.msi", lpString2="taridd") returned -1 [0060.782] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.782] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.783] GetTickCount () returned 0x114fa11 [0060.783] GetTickCount () returned 0x114fa11 [0060.783] GetTickCount () returned 0x114fa11 [0060.783] GetTickCount () returned 0x114fa11 [0060.783] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0060.783] GetProcessHeap () returned 0x3a00000 [0060.783] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.783] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.785] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.785] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.785] GetProcessHeap () returned 0x3a00000 [0060.785] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.785] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.785] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0060.787] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0060.788] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0060.788] CloseHandle (hObject=0x42c) returned 1 [0060.817] GetProcessHeap () returned 0x3a00000 [0060.817] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0060.817] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{8ew5f6}.ebal") returned 63 [0060.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Core_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0060.817] GetProcessHeap () returned 0x3a00000 [0060.817] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0060.817] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0060.817] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Windows") returned -1 [0060.817] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$Recycle.bin") returned 1 [0060.817] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="System Volume Information") returned -1 [0060.817] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files") returned -1 [0060.817] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="Program Files (x86)") returned -1 [0060.817] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 44 [0060.817] StrStrIW (lpFirst="netfx_Extended.mzz", lpSrch=".ebal") returned 0x0 [0060.818] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0060.818] lstrcmpW (lpString1="netfx_Extended.mzz", lpString2="taridd") returned -1 [0060.818] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0060.818] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0060.818] GetTickCount () returned 0x114fa30 [0060.818] GetTickCount () returned 0x114fa30 [0060.818] GetTickCount () returned 0x114fa30 [0060.818] GetTickCount () returned 0x114fa30 [0060.818] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0060.818] GetProcessHeap () returned 0x3a00000 [0060.818] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0060.818] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.821] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0060.821] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0060.821] GetProcessHeap () returned 0x3a00000 [0060.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0060.821] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.821] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.052] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.052] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.052] CloseHandle (hObject=0x42c) returned 1 [0061.507] GetProcessHeap () returned 0x3a00000 [0061.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.507] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{8ew5f6}.ebal") returned 63 [0061.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended.mzz_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz_r00t_{8ew5f6}.ebal")) returned 1 [0061.507] GetProcessHeap () returned 0x3a00000 [0061.507] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.508] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0061.508] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Windows") returned -1 [0061.508] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$Recycle.bin") returned 1 [0061.508] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="System Volume Information") returned -1 [0061.508] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files") returned -1 [0061.508] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="Program Files (x86)") returned -1 [0061.508] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 48 [0061.508] StrStrIW (lpFirst="netfx_Extended_x64.msi", lpSrch=".ebal") returned 0x0 [0061.508] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.508] lstrcmpW (lpString1="netfx_Extended_x64.msi", lpString2="taridd") returned -1 [0061.508] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.508] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.509] GetTickCount () returned 0x114fcef [0061.509] GetTickCount () returned 0x114fcef [0061.509] GetTickCount () returned 0x114fcef [0061.509] GetTickCount () returned 0x114fcef [0061.509] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.509] GetProcessHeap () returned 0x3a00000 [0061.509] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.509] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.511] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.511] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.511] GetProcessHeap () returned 0x3a00000 [0061.511] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.511] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.511] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.512] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.512] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.512] CloseHandle (hObject=0x42c) returned 1 [0061.532] GetProcessHeap () returned 0x3a00000 [0061.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.532] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{8ew5f6}.ebal") returned 67 [0061.533] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0061.533] GetProcessHeap () returned 0x3a00000 [0061.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.533] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0061.534] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Windows") returned -1 [0061.534] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$Recycle.bin") returned 1 [0061.534] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="System Volume Information") returned -1 [0061.534] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files") returned -1 [0061.534] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="Program Files (x86)") returned -1 [0061.534] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 48 [0061.534] StrStrIW (lpFirst="netfx_Extended_x86.msi", lpSrch=".ebal") returned 0x0 [0061.534] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.534] lstrcmpW (lpString1="netfx_Extended_x86.msi", lpString2="taridd") returned -1 [0061.534] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.534] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.534] GetTickCount () returned 0x114fcff [0061.534] GetTickCount () returned 0x114fcff [0061.534] GetTickCount () returned 0x114fcff [0061.534] GetTickCount () returned 0x114fcff [0061.534] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.534] GetProcessHeap () returned 0x3a00000 [0061.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.534] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.536] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.536] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.537] GetProcessHeap () returned 0x3a00000 [0061.537] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.537] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.537] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.537] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.537] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.538] CloseHandle (hObject=0x42c) returned 1 [0061.548] GetProcessHeap () returned 0x3a00000 [0061.548] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.549] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{8ew5f6}.ebal") returned 67 [0061.549] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\netfx_Extended_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0061.549] GetProcessHeap () returned 0x3a00000 [0061.549] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.549] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0061.549] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Windows") returned -1 [0061.549] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$Recycle.bin") returned 1 [0061.549] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="System Volume Information") returned -1 [0061.549] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files") returned -1 [0061.549] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="Program Files (x86)") returned -1 [0061.549] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 43 [0061.549] StrStrIW (lpFirst="ParameterInfo.xml", lpSrch=".ebal") returned 0x0 [0061.549] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.549] lstrcmpW (lpString1="ParameterInfo.xml", lpString2="taridd") returned -1 [0061.549] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.550] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.566] GetTickCount () returned 0x114fd1e [0061.566] GetTickCount () returned 0x114fd1e [0061.566] GetTickCount () returned 0x114fd1e [0061.566] GetTickCount () returned 0x114fd1e [0061.566] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.566] GetProcessHeap () returned 0x3a00000 [0061.566] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.566] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.569] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.569] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.569] GetProcessHeap () returned 0x3a00000 [0061.569] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.569] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.569] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.572] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.572] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.572] CloseHandle (hObject=0x42c) returned 1 [0061.578] GetProcessHeap () returned 0x3a00000 [0061.578] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.579] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{8ew5f6}.ebal") returned 62 [0061.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\ParameterInfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0061.579] GetProcessHeap () returned 0x3a00000 [0061.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.579] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0061.579] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Windows") returned -1 [0061.579] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$Recycle.bin") returned 1 [0061.580] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="System Volume Information") returned -1 [0061.580] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files") returned 1 [0061.580] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="Program Files (x86)") returned 1 [0061.580] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 42 [0061.580] StrStrIW (lpFirst="RGB9RAST_x64.msi", lpSrch=".ebal") returned 0x0 [0061.580] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.580] lstrcmpW (lpString1="RGB9RAST_x64.msi", lpString2="taridd") returned -1 [0061.580] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.580] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.580] GetTickCount () returned 0x114fd2e [0061.580] GetTickCount () returned 0x114fd2e [0061.580] GetTickCount () returned 0x114fd2e [0061.580] GetTickCount () returned 0x114fd2e [0061.580] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.580] GetProcessHeap () returned 0x3a00000 [0061.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.580] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.582] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.582] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.582] GetProcessHeap () returned 0x3a00000 [0061.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.583] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.583] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.583] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.583] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.583] CloseHandle (hObject=0x42c) returned 1 [0061.588] GetProcessHeap () returned 0x3a00000 [0061.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.589] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{8ew5f6}.ebal") returned 61 [0061.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9RAST_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0061.589] GetProcessHeap () returned 0x3a00000 [0061.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.589] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0061.589] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Windows") returned -1 [0061.589] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$Recycle.bin") returned 1 [0061.589] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="System Volume Information") returned -1 [0061.589] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files") returned 1 [0061.589] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="Program Files (x86)") returned 1 [0061.589] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 42 [0061.589] StrStrIW (lpFirst="RGB9Rast_x86.msi", lpSrch=".ebal") returned 0x0 [0061.589] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.589] lstrcmpW (lpString1="RGB9Rast_x86.msi", lpString2="taridd") returned -1 [0061.589] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.589] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.590] GetTickCount () returned 0x114fd3d [0061.590] GetTickCount () returned 0x114fd3d [0061.590] GetTickCount () returned 0x114fd3d [0061.590] GetTickCount () returned 0x114fd3d [0061.590] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.590] GetProcessHeap () returned 0x3a00000 [0061.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.590] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.592] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.592] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.592] GetProcessHeap () returned 0x3a00000 [0061.592] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.592] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.592] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.592] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.592] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.592] CloseHandle (hObject=0x42c) returned 1 [0061.595] GetProcessHeap () returned 0x3a00000 [0061.595] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.595] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{8ew5f6}.ebal") returned 61 [0061.595] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\RGB9Rast_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0061.595] GetProcessHeap () returned 0x3a00000 [0061.595] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.596] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0061.596] lstrcmpiW (lpString1="Setup.exe", lpString2="Windows") returned -1 [0061.596] lstrcmpiW (lpString1="Setup.exe", lpString2="$Recycle.bin") returned 1 [0061.596] lstrcmpiW (lpString1="Setup.exe", lpString2="System Volume Information") returned -1 [0061.596] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files") returned 1 [0061.596] lstrcmpiW (lpString1="Setup.exe", lpString2="Program Files (x86)") returned 1 [0061.596] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe") returned 35 [0061.596] StrStrIW (lpFirst="Setup.exe", lpSrch=".ebal") returned 0x0 [0061.596] lstrcmpW (lpString1="Setup.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.596] lstrcmpW (lpString1="Setup.exe", lpString2="taridd") returned -1 [0061.596] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.596] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.596] GetTickCount () returned 0x114fd3d [0061.596] GetTickCount () returned 0x114fd3d [0061.596] GetTickCount () returned 0x114fd3d [0061.596] GetTickCount () returned 0x114fd3d [0061.596] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.596] GetProcessHeap () returned 0x3a00000 [0061.596] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.596] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.600] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.600] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.600] GetProcessHeap () returned 0x3a00000 [0061.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.600] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.600] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.600] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.600] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.600] CloseHandle (hObject=0x42c) returned 1 [0061.605] GetProcessHeap () returned 0x3a00000 [0061.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.605] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{8ew5f6}.ebal") returned 54 [0061.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Setup.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\setup.exe_r00t_{8ew5f6}.ebal")) returned 1 [0061.606] GetProcessHeap () returned 0x3a00000 [0061.606] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.606] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0061.606] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Windows") returned -1 [0061.606] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$Recycle.bin") returned 1 [0061.606] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="System Volume Information") returned -1 [0061.606] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files") returned 1 [0061.606] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="Program Files (x86)") returned 1 [0061.606] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll") returned 41 [0061.606] StrStrIW (lpFirst="SetupEngine.dll", lpSrch=".ebal") returned 0x0 [0061.606] lstrcmpW (lpString1="SetupEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.606] lstrcmpW (lpString1="SetupEngine.dll", lpString2="taridd") returned -1 [0061.606] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.606] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.607] GetTickCount () returned 0x114fd4d [0061.607] GetTickCount () returned 0x114fd4d [0061.607] GetTickCount () returned 0x114fd4d [0061.607] GetTickCount () returned 0x114fd4d [0061.607] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.607] GetProcessHeap () returned 0x3a00000 [0061.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.607] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.611] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.611] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.611] GetProcessHeap () returned 0x3a00000 [0061.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.611] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.611] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.613] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.613] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.613] CloseHandle (hObject=0x42c) returned 1 [0061.635] GetProcessHeap () returned 0x3a00000 [0061.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.635] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{8ew5f6}.ebal") returned 60 [0061.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupEngine.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll_r00t_{8ew5f6}.ebal")) returned 1 [0061.635] GetProcessHeap () returned 0x3a00000 [0061.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.635] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0061.635] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Windows") returned -1 [0061.635] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$Recycle.bin") returned 1 [0061.636] lstrcmpiW (lpString1="SetupUi.dll", lpString2="System Volume Information") returned -1 [0061.636] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files") returned 1 [0061.636] lstrcmpiW (lpString1="SetupUi.dll", lpString2="Program Files (x86)") returned 1 [0061.636] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll") returned 37 [0061.636] StrStrIW (lpFirst="SetupUi.dll", lpSrch=".ebal") returned 0x0 [0061.636] lstrcmpW (lpString1="SetupUi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.636] lstrcmpW (lpString1="SetupUi.dll", lpString2="taridd") returned -1 [0061.636] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.636] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.636] GetTickCount () returned 0x114fd6c [0061.636] GetTickCount () returned 0x114fd6c [0061.636] GetTickCount () returned 0x114fd6c [0061.636] GetTickCount () returned 0x114fd6c [0061.636] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.636] GetProcessHeap () returned 0x3a00000 [0061.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.636] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.638] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.638] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.638] GetProcessHeap () returned 0x3a00000 [0061.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.638] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.639] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.640] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.640] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.640] CloseHandle (hObject=0x42c) returned 1 [0061.646] GetProcessHeap () returned 0x3a00000 [0061.646] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.646] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{8ew5f6}.ebal") returned 56 [0061.646] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\setupui.dll_r00t_{8ew5f6}.ebal")) returned 1 [0061.647] GetProcessHeap () returned 0x3a00000 [0061.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.647] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0061.647] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Windows") returned -1 [0061.647] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$Recycle.bin") returned 1 [0061.647] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="System Volume Information") returned -1 [0061.647] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files") returned 1 [0061.647] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="Program Files (x86)") returned 1 [0061.647] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd") returned 37 [0061.647] StrStrIW (lpFirst="SetupUi.xsd", lpSrch=".ebal") returned 0x0 [0061.647] lstrcmpW (lpString1="SetupUi.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.647] lstrcmpW (lpString1="SetupUi.xsd", lpString2="taridd") returned -1 [0061.647] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.647] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.647] GetTickCount () returned 0x114fd6c [0061.647] GetTickCount () returned 0x114fd6c [0061.647] GetTickCount () returned 0x114fd6c [0061.647] GetTickCount () returned 0x114fd6c [0061.647] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.647] GetProcessHeap () returned 0x3a00000 [0061.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.647] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.649] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.649] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.649] GetProcessHeap () returned 0x3a00000 [0061.649] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.649] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.650] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.653] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.653] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.653] CloseHandle (hObject=0x42c) returned 1 [0061.678] GetProcessHeap () returned 0x3a00000 [0061.678] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.678] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{8ew5f6}.ebal") returned 56 [0061.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUi.xsd_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd_r00t_{8ew5f6}.ebal")) returned 1 [0061.678] GetProcessHeap () returned 0x3a00000 [0061.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.678] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0061.678] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Windows") returned -1 [0061.679] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$Recycle.bin") returned 1 [0061.679] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="System Volume Information") returned -1 [0061.679] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files") returned 1 [0061.679] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="Program Files (x86)") returned 1 [0061.679] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe") returned 42 [0061.679] StrStrIW (lpFirst="SetupUtility.exe", lpSrch=".ebal") returned 0x0 [0061.679] lstrcmpW (lpString1="SetupUtility.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.679] lstrcmpW (lpString1="SetupUtility.exe", lpString2="taridd") returned -1 [0061.679] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.682] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.682] GetTickCount () returned 0x114fd9b [0061.682] GetTickCount () returned 0x114fd9b [0061.682] GetTickCount () returned 0x114fd9b [0061.682] GetTickCount () returned 0x114fd9b [0061.682] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.682] GetProcessHeap () returned 0x3a00000 [0061.682] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.682] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.684] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.685] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.685] GetProcessHeap () returned 0x3a00000 [0061.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.685] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.685] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.685] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.685] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.685] CloseHandle (hObject=0x42c) returned 1 [0061.688] GetProcessHeap () returned 0x3a00000 [0061.688] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.688] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{8ew5f6}.ebal") returned 61 [0061.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SetupUtility.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe_r00t_{8ew5f6}.ebal")) returned 1 [0061.688] GetProcessHeap () returned 0x3a00000 [0061.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.688] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0061.689] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Windows") returned -1 [0061.689] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$Recycle.bin") returned 1 [0061.689] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="System Volume Information") returned -1 [0061.689] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files") returned 1 [0061.689] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="Program Files (x86)") returned 1 [0061.689] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 42 [0061.689] StrStrIW (lpFirst="SplashScreen.bmp", lpSrch=".ebal") returned 0x0 [0061.689] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.689] lstrcmpW (lpString1="SplashScreen.bmp", lpString2="taridd") returned -1 [0061.689] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.689] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.689] GetTickCount () returned 0x114fd9b [0061.689] GetTickCount () returned 0x114fd9b [0061.689] GetTickCount () returned 0x114fd9b [0061.689] GetTickCount () returned 0x114fd9b [0061.689] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.689] GetProcessHeap () returned 0x3a00000 [0061.689] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.689] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.692] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.692] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.692] GetProcessHeap () returned 0x3a00000 [0061.692] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.692] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.692] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.692] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.692] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.692] CloseHandle (hObject=0x42c) returned 1 [0061.694] GetProcessHeap () returned 0x3a00000 [0061.694] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.694] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{8ew5f6}.ebal") returned 61 [0061.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\SplashScreen.bmp_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp_r00t_{8ew5f6}.ebal")) returned 1 [0061.694] GetProcessHeap () returned 0x3a00000 [0061.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.694] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0061.694] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Windows") returned -1 [0061.694] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$Recycle.bin") returned 1 [0061.694] lstrcmpiW (lpString1="sqmapi.dll", lpString2="System Volume Information") returned -1 [0061.694] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files") returned 1 [0061.694] lstrcmpiW (lpString1="sqmapi.dll", lpString2="Program Files (x86)") returned 1 [0061.694] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll") returned 36 [0061.707] StrStrIW (lpFirst="sqmapi.dll", lpSrch=".ebal") returned 0x0 [0061.707] lstrcmpW (lpString1="sqmapi.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.707] lstrcmpW (lpString1="sqmapi.dll", lpString2="taridd") returned -1 [0061.707] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.707] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.707] GetTickCount () returned 0x114fdab [0061.707] GetTickCount () returned 0x114fdab [0061.707] GetTickCount () returned 0x114fdab [0061.707] GetTickCount () returned 0x114fdab [0061.707] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.707] GetProcessHeap () returned 0x3a00000 [0061.708] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.708] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.709] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.710] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.710] GetProcessHeap () returned 0x3a00000 [0061.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.710] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.711] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.711] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.711] CloseHandle (hObject=0x42c) returned 1 [0061.715] GetProcessHeap () returned 0x3a00000 [0061.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.715] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{8ew5f6}.ebal") returned 55 [0061.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\sqmapi.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll_r00t_{8ew5f6}.ebal")) returned 1 [0061.715] GetProcessHeap () returned 0x3a00000 [0061.715] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.715] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0061.715] lstrcmpiW (lpString1="Strings.xml", lpString2="Windows") returned -1 [0061.715] lstrcmpiW (lpString1="Strings.xml", lpString2="$Recycle.bin") returned 1 [0061.715] lstrcmpiW (lpString1="Strings.xml", lpString2="System Volume Information") returned -1 [0061.715] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files") returned 1 [0061.715] lstrcmpiW (lpString1="Strings.xml", lpString2="Program Files (x86)") returned 1 [0061.715] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml") returned 37 [0061.715] StrStrIW (lpFirst="Strings.xml", lpSrch=".ebal") returned 0x0 [0061.715] lstrcmpW (lpString1="Strings.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.715] lstrcmpW (lpString1="Strings.xml", lpString2="taridd") returned -1 [0061.716] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.716] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.716] GetTickCount () returned 0x114fdba [0061.716] GetTickCount () returned 0x114fdba [0061.716] GetTickCount () returned 0x114fdba [0061.716] GetTickCount () returned 0x114fdba [0061.716] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.716] GetProcessHeap () returned 0x3a00000 [0061.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.716] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.718] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.718] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.718] GetProcessHeap () returned 0x3a00000 [0061.718] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.718] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.718] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.719] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.719] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.719] CloseHandle (hObject=0x42c) returned 1 [0061.720] GetProcessHeap () returned 0x3a00000 [0061.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.720] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{8ew5f6}.ebal") returned 56 [0061.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Strings.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\strings.xml_r00t_{8ew5f6}.ebal")) returned 1 [0061.720] GetProcessHeap () returned 0x3a00000 [0061.720] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.720] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0061.720] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Windows") returned -1 [0061.721] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$Recycle.bin") returned 1 [0061.721] lstrcmpiW (lpString1="UiInfo.xml", lpString2="System Volume Information") returned 1 [0061.721] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files") returned 1 [0061.721] lstrcmpiW (lpString1="UiInfo.xml", lpString2="Program Files (x86)") returned 1 [0061.721] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml") returned 36 [0061.721] StrStrIW (lpFirst="UiInfo.xml", lpSrch=".ebal") returned 0x0 [0061.721] lstrcmpW (lpString1="UiInfo.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.721] lstrcmpW (lpString1="UiInfo.xml", lpString2="taridd") returned 1 [0061.721] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.721] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.721] GetTickCount () returned 0x114fdba [0061.721] GetTickCount () returned 0x114fdba [0061.721] GetTickCount () returned 0x114fdba [0061.721] GetTickCount () returned 0x114fdba [0061.721] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.721] GetProcessHeap () returned 0x3a00000 [0061.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.721] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.723] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.723] GetProcessHeap () returned 0x3a00000 [0061.723] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.723] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.724] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.724] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.724] CloseHandle (hObject=0x42c) returned 1 [0061.725] GetProcessHeap () returned 0x3a00000 [0061.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.725] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{8ew5f6}.ebal") returned 55 [0061.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\UiInfo.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml_r00t_{8ew5f6}.ebal")) returned 1 [0061.726] GetProcessHeap () returned 0x3a00000 [0061.726] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.726] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0061.726] lstrcmpiW (lpString1="watermark.bmp", lpString2="Windows") returned -1 [0061.726] lstrcmpiW (lpString1="watermark.bmp", lpString2="$Recycle.bin") returned 1 [0061.726] lstrcmpiW (lpString1="watermark.bmp", lpString2="System Volume Information") returned 1 [0061.726] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files") returned 1 [0061.726] lstrcmpiW (lpString1="watermark.bmp", lpString2="Program Files (x86)") returned 1 [0061.726] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp") returned 39 [0061.726] StrStrIW (lpFirst="watermark.bmp", lpSrch=".ebal") returned 0x0 [0061.726] lstrcmpW (lpString1="watermark.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.726] lstrcmpW (lpString1="watermark.bmp", lpString2="taridd") returned 1 [0061.726] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.726] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.727] GetTickCount () returned 0x114fdca [0061.727] GetTickCount () returned 0x114fdca [0061.727] GetTickCount () returned 0x114fdca [0061.727] GetTickCount () returned 0x114fdca [0061.727] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.727] GetProcessHeap () returned 0x3a00000 [0061.727] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.727] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.729] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.729] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.729] GetProcessHeap () returned 0x3a00000 [0061.729] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.729] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.729] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.729] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.729] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.729] CloseHandle (hObject=0x42c) returned 1 [0061.742] GetProcessHeap () returned 0x3a00000 [0061.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0061.742] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{8ew5f6}.ebal") returned 58 [0061.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\watermark.bmp_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp_r00t_{8ew5f6}.ebal")) returned 1 [0061.743] GetProcessHeap () returned 0x3a00000 [0061.743] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0061.743] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0061.743] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Windows") returned 1 [0061.743] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0061.743] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0061.743] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files") returned 1 [0061.743] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0061.743] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 59 [0061.743] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x64.msu", lpSrch=".ebal") returned 0x0 [0061.743] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0061.743] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="taridd") returned 1 [0061.743] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0061.743] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0061.744] GetTickCount () returned 0x114fdd9 [0061.744] GetTickCount () returned 0x114fdd9 [0061.744] GetTickCount () returned 0x114fdd9 [0061.744] GetTickCount () returned 0x114fdd9 [0061.744] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0061.744] GetProcessHeap () returned 0x3a00000 [0061.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0061.744] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.746] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0061.746] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0061.747] GetProcessHeap () returned 0x3a00000 [0061.747] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0061.747] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.747] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0061.748] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0061.748] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0061.748] CloseHandle (hObject=0x42c) returned 1 [0062.035] GetProcessHeap () returned 0x3a00000 [0062.038] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.040] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{8ew5f6}.ebal") returned 78 [0062.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu_r00t_{8ew5f6}.ebal")) returned 1 [0062.041] GetProcessHeap () returned 0x3a00000 [0062.041] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.041] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0062.041] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Windows") returned 1 [0062.041] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0062.041] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0062.041] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files") returned 1 [0062.041] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0062.041] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 59 [0062.041] StrStrIW (lpFirst="Windows6.0-KB956250-v6001-x86.msu", lpSrch=".ebal") returned 0x0 [0062.041] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.042] lstrcmpW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="taridd") returned 1 [0062.042] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.042] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.042] GetTickCount () returned 0x114ff02 [0062.042] GetTickCount () returned 0x114ff02 [0062.042] GetTickCount () returned 0x114ff02 [0062.042] GetTickCount () returned 0x114ff02 [0062.042] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.042] GetProcessHeap () returned 0x3a00000 [0062.042] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.042] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.045] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.045] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.046] GetProcessHeap () returned 0x3a00000 [0062.046] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.046] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.046] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.049] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.049] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.049] CloseHandle (hObject=0x42c) returned 1 [0062.143] GetProcessHeap () returned 0x3a00000 [0062.143] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.143] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{8ew5f6}.ebal") returned 78 [0062.144] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu_r00t_{8ew5f6}.ebal")) returned 1 [0062.144] GetProcessHeap () returned 0x3a00000 [0062.144] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.144] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0062.144] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Windows") returned 1 [0062.144] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$Recycle.bin") returned 1 [0062.144] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="System Volume Information") returned 1 [0062.144] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files") returned 1 [0062.144] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="Program Files (x86)") returned 1 [0062.144] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 59 [0062.145] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x64.msu", lpSrch=".ebal") returned 0x0 [0062.145] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.145] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="taridd") returned 1 [0062.145] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.145] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.145] GetTickCount () returned 0x114ff60 [0062.145] GetTickCount () returned 0x114ff60 [0062.145] GetTickCount () returned 0x114ff60 [0062.145] GetTickCount () returned 0x114ff60 [0062.145] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.145] GetProcessHeap () returned 0x3a00000 [0062.145] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.145] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.155] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.155] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.155] GetProcessHeap () returned 0x3a00000 [0062.155] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.155] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.155] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.157] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.157] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.157] CloseHandle (hObject=0x42c) returned 1 [0062.349] GetProcessHeap () returned 0x3a00000 [0062.349] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.349] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{8ew5f6}.ebal") returned 78 [0062.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu_r00t_{8ew5f6}.ebal")) returned 1 [0062.349] GetProcessHeap () returned 0x3a00000 [0062.349] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.349] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0062.349] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Windows") returned 1 [0062.349] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$Recycle.bin") returned 1 [0062.350] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="System Volume Information") returned 1 [0062.350] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files") returned 1 [0062.350] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="Program Files (x86)") returned 1 [0062.350] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 59 [0062.350] StrStrIW (lpFirst="Windows6.1-KB958488-v6001-x86.msu", lpSrch=".ebal") returned 0x0 [0062.350] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.350] lstrcmpW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="taridd") returned 1 [0062.350] StrCmpNW (lpStr1="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.350] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.350] GetTickCount () returned 0x115002b [0062.350] GetTickCount () returned 0x115002b [0062.350] GetTickCount () returned 0x115002b [0062.350] GetTickCount () returned 0x115002b [0062.350] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.350] GetProcessHeap () returned 0x3a00000 [0062.350] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.350] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.353] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.353] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.353] GetProcessHeap () returned 0x3a00000 [0062.353] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.353] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.353] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.356] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.356] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.356] CloseHandle (hObject=0x42c) returned 1 [0062.434] GetProcessHeap () returned 0x3a00000 [0062.434] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.434] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{8ew5f6}.ebal") returned 78 [0062.434] MoveFileW (lpExistingFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="\\\\?\\C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu_r00t_{8ew5f6}.ebal" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu_r00t_{8ew5f6}.ebal")) returned 1 [0062.435] GetProcessHeap () returned 0x3a00000 [0062.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.435] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0062.435] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0062.435] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0062.435] CreateFileW (lpFileName="\\\\?\\C:\\588bce7c90097ed212\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\588bce7c90097ed212\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0062.436] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0062.437] CloseHandle (hObject=0x428) returned 1 [0062.437] GetProcessHeap () returned 0x3a00000 [0062.437] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0062.437] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0062.437] lstrcmpiW (lpString1="Boot", lpString2="Windows") returned -1 [0062.438] lstrcmpiW (lpString1="Boot", lpString2="$Recycle.bin") returned 1 [0062.438] lstrcmpiW (lpString1="Boot", lpString2="System Volume Information") returned -1 [0062.438] lstrcmpiW (lpString1="Boot", lpString2="Program Files") returned -1 [0062.438] lstrcmpiW (lpString1="Boot", lpString2="Program Files (x86)") returned -1 [0062.438] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot") returned 11 [0062.438] lstrcmpW (lpString1="Boot", lpString2=".") returned 1 [0062.438] lstrcmpW (lpString1="Boot", lpString2="..") returned 1 [0062.438] lstrcmpW (lpString1="\\\\?\\C:\\Boot", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.438] GetProcessHeap () returned 0x3a00000 [0062.438] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0062.438] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\*") returned 13 [0062.438] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0062.439] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.439] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.439] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.439] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.439] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.439] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\.") returned 13 [0062.439] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.439] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0062.439] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0062.439] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0062.439] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.439] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\." (normalized: "c:\\boot\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.439] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.440] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.440] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.440] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.440] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.440] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.440] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\..") returned 14 [0062.440] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.440] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.440] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0062.440] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0062.440] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0062.441] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.441] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.441] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xac3efa99, ftLastAccessTime.dwHighDateTime=0x1d4d5d3, ftLastWriteTime.dwLowDateTime=0xac3efa99, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD", cAlternateFileName="")) returned 1 [0062.441] lstrcmpiW (lpString1="BCD", lpString2="Windows") returned -1 [0062.441] lstrcmpiW (lpString1="BCD", lpString2="$Recycle.bin") returned 1 [0062.441] lstrcmpiW (lpString1="BCD", lpString2="System Volume Information") returned -1 [0062.441] lstrcmpiW (lpString1="BCD", lpString2="Program Files") returned -1 [0062.441] lstrcmpiW (lpString1="BCD", lpString2="Program Files (x86)") returned -1 [0062.441] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD") returned 15 [0062.441] StrStrIW (lpFirst="BCD", lpSrch=".ebal") returned 0x0 [0062.441] lstrcmpW (lpString1="BCD", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.441] lstrcmpW (lpString1="BCD", lpString2="taridd") returned -1 [0062.441] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.441] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.441] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0062.441] lstrcmpiW (lpString1="BCD.LOG", lpString2="Windows") returned -1 [0062.441] lstrcmpiW (lpString1="BCD.LOG", lpString2="$Recycle.bin") returned 1 [0062.441] lstrcmpiW (lpString1="BCD.LOG", lpString2="System Volume Information") returned -1 [0062.441] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files") returned -1 [0062.441] lstrcmpiW (lpString1="BCD.LOG", lpString2="Program Files (x86)") returned -1 [0062.441] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG") returned 19 [0062.441] StrStrIW (lpFirst="BCD.LOG", lpSrch=".ebal") returned 0x0 [0062.441] lstrcmpW (lpString1="BCD.LOG", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.442] lstrcmpW (lpString1="BCD.LOG", lpString2="taridd") returned -1 [0062.442] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.442] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.442] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0062.442] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Windows") returned -1 [0062.442] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$Recycle.bin") returned 1 [0062.442] lstrcmpiW (lpString1="BCD.LOG1", lpString2="System Volume Information") returned -1 [0062.442] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files") returned -1 [0062.442] lstrcmpiW (lpString1="BCD.LOG1", lpString2="Program Files (x86)") returned -1 [0062.442] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1") returned 20 [0062.442] StrStrIW (lpFirst="BCD.LOG1", lpSrch=".ebal") returned 0x0 [0062.442] lstrcmpW (lpString1="BCD.LOG1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.442] lstrcmpW (lpString1="BCD.LOG1", lpString2="taridd") returned -1 [0062.442] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.442] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.442] GetTickCount () returned 0x1150089 [0062.442] GetTickCount () returned 0x1150089 [0062.442] GetTickCount () returned 0x1150089 [0062.442] GetTickCount () returned 0x1150089 [0062.442] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.443] GetProcessHeap () returned 0x3a00000 [0062.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.443] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x0, lpOverlapped=0x0) returned 1 [0062.443] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x0, lpOverlapped=0x0) returned 1 [0062.443] GetProcessHeap () returned 0x3a00000 [0062.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.443] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.443] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.444] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.444] CloseHandle (hObject=0x42c) returned 1 [0062.449] GetProcessHeap () returned 0x3a00000 [0062.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.449] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{8ew5f6}.ebal") returned 39 [0062.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG1_r00t_{8ew5f6}.ebal" (normalized: "c:\\boot\\bcd.log1_r00t_{8ew5f6}.ebal")) returned 1 [0062.450] GetProcessHeap () returned 0x3a00000 [0062.450] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.450] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0062.450] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Windows") returned -1 [0062.450] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$Recycle.bin") returned 1 [0062.450] lstrcmpiW (lpString1="BCD.LOG2", lpString2="System Volume Information") returned -1 [0062.450] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files") returned -1 [0062.450] lstrcmpiW (lpString1="BCD.LOG2", lpString2="Program Files (x86)") returned -1 [0062.450] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2") returned 20 [0062.450] StrStrIW (lpFirst="BCD.LOG2", lpSrch=".ebal") returned 0x0 [0062.450] lstrcmpW (lpString1="BCD.LOG2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.450] lstrcmpW (lpString1="BCD.LOG2", lpString2="taridd") returned -1 [0062.450] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BCD.LOG2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.450] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.450] GetTickCount () returned 0x1150099 [0062.450] GetTickCount () returned 0x1150099 [0062.450] GetTickCount () returned 0x1150099 [0062.450] GetTickCount () returned 0x1150099 [0062.450] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.450] GetProcessHeap () returned 0x3a00000 [0062.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.450] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x0, lpOverlapped=0x0) returned 1 [0062.450] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.451] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x0, lpOverlapped=0x0) returned 1 [0062.451] GetProcessHeap () returned 0x3a00000 [0062.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.451] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.451] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.452] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.452] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.452] CloseHandle (hObject=0x42c) returned 1 [0062.452] GetProcessHeap () returned 0x3a00000 [0062.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.452] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{8ew5f6}.ebal") returned 39 [0062.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="\\\\?\\C:\\Boot\\BCD.LOG2_r00t_{8ew5f6}.ebal" (normalized: "c:\\boot\\bcd.log2_r00t_{8ew5f6}.ebal")) returned 1 [0062.453] GetProcessHeap () returned 0x3a00000 [0062.453] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.453] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0062.453] lstrcmpiW (lpString1="bg-BG", lpString2="Windows") returned -1 [0062.453] lstrcmpiW (lpString1="bg-BG", lpString2="$Recycle.bin") returned 1 [0062.453] lstrcmpiW (lpString1="bg-BG", lpString2="System Volume Information") returned -1 [0062.453] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files") returned -1 [0062.453] lstrcmpiW (lpString1="bg-BG", lpString2="Program Files (x86)") returned -1 [0062.453] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG") returned 17 [0062.453] lstrcmpW (lpString1="bg-BG", lpString2=".") returned 1 [0062.453] lstrcmpW (lpString1="bg-BG", lpString2="..") returned 1 [0062.453] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\bg-BG", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.453] GetProcessHeap () returned 0x3a00000 [0062.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.453] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\*") returned 19 [0062.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\bg-BG\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0062.453] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.453] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.454] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.454] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\.") returned 19 [0062.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.454] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.454] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.454] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.454] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.454] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.454] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\..") returned 20 [0062.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.454] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.454] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.454] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 33 [0062.454] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.454] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.454] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.454] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.455] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.455] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0062.455] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.455] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bg-BG\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\bg-bg\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.456] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.456] CloseHandle (hObject=0x42c) returned 1 [0062.457] GetProcessHeap () returned 0x3a00000 [0062.457] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.457] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0062.457] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Windows") returned -1 [0062.457] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$Recycle.bin") returned 1 [0062.457] lstrcmpiW (lpString1="bootspaces.dll", lpString2="System Volume Information") returned -1 [0062.457] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files") returned -1 [0062.457] lstrcmpiW (lpString1="bootspaces.dll", lpString2="Program Files (x86)") returned -1 [0062.457] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootspaces.dll") returned 26 [0062.457] StrStrIW (lpFirst="bootspaces.dll", lpSrch=".ebal") returned 0x0 [0062.457] lstrcmpW (lpString1="bootspaces.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.457] lstrcmpW (lpString1="bootspaces.dll", lpString2="taridd") returned -1 [0062.457] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootspaces.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.457] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.458] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0062.458] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Windows") returned -1 [0062.458] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$Recycle.bin") returned 1 [0062.458] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="System Volume Information") returned -1 [0062.458] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files") returned -1 [0062.458] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="Program Files (x86)") returned -1 [0062.459] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT") returned 24 [0062.459] StrStrIW (lpFirst="BOOTSTAT.DAT", lpSrch=".ebal") returned 0x0 [0062.459] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.459] lstrcmpW (lpString1="BOOTSTAT.DAT", lpString2="taridd") returned -1 [0062.459] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\BOOTSTAT.DAT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.459] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.460] GetTickCount () returned 0x1150099 [0062.460] GetTickCount () returned 0x1150099 [0062.460] GetTickCount () returned 0x1150099 [0062.460] GetTickCount () returned 0x1150099 [0062.460] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0062.460] GetProcessHeap () returned 0x3a00000 [0062.460] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0062.460] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.462] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0062.462] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0062.462] GetProcessHeap () returned 0x3a00000 [0062.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0062.462] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.462] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0062.463] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0062.463] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0062.463] CloseHandle (hObject=0x42c) returned 1 [0062.465] GetProcessHeap () returned 0x3a00000 [0062.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.465] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{8ew5f6}.ebal") returned 43 [0062.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="\\\\?\\C:\\Boot\\BOOTSTAT.DAT_r00t_{8ew5f6}.ebal" (normalized: "c:\\boot\\bootstat.dat_r00t_{8ew5f6}.ebal")) returned 1 [0062.465] GetProcessHeap () returned 0x3a00000 [0062.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.465] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0062.465] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Windows") returned -1 [0062.465] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$Recycle.bin") returned 1 [0062.465] lstrcmpiW (lpString1="bootvhd.dll", lpString2="System Volume Information") returned -1 [0062.465] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files") returned -1 [0062.465] lstrcmpiW (lpString1="bootvhd.dll", lpString2="Program Files (x86)") returned -1 [0062.465] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\bootvhd.dll") returned 23 [0062.465] StrStrIW (lpFirst="bootvhd.dll", lpSrch=".ebal") returned 0x0 [0062.465] lstrcmpW (lpString1="bootvhd.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.465] lstrcmpW (lpString1="bootvhd.dll", lpString2="taridd") returned -1 [0062.465] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\bootvhd.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.465] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.508] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0062.508] lstrcmpiW (lpString1="cs-CZ", lpString2="Windows") returned -1 [0062.508] lstrcmpiW (lpString1="cs-CZ", lpString2="$Recycle.bin") returned 1 [0062.508] lstrcmpiW (lpString1="cs-CZ", lpString2="System Volume Information") returned -1 [0062.508] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files") returned -1 [0062.508] lstrcmpiW (lpString1="cs-CZ", lpString2="Program Files (x86)") returned -1 [0062.508] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ") returned 17 [0062.508] lstrcmpW (lpString1="cs-CZ", lpString2=".") returned 1 [0062.508] lstrcmpW (lpString1="cs-CZ", lpString2="..") returned 1 [0062.508] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\cs-CZ", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.508] GetProcessHeap () returned 0x3a00000 [0062.508] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.508] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\*") returned 19 [0062.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0062.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.508] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.508] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\.") returned 19 [0062.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.509] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.509] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\..") returned 20 [0062.509] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.509] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.509] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.509] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.509] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.509] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.509] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.509] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.509] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 33 [0062.509] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.509] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.509] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.509] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.509] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.509] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.509] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.509] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.509] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.509] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.509] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.509] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 33 [0062.509] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.509] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.510] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.510] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.510] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.510] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.510] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0062.510] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.510] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\cs-CZ\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\cs-cz\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.526] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.527] CloseHandle (hObject=0x42c) returned 1 [0062.527] GetProcessHeap () returned 0x3a00000 [0062.527] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.527] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0062.527] lstrcmpiW (lpString1="da-DK", lpString2="Windows") returned -1 [0062.527] lstrcmpiW (lpString1="da-DK", lpString2="$Recycle.bin") returned 1 [0062.527] lstrcmpiW (lpString1="da-DK", lpString2="System Volume Information") returned -1 [0062.527] lstrcmpiW (lpString1="da-DK", lpString2="Program Files") returned -1 [0062.527] lstrcmpiW (lpString1="da-DK", lpString2="Program Files (x86)") returned -1 [0062.527] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK") returned 17 [0062.527] lstrcmpW (lpString1="da-DK", lpString2=".") returned 1 [0062.527] lstrcmpW (lpString1="da-DK", lpString2="..") returned 1 [0062.527] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\da-DK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.527] GetProcessHeap () returned 0x3a00000 [0062.527] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.527] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\*") returned 19 [0062.527] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\da-DK\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0062.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.570] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\.") returned 19 [0062.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.570] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.571] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\..") returned 20 [0062.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.571] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.571] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.571] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 33 [0062.571] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.571] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.571] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.571] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.571] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.571] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.571] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.571] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.571] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.571] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.571] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.571] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui") returned 33 [0062.571] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.571] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.572] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.572] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.572] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.572] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.572] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0062.572] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.572] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\da-DK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\da-dk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.574] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.575] CloseHandle (hObject=0x42c) returned 1 [0062.575] GetProcessHeap () returned 0x3a00000 [0062.575] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.575] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0062.575] lstrcmpiW (lpString1="de-DE", lpString2="Windows") returned -1 [0062.575] lstrcmpiW (lpString1="de-DE", lpString2="$Recycle.bin") returned 1 [0062.575] lstrcmpiW (lpString1="de-DE", lpString2="System Volume Information") returned -1 [0062.575] lstrcmpiW (lpString1="de-DE", lpString2="Program Files") returned -1 [0062.575] lstrcmpiW (lpString1="de-DE", lpString2="Program Files (x86)") returned -1 [0062.575] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE") returned 17 [0062.575] lstrcmpW (lpString1="de-DE", lpString2=".") returned 1 [0062.575] lstrcmpW (lpString1="de-DE", lpString2="..") returned 1 [0062.575] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\de-DE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.575] GetProcessHeap () returned 0x3a00000 [0062.575] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.575] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\*") returned 19 [0062.575] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\de-DE\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0062.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.576] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.576] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.576] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\.") returned 19 [0062.576] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.576] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.576] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.576] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.576] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.576] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.576] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.576] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\..") returned 20 [0062.576] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.576] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.576] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.576] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.576] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 33 [0062.576] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.576] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.576] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.577] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.577] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.577] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.577] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui") returned 33 [0062.577] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.577] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.577] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.577] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.577] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.578] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.578] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0062.578] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.578] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\de-DE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\de-de\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.580] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.581] CloseHandle (hObject=0x42c) returned 1 [0062.581] GetProcessHeap () returned 0x3a00000 [0062.581] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.581] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0062.581] lstrcmpiW (lpString1="el-GR", lpString2="Windows") returned -1 [0062.581] lstrcmpiW (lpString1="el-GR", lpString2="$Recycle.bin") returned 1 [0062.581] lstrcmpiW (lpString1="el-GR", lpString2="System Volume Information") returned -1 [0062.581] lstrcmpiW (lpString1="el-GR", lpString2="Program Files") returned -1 [0062.581] lstrcmpiW (lpString1="el-GR", lpString2="Program Files (x86)") returned -1 [0062.581] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR") returned 17 [0062.581] lstrcmpW (lpString1="el-GR", lpString2=".") returned 1 [0062.581] lstrcmpW (lpString1="el-GR", lpString2="..") returned 1 [0062.581] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\el-GR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.581] GetProcessHeap () returned 0x3a00000 [0062.581] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.581] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\*") returned 19 [0062.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\el-GR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0062.581] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.581] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.581] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.581] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.582] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\.") returned 19 [0062.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.582] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.582] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.582] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.582] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.582] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.582] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.582] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\..") returned 20 [0062.582] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.582] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.582] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.582] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.582] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 33 [0062.582] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.582] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.582] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.582] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.582] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.582] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.582] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.582] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.582] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.582] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.582] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.582] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui") returned 33 [0062.583] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.583] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.583] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.583] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.583] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.583] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.583] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0062.583] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.583] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\el-GR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\el-gr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.585] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.586] CloseHandle (hObject=0x42c) returned 1 [0062.586] GetProcessHeap () returned 0x3a00000 [0062.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.586] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0062.586] lstrcmpiW (lpString1="en-GB", lpString2="Windows") returned -1 [0062.586] lstrcmpiW (lpString1="en-GB", lpString2="$Recycle.bin") returned 1 [0062.586] lstrcmpiW (lpString1="en-GB", lpString2="System Volume Information") returned -1 [0062.586] lstrcmpiW (lpString1="en-GB", lpString2="Program Files") returned -1 [0062.587] lstrcmpiW (lpString1="en-GB", lpString2="Program Files (x86)") returned -1 [0062.587] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB") returned 17 [0062.587] lstrcmpW (lpString1="en-GB", lpString2=".") returned 1 [0062.587] lstrcmpW (lpString1="en-GB", lpString2="..") returned 1 [0062.587] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-GB", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.587] GetProcessHeap () returned 0x3a00000 [0062.587] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.587] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\*") returned 19 [0062.587] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-GB\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0062.587] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.587] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.587] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.587] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.587] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.587] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\.") returned 19 [0062.587] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.587] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.587] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.587] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.587] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.587] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.587] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.587] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\..") returned 20 [0062.587] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.587] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.587] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.587] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.588] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.588] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.588] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.588] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.588] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 33 [0062.588] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.588] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.588] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.588] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.588] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.588] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0062.588] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.588] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-GB\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-gb\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.588] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.589] CloseHandle (hObject=0x42c) returned 1 [0062.589] GetProcessHeap () returned 0x3a00000 [0062.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.589] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0062.589] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0062.589] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0062.589] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0062.589] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0062.590] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0062.590] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US") returned 17 [0062.590] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0062.590] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0062.590] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.590] GetProcessHeap () returned 0x3a00000 [0062.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.590] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\*") returned 19 [0062.590] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\en-US\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0062.590] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.590] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.590] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.590] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.590] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.590] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\.") returned 19 [0062.590] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.590] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.590] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.590] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.590] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.590] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.590] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.590] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\..") returned 20 [0062.590] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.590] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.590] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.591] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.591] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.591] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.591] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.591] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.591] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui") returned 33 [0062.591] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.591] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.591] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.591] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.591] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.591] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.592] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.592] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.592] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.592] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.592] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.592] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui") returned 33 [0062.592] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.592] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.592] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.592] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.592] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.592] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.592] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0062.592] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.592] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.594] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.595] CloseHandle (hObject=0x42c) returned 1 [0062.596] GetProcessHeap () returned 0x3a00000 [0062.596] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.596] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0062.596] lstrcmpiW (lpString1="es-ES", lpString2="Windows") returned -1 [0062.596] lstrcmpiW (lpString1="es-ES", lpString2="$Recycle.bin") returned 1 [0062.596] lstrcmpiW (lpString1="es-ES", lpString2="System Volume Information") returned -1 [0062.596] lstrcmpiW (lpString1="es-ES", lpString2="Program Files") returned -1 [0062.596] lstrcmpiW (lpString1="es-ES", lpString2="Program Files (x86)") returned -1 [0062.596] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES") returned 17 [0062.596] lstrcmpW (lpString1="es-ES", lpString2=".") returned 1 [0062.596] lstrcmpW (lpString1="es-ES", lpString2="..") returned 1 [0062.596] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-ES", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.596] GetProcessHeap () returned 0x3a00000 [0062.596] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.596] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\*") returned 19 [0062.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-ES\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0062.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.596] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\.") returned 19 [0062.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.596] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.597] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\..") returned 20 [0062.597] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.597] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.597] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.597] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.597] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.597] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.597] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.597] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.597] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 33 [0062.597] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.597] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.597] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.597] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.597] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.597] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.597] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.597] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.597] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.597] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.597] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.597] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui") returned 33 [0062.597] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.597] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.597] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.597] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.597] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.599] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.599] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0062.599] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.599] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-ES\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-es\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.603] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.604] CloseHandle (hObject=0x42c) returned 1 [0062.604] GetProcessHeap () returned 0x3a00000 [0062.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.604] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0062.604] lstrcmpiW (lpString1="es-MX", lpString2="Windows") returned -1 [0062.604] lstrcmpiW (lpString1="es-MX", lpString2="$Recycle.bin") returned 1 [0062.604] lstrcmpiW (lpString1="es-MX", lpString2="System Volume Information") returned -1 [0062.604] lstrcmpiW (lpString1="es-MX", lpString2="Program Files") returned -1 [0062.604] lstrcmpiW (lpString1="es-MX", lpString2="Program Files (x86)") returned -1 [0062.604] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX") returned 17 [0062.604] lstrcmpW (lpString1="es-MX", lpString2=".") returned 1 [0062.604] lstrcmpW (lpString1="es-MX", lpString2="..") returned 1 [0062.604] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\es-MX", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.604] GetProcessHeap () returned 0x3a00000 [0062.604] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.604] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\*") returned 19 [0062.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\es-MX\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0062.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.605] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\.") returned 19 [0062.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.605] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.605] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\..") returned 20 [0062.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.605] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.605] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 33 [0062.605] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.605] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.605] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.605] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.605] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.606] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.606] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0062.606] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.606] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\es-MX\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\es-mx\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.606] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.607] CloseHandle (hObject=0x42c) returned 1 [0062.607] GetProcessHeap () returned 0x3a00000 [0062.607] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.607] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0062.607] lstrcmpiW (lpString1="et-EE", lpString2="Windows") returned -1 [0062.607] lstrcmpiW (lpString1="et-EE", lpString2="$Recycle.bin") returned 1 [0062.607] lstrcmpiW (lpString1="et-EE", lpString2="System Volume Information") returned -1 [0062.607] lstrcmpiW (lpString1="et-EE", lpString2="Program Files") returned -1 [0062.607] lstrcmpiW (lpString1="et-EE", lpString2="Program Files (x86)") returned -1 [0062.607] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE") returned 17 [0062.607] lstrcmpW (lpString1="et-EE", lpString2=".") returned 1 [0062.607] lstrcmpW (lpString1="et-EE", lpString2="..") returned 1 [0062.607] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\et-EE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.607] GetProcessHeap () returned 0x3a00000 [0062.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.607] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\*") returned 19 [0062.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\et-EE\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0062.608] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.608] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.608] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.608] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.608] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\.") returned 19 [0062.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.608] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.608] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\..") returned 20 [0062.608] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.608] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.608] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.608] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.608] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.608] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.608] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.608] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 33 [0062.608] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.608] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.608] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.608] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.608] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.681] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.681] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0062.681] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.681] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\et-EE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\et-ee\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.682] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.683] CloseHandle (hObject=0x42c) returned 1 [0062.683] GetProcessHeap () returned 0x3a00000 [0062.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.683] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0062.683] lstrcmpiW (lpString1="fi-FI", lpString2="Windows") returned -1 [0062.683] lstrcmpiW (lpString1="fi-FI", lpString2="$Recycle.bin") returned 1 [0062.683] lstrcmpiW (lpString1="fi-FI", lpString2="System Volume Information") returned -1 [0062.683] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files") returned -1 [0062.683] lstrcmpiW (lpString1="fi-FI", lpString2="Program Files (x86)") returned -1 [0062.683] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI") returned 17 [0062.683] lstrcmpW (lpString1="fi-FI", lpString2=".") returned 1 [0062.683] lstrcmpW (lpString1="fi-FI", lpString2="..") returned 1 [0062.683] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fi-FI", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.683] GetProcessHeap () returned 0x3a00000 [0062.683] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.683] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\*") returned 19 [0062.683] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fi-FI\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0062.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.684] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.684] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.684] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\.") returned 19 [0062.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.684] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.684] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\..") returned 20 [0062.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.684] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.684] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.684] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.684] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.684] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.684] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.684] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 33 [0062.684] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.684] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.684] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.684] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.685] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.685] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.685] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.685] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.685] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.685] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.685] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.685] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui") returned 33 [0062.685] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.685] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.685] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.685] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.685] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.685] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.685] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0062.685] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.685] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fi-FI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fi-fi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.687] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.688] CloseHandle (hObject=0x42c) returned 1 [0062.688] GetProcessHeap () returned 0x3a00000 [0062.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.688] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0062.688] lstrcmpiW (lpString1="Fonts", lpString2="Windows") returned -1 [0062.688] lstrcmpiW (lpString1="Fonts", lpString2="$Recycle.bin") returned 1 [0062.688] lstrcmpiW (lpString1="Fonts", lpString2="System Volume Information") returned -1 [0062.689] lstrcmpiW (lpString1="Fonts", lpString2="Program Files") returned -1 [0062.689] lstrcmpiW (lpString1="Fonts", lpString2="Program Files (x86)") returned -1 [0062.689] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts") returned 17 [0062.689] lstrcmpW (lpString1="Fonts", lpString2=".") returned 1 [0062.689] lstrcmpW (lpString1="Fonts", lpString2="..") returned 1 [0062.689] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Fonts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.689] GetProcessHeap () returned 0x3a00000 [0062.689] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.689] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\*") returned 19 [0062.689] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Fonts\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0062.691] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.691] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.691] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.691] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.691] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.691] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\.") returned 19 [0062.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.691] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.691] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\..") returned 20 [0062.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.692] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0062.692] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Windows") returned -1 [0062.692] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.692] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="System Volume Information") returned -1 [0062.692] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files") returned -1 [0062.692] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.692] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf") returned 30 [0062.692] StrStrIW (lpFirst="chs_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.692] lstrcmpW (lpString1="chs_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.692] lstrcmpW (lpString1="chs_boot.ttf", lpString2="taridd") returned -1 [0062.692] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.692] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.692] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0062.693] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Windows") returned -1 [0062.693] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.693] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="System Volume Information") returned -1 [0062.693] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files") returned -1 [0062.693] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.693] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf") returned 30 [0062.693] StrStrIW (lpFirst="cht_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.693] lstrcmpW (lpString1="cht_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.693] lstrcmpW (lpString1="cht_boot.ttf", lpString2="taridd") returned -1 [0062.693] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.693] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.694] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0062.694] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Windows") returned -1 [0062.694] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.694] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="System Volume Information") returned -1 [0062.694] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files") returned -1 [0062.694] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.694] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf") returned 30 [0062.694] StrStrIW (lpFirst="jpn_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.694] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.694] lstrcmpW (lpString1="jpn_boot.ttf", lpString2="taridd") returned -1 [0062.694] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.695] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.697] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0062.697] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Windows") returned -1 [0062.697] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.697] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="System Volume Information") returned -1 [0062.697] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files") returned -1 [0062.697] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.697] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf") returned 30 [0062.697] StrStrIW (lpFirst="kor_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.697] lstrcmpW (lpString1="kor_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.697] lstrcmpW (lpString1="kor_boot.ttf", lpString2="taridd") returned -1 [0062.697] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.697] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.698] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0062.698] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Windows") returned -1 [0062.698] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.698] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="System Volume Information") returned -1 [0062.699] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files") returned -1 [0062.699] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.699] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 34 [0062.699] StrStrIW (lpFirst="malgunn_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.699] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.699] lstrcmpW (lpString1="malgunn_boot.ttf", lpString2="taridd") returned -1 [0062.699] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.699] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.700] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0062.700] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Windows") returned -1 [0062.700] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.700] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="System Volume Information") returned -1 [0062.700] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files") returned -1 [0062.700] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.700] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf") returned 33 [0062.700] StrStrIW (lpFirst="malgun_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.700] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.700] lstrcmpW (lpString1="malgun_boot.ttf", lpString2="taridd") returned -1 [0062.700] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.700] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.702] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0062.702] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Windows") returned -1 [0062.702] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.702] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="System Volume Information") returned -1 [0062.702] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files") returned -1 [0062.702] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.702] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf") returned 34 [0062.702] StrStrIW (lpFirst="meiryon_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.702] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.702] lstrcmpW (lpString1="meiryon_boot.ttf", lpString2="taridd") returned -1 [0062.702] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.702] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.704] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0062.704] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Windows") returned -1 [0062.704] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.704] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="System Volume Information") returned -1 [0062.704] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files") returned -1 [0062.704] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.704] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf") returned 33 [0062.704] StrStrIW (lpFirst="meiryo_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.704] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.704] lstrcmpW (lpString1="meiryo_boot.ttf", lpString2="taridd") returned -1 [0062.704] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.704] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.706] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0062.706] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Windows") returned -1 [0062.706] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.706] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="System Volume Information") returned -1 [0062.706] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files") returned -1 [0062.706] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.706] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf") returned 32 [0062.706] StrStrIW (lpFirst="msjhn_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.706] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.706] lstrcmpW (lpString1="msjhn_boot.ttf", lpString2="taridd") returned -1 [0062.706] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.706] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.706] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0062.706] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Windows") returned -1 [0062.706] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.706] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="System Volume Information") returned -1 [0062.706] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files") returned -1 [0062.706] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.706] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf") returned 31 [0062.706] StrStrIW (lpFirst="msjh_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.707] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.707] lstrcmpW (lpString1="msjh_boot.ttf", lpString2="taridd") returned -1 [0062.707] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.707] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.707] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0062.707] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Windows") returned -1 [0062.707] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.707] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="System Volume Information") returned -1 [0062.707] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files") returned -1 [0062.707] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.707] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 32 [0062.707] StrStrIW (lpFirst="msyhn_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.707] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.707] lstrcmpW (lpString1="msyhn_boot.ttf", lpString2="taridd") returned -1 [0062.707] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.708] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.708] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0062.708] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Windows") returned -1 [0062.708] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.708] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="System Volume Information") returned -1 [0062.708] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files") returned -1 [0062.708] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="Program Files (x86)") returned -1 [0062.708] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf") returned 31 [0062.708] StrStrIW (lpFirst="msyh_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.708] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.708] lstrcmpW (lpString1="msyh_boot.ttf", lpString2="taridd") returned -1 [0062.708] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.708] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.708] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0062.708] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Windows") returned -1 [0062.708] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.708] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="System Volume Information") returned -1 [0062.708] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files") returned 1 [0062.708] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="Program Files (x86)") returned 1 [0062.708] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf") returned 34 [0062.708] StrStrIW (lpFirst="segmono_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.708] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.708] lstrcmpW (lpString1="segmono_boot.ttf", lpString2="taridd") returned -1 [0062.708] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.708] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.709] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0062.709] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Windows") returned -1 [0062.709] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0062.709] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="System Volume Information") returned -1 [0062.709] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files") returned 1 [0062.709] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0062.709] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 35 [0062.709] StrStrIW (lpFirst="segoen_slboot.ttf", lpSrch=".ebal") returned 0x0 [0062.709] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.709] lstrcmpW (lpString1="segoen_slboot.ttf", lpString2="taridd") returned -1 [0062.709] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.709] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.709] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0062.709] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Windows") returned -1 [0062.710] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$Recycle.bin") returned 1 [0062.710] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="System Volume Information") returned -1 [0062.710] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files") returned 1 [0062.710] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="Program Files (x86)") returned 1 [0062.710] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 34 [0062.710] StrStrIW (lpFirst="segoe_slboot.ttf", lpSrch=".ebal") returned 0x0 [0062.710] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.710] lstrcmpW (lpString1="segoe_slboot.ttf", lpString2="taridd") returned -1 [0062.710] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.710] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.710] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0062.710] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Windows") returned -1 [0062.710] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$Recycle.bin") returned 1 [0062.710] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="System Volume Information") returned 1 [0062.710] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files") returned 1 [0062.710] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="Program Files (x86)") returned 1 [0062.710] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 31 [0062.710] StrStrIW (lpFirst="wgl4_boot.ttf", lpSrch=".ebal") returned 0x0 [0062.710] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.710] lstrcmpW (lpString1="wgl4_boot.ttf", lpString2="taridd") returned 1 [0062.710] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.710] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.710] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0062.710] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0062.711] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.711] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Fonts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fonts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.723] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.724] CloseHandle (hObject=0x42c) returned 1 [0062.724] GetProcessHeap () returned 0x3a00000 [0062.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.724] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0062.724] lstrcmpiW (lpString1="fr-CA", lpString2="Windows") returned -1 [0062.724] lstrcmpiW (lpString1="fr-CA", lpString2="$Recycle.bin") returned 1 [0062.724] lstrcmpiW (lpString1="fr-CA", lpString2="System Volume Information") returned -1 [0062.724] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files") returned -1 [0062.724] lstrcmpiW (lpString1="fr-CA", lpString2="Program Files (x86)") returned -1 [0062.724] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA") returned 17 [0062.724] lstrcmpW (lpString1="fr-CA", lpString2=".") returned 1 [0062.724] lstrcmpW (lpString1="fr-CA", lpString2="..") returned 1 [0062.724] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-CA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.724] GetProcessHeap () returned 0x3a00000 [0062.724] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.724] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\*") returned 19 [0062.724] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-CA\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0062.772] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.772] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.772] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.772] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.772] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.772] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\.") returned 19 [0062.772] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.772] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.773] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\..") returned 20 [0062.773] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.773] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.773] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.773] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.773] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.773] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.773] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.773] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui") returned 33 [0062.773] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.773] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.773] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.773] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.773] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.773] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.773] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0062.773] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.773] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-CA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-ca\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.774] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.775] CloseHandle (hObject=0x42c) returned 1 [0062.775] GetProcessHeap () returned 0x3a00000 [0062.775] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0062.775] lstrcmpiW (lpString1="fr-FR", lpString2="Windows") returned -1 [0062.775] lstrcmpiW (lpString1="fr-FR", lpString2="$Recycle.bin") returned 1 [0062.775] lstrcmpiW (lpString1="fr-FR", lpString2="System Volume Information") returned -1 [0062.775] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files") returned -1 [0062.775] lstrcmpiW (lpString1="fr-FR", lpString2="Program Files (x86)") returned -1 [0062.775] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR") returned 17 [0062.775] lstrcmpW (lpString1="fr-FR", lpString2=".") returned 1 [0062.775] lstrcmpW (lpString1="fr-FR", lpString2="..") returned 1 [0062.775] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\fr-FR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.775] GetProcessHeap () returned 0x3a00000 [0062.775] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.775] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\*") returned 19 [0062.775] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\fr-FR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0062.776] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.776] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.776] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.776] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.776] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.776] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\.") returned 19 [0062.776] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.776] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.776] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.776] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.776] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.776] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.776] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.776] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\..") returned 20 [0062.776] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.776] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.776] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.776] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.776] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.776] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.776] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.776] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.776] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned 33 [0062.776] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.776] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.776] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.776] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.777] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.777] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.777] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.777] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.777] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.777] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.777] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.777] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui") returned 33 [0062.777] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.777] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.777] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.777] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.777] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.778] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.778] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0062.778] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.778] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\fr-FR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\fr-fr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.779] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.780] CloseHandle (hObject=0x42c) returned 1 [0062.781] GetProcessHeap () returned 0x3a00000 [0062.781] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.781] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0062.781] lstrcmpiW (lpString1="hr-HR", lpString2="Windows") returned -1 [0062.781] lstrcmpiW (lpString1="hr-HR", lpString2="$Recycle.bin") returned 1 [0062.781] lstrcmpiW (lpString1="hr-HR", lpString2="System Volume Information") returned -1 [0062.781] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files") returned -1 [0062.781] lstrcmpiW (lpString1="hr-HR", lpString2="Program Files (x86)") returned -1 [0062.781] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR") returned 17 [0062.781] lstrcmpW (lpString1="hr-HR", lpString2=".") returned 1 [0062.781] lstrcmpW (lpString1="hr-HR", lpString2="..") returned 1 [0062.781] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hr-HR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.781] GetProcessHeap () returned 0x3a00000 [0062.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.781] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\*") returned 19 [0062.781] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hr-HR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0062.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.781] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\.") returned 19 [0062.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.781] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.782] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.782] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.782] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\..") returned 20 [0062.782] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.782] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.782] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.782] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.782] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.782] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.782] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.782] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.782] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui") returned 33 [0062.782] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.782] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.782] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.782] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.782] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.782] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.782] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0062.782] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.782] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hr-HR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hr-hr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.783] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.783] CloseHandle (hObject=0x42c) returned 1 [0062.784] GetProcessHeap () returned 0x3a00000 [0062.784] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.784] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0062.784] lstrcmpiW (lpString1="hu-HU", lpString2="Windows") returned -1 [0062.784] lstrcmpiW (lpString1="hu-HU", lpString2="$Recycle.bin") returned 1 [0062.784] lstrcmpiW (lpString1="hu-HU", lpString2="System Volume Information") returned -1 [0062.784] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files") returned -1 [0062.784] lstrcmpiW (lpString1="hu-HU", lpString2="Program Files (x86)") returned -1 [0062.784] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU") returned 17 [0062.784] lstrcmpW (lpString1="hu-HU", lpString2=".") returned 1 [0062.784] lstrcmpW (lpString1="hu-HU", lpString2="..") returned 1 [0062.784] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\hu-HU", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.784] GetProcessHeap () returned 0x3a00000 [0062.784] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.784] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\*") returned 19 [0062.784] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\hu-HU\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0062.784] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.784] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.784] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.784] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.784] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.784] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\.") returned 19 [0062.784] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.784] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.784] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.784] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.785] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.785] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.785] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.785] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\..") returned 20 [0062.785] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.785] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.785] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.785] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.785] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 33 [0062.785] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.785] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.785] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.785] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.785] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.786] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.786] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.786] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.786] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.786] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.786] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.786] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui") returned 33 [0062.786] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.786] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.786] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.786] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.786] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.786] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.786] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0062.786] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.786] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\hu-HU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\hu-hu\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.788] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.790] CloseHandle (hObject=0x42c) returned 1 [0062.790] GetProcessHeap () returned 0x3a00000 [0062.790] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0062.790] lstrcmpiW (lpString1="it-IT", lpString2="Windows") returned -1 [0062.790] lstrcmpiW (lpString1="it-IT", lpString2="$Recycle.bin") returned 1 [0062.790] lstrcmpiW (lpString1="it-IT", lpString2="System Volume Information") returned -1 [0062.790] lstrcmpiW (lpString1="it-IT", lpString2="Program Files") returned -1 [0062.790] lstrcmpiW (lpString1="it-IT", lpString2="Program Files (x86)") returned -1 [0062.790] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT") returned 17 [0062.790] lstrcmpW (lpString1="it-IT", lpString2=".") returned 1 [0062.790] lstrcmpW (lpString1="it-IT", lpString2="..") returned 1 [0062.790] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\it-IT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.790] GetProcessHeap () returned 0x3a00000 [0062.790] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.790] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\*") returned 19 [0062.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\it-IT\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0062.790] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.790] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.790] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.790] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.791] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.791] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\.") returned 19 [0062.791] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.791] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.791] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.791] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.791] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.791] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.791] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.791] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\..") returned 20 [0062.791] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.791] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.791] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.791] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.791] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.791] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.791] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.791] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.791] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 33 [0062.791] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.791] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.791] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.791] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.791] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.791] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.791] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.791] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.791] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.791] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.792] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui") returned 33 [0062.792] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.792] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.792] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.792] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.792] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.792] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.792] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0062.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.793] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\it-IT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\it-it\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.794] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.795] CloseHandle (hObject=0x42c) returned 1 [0062.795] GetProcessHeap () returned 0x3a00000 [0062.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.795] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0062.795] lstrcmpiW (lpString1="ja-JP", lpString2="Windows") returned -1 [0062.795] lstrcmpiW (lpString1="ja-JP", lpString2="$Recycle.bin") returned 1 [0062.795] lstrcmpiW (lpString1="ja-JP", lpString2="System Volume Information") returned -1 [0062.795] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files") returned -1 [0062.795] lstrcmpiW (lpString1="ja-JP", lpString2="Program Files (x86)") returned -1 [0062.796] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP") returned 17 [0062.796] lstrcmpW (lpString1="ja-JP", lpString2=".") returned 1 [0062.796] lstrcmpW (lpString1="ja-JP", lpString2="..") returned 1 [0062.796] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ja-JP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.796] GetProcessHeap () returned 0x3a00000 [0062.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.796] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\*") returned 19 [0062.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ja-JP\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0062.796] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.796] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.796] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.796] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.796] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.796] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\.") returned 19 [0062.796] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.796] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.796] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.796] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.796] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.796] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.796] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.796] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\..") returned 20 [0062.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.796] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.796] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.796] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.797] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.797] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.797] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.797] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 33 [0062.797] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.797] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.797] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.797] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.797] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.797] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.797] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.797] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.797] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.797] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.797] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.797] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui") returned 33 [0062.797] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.797] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.797] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.797] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.797] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.797] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.797] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0062.798] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.798] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ja-JP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ja-jp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.799] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.800] CloseHandle (hObject=0x42c) returned 1 [0062.800] GetProcessHeap () returned 0x3a00000 [0062.800] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.800] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0062.800] lstrcmpiW (lpString1="ko-KR", lpString2="Windows") returned -1 [0062.800] lstrcmpiW (lpString1="ko-KR", lpString2="$Recycle.bin") returned 1 [0062.800] lstrcmpiW (lpString1="ko-KR", lpString2="System Volume Information") returned -1 [0062.800] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files") returned -1 [0062.800] lstrcmpiW (lpString1="ko-KR", lpString2="Program Files (x86)") returned -1 [0062.800] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR") returned 17 [0062.800] lstrcmpW (lpString1="ko-KR", lpString2=".") returned 1 [0062.800] lstrcmpW (lpString1="ko-KR", lpString2="..") returned 1 [0062.800] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ko-KR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.800] GetProcessHeap () returned 0x3a00000 [0062.800] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.800] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\*") returned 19 [0062.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ko-KR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0062.801] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.801] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.801] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.801] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.801] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.801] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\.") returned 19 [0062.801] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.801] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.801] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.801] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.801] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.801] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.801] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.801] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\..") returned 20 [0062.802] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.802] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.802] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.802] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.802] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.802] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.802] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.802] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.802] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 33 [0062.802] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.802] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.802] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.802] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.802] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.802] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.802] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.802] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.802] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.802] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.802] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.802] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui") returned 33 [0062.802] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.802] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.802] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.802] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.802] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.802] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.802] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0062.803] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.803] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ko-KR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ko-kr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.804] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.805] CloseHandle (hObject=0x42c) returned 1 [0062.805] GetProcessHeap () returned 0x3a00000 [0062.805] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.805] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0062.805] lstrcmpiW (lpString1="lt-LT", lpString2="Windows") returned -1 [0062.805] lstrcmpiW (lpString1="lt-LT", lpString2="$Recycle.bin") returned 1 [0062.805] lstrcmpiW (lpString1="lt-LT", lpString2="System Volume Information") returned -1 [0062.805] lstrcmpiW (lpString1="lt-LT", lpString2="Program Files") returned -1 [0062.805] lstrcmpiW (lpString1="lt-LT", lpString2="Program Files (x86)") returned -1 [0062.805] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT") returned 17 [0062.805] lstrcmpW (lpString1="lt-LT", lpString2=".") returned 1 [0062.805] lstrcmpW (lpString1="lt-LT", lpString2="..") returned 1 [0062.805] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\lt-LT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.805] GetProcessHeap () returned 0x3a00000 [0062.805] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.806] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\*") returned 19 [0062.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lt-LT\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0062.806] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.806] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.806] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.806] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.806] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.806] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\.") returned 19 [0062.806] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.806] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.806] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.806] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.806] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.806] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.806] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.806] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\..") returned 20 [0062.806] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.806] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.806] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.806] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.806] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.806] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.806] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.806] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.806] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 33 [0062.806] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.806] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.807] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.807] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.807] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.865] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.865] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0062.865] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lt-LT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.866] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lt-LT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\lt-lt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.867] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.868] CloseHandle (hObject=0x42c) returned 1 [0062.868] GetProcessHeap () returned 0x3a00000 [0062.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.868] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0062.868] lstrcmpiW (lpString1="lv-LV", lpString2="Windows") returned -1 [0062.868] lstrcmpiW (lpString1="lv-LV", lpString2="$Recycle.bin") returned 1 [0062.868] lstrcmpiW (lpString1="lv-LV", lpString2="System Volume Information") returned -1 [0062.868] lstrcmpiW (lpString1="lv-LV", lpString2="Program Files") returned -1 [0062.868] lstrcmpiW (lpString1="lv-LV", lpString2="Program Files (x86)") returned -1 [0062.868] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV") returned 17 [0062.868] lstrcmpW (lpString1="lv-LV", lpString2=".") returned 1 [0062.868] lstrcmpW (lpString1="lv-LV", lpString2="..") returned 1 [0062.868] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\lv-LV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.868] GetProcessHeap () returned 0x3a00000 [0062.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.868] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\*") returned 19 [0062.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\lv-LV\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0062.868] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.869] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.869] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.869] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.869] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.869] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\.") returned 19 [0062.869] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.869] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.869] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.869] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.869] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.869] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.869] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.869] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\..") returned 20 [0062.869] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.869] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.869] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.869] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.869] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.869] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.869] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.869] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.869] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 33 [0062.869] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.869] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.869] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.869] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.869] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.869] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0062.870] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0062.870] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\lv-LV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.870] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\lv-LV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\lv-lv\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.870] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.871] CloseHandle (hObject=0x42c) returned 1 [0062.871] GetProcessHeap () returned 0x3a00000 [0062.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.871] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0062.871] lstrcmpiW (lpString1="memtest.exe", lpString2="Windows") returned -1 [0062.871] lstrcmpiW (lpString1="memtest.exe", lpString2="$Recycle.bin") returned 1 [0062.871] lstrcmpiW (lpString1="memtest.exe", lpString2="System Volume Information") returned -1 [0062.871] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files") returned -1 [0062.871] lstrcmpiW (lpString1="memtest.exe", lpString2="Program Files (x86)") returned -1 [0062.871] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\memtest.exe") returned 23 [0062.871] StrStrIW (lpFirst="memtest.exe", lpSrch=".ebal") returned 0x0 [0062.871] lstrcmpW (lpString1="memtest.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.871] lstrcmpW (lpString1="memtest.exe", lpString2="taridd") returned -1 [0062.871] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\memtest.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.871] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.872] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0062.872] lstrcmpiW (lpString1="nb-NO", lpString2="Windows") returned -1 [0062.872] lstrcmpiW (lpString1="nb-NO", lpString2="$Recycle.bin") returned 1 [0062.872] lstrcmpiW (lpString1="nb-NO", lpString2="System Volume Information") returned -1 [0062.872] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files") returned -1 [0062.872] lstrcmpiW (lpString1="nb-NO", lpString2="Program Files (x86)") returned -1 [0062.872] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO") returned 17 [0062.872] lstrcmpW (lpString1="nb-NO", lpString2=".") returned 1 [0062.872] lstrcmpW (lpString1="nb-NO", lpString2="..") returned 1 [0062.872] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nb-NO", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.872] GetProcessHeap () returned 0x3a00000 [0062.872] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.872] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\*") returned 19 [0062.872] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nb-NO\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0062.873] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.873] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.873] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.873] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.873] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.873] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\.") returned 19 [0062.873] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.873] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.873] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.873] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.873] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.873] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.873] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.873] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\..") returned 20 [0062.873] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.873] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.873] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.873] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.873] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.873] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.873] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.873] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.873] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 33 [0062.873] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.873] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.873] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.873] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.873] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.874] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.874] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.874] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.874] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.874] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.874] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.874] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui") returned 33 [0062.874] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.874] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.874] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.874] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.874] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.874] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.874] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0062.874] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.874] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nb-NO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nb-no\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.876] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.877] CloseHandle (hObject=0x42c) returned 1 [0062.877] GetProcessHeap () returned 0x3a00000 [0062.877] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.877] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0062.877] lstrcmpiW (lpString1="nl-NL", lpString2="Windows") returned -1 [0062.877] lstrcmpiW (lpString1="nl-NL", lpString2="$Recycle.bin") returned 1 [0062.877] lstrcmpiW (lpString1="nl-NL", lpString2="System Volume Information") returned -1 [0062.877] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files") returned -1 [0062.877] lstrcmpiW (lpString1="nl-NL", lpString2="Program Files (x86)") returned -1 [0062.877] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL") returned 17 [0062.877] lstrcmpW (lpString1="nl-NL", lpString2=".") returned 1 [0062.878] lstrcmpW (lpString1="nl-NL", lpString2="..") returned 1 [0062.878] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\nl-NL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.878] GetProcessHeap () returned 0x3a00000 [0062.878] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.878] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\*") returned 19 [0062.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\nl-NL\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0062.878] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.878] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.878] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.878] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.878] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.878] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\.") returned 19 [0062.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.878] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.878] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.878] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.878] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.878] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.878] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.878] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\..") returned 20 [0062.878] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.878] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.878] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.878] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.878] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.878] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.878] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.878] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 33 [0062.879] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.879] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.879] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.879] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.879] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.879] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.879] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.879] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.879] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.879] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.879] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.879] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui") returned 33 [0062.880] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.880] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.880] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.880] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.880] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.880] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.880] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0062.880] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.880] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\nl-NL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\nl-nl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.881] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.883] CloseHandle (hObject=0x42c) returned 1 [0062.883] GetProcessHeap () returned 0x3a00000 [0062.883] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.883] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0062.883] lstrcmpiW (lpString1="pl-PL", lpString2="Windows") returned -1 [0062.883] lstrcmpiW (lpString1="pl-PL", lpString2="$Recycle.bin") returned 1 [0062.883] lstrcmpiW (lpString1="pl-PL", lpString2="System Volume Information") returned -1 [0062.883] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files") returned -1 [0062.883] lstrcmpiW (lpString1="pl-PL", lpString2="Program Files (x86)") returned -1 [0062.883] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL") returned 17 [0062.883] lstrcmpW (lpString1="pl-PL", lpString2=".") returned 1 [0062.883] lstrcmpW (lpString1="pl-PL", lpString2="..") returned 1 [0062.883] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pl-PL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.884] GetProcessHeap () returned 0x3a00000 [0062.884] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.884] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\*") returned 19 [0062.884] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pl-PL\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0062.884] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.884] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.884] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.884] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.884] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.884] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\.") returned 19 [0062.884] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.884] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.884] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.884] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.884] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\..") returned 20 [0062.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.884] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.884] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.884] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.884] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.884] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.884] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.884] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 33 [0062.884] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.885] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.885] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.885] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.885] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.885] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.885] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.885] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.885] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.885] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.885] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.885] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui") returned 33 [0062.885] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.885] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.885] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.885] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.885] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.886] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.886] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0062.886] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.886] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pl-PL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pl-pl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.888] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.889] CloseHandle (hObject=0x42c) returned 1 [0062.889] GetProcessHeap () returned 0x3a00000 [0062.889] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.889] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0062.889] lstrcmpiW (lpString1="pt-BR", lpString2="Windows") returned -1 [0062.889] lstrcmpiW (lpString1="pt-BR", lpString2="$Recycle.bin") returned 1 [0062.889] lstrcmpiW (lpString1="pt-BR", lpString2="System Volume Information") returned -1 [0062.889] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files") returned 1 [0062.889] lstrcmpiW (lpString1="pt-BR", lpString2="Program Files (x86)") returned 1 [0062.889] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR") returned 17 [0062.889] lstrcmpW (lpString1="pt-BR", lpString2=".") returned 1 [0062.889] lstrcmpW (lpString1="pt-BR", lpString2="..") returned 1 [0062.889] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-BR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.889] GetProcessHeap () returned 0x3a00000 [0062.889] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.889] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\*") returned 19 [0062.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-BR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0062.890] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.890] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.890] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.890] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.890] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.890] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\.") returned 19 [0062.890] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.890] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.890] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.890] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\..") returned 20 [0062.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.890] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.890] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.890] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.890] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.890] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.890] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.890] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.890] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 33 [0062.890] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.890] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.890] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.890] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.890] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.890] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.891] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.891] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.891] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.891] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.891] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.891] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui") returned 33 [0062.891] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.891] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.891] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.891] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.891] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.891] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.891] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0062.891] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.891] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-BR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-br\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.893] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.894] CloseHandle (hObject=0x42c) returned 1 [0062.894] GetProcessHeap () returned 0x3a00000 [0062.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.894] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0062.894] lstrcmpiW (lpString1="pt-PT", lpString2="Windows") returned -1 [0062.894] lstrcmpiW (lpString1="pt-PT", lpString2="$Recycle.bin") returned 1 [0062.894] lstrcmpiW (lpString1="pt-PT", lpString2="System Volume Information") returned -1 [0062.894] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files") returned 1 [0062.894] lstrcmpiW (lpString1="pt-PT", lpString2="Program Files (x86)") returned 1 [0062.894] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT") returned 17 [0062.894] lstrcmpW (lpString1="pt-PT", lpString2=".") returned 1 [0062.894] lstrcmpW (lpString1="pt-PT", lpString2="..") returned 1 [0062.894] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\pt-PT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.894] GetProcessHeap () returned 0x3a00000 [0062.894] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.894] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\*") returned 19 [0062.894] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\pt-PT\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0062.895] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.895] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.895] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.895] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.895] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.895] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\.") returned 19 [0062.895] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.895] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.895] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.895] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.895] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.895] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.895] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.895] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\..") returned 20 [0062.895] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.895] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.895] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.895] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.895] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.895] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.895] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.895] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.895] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned 33 [0062.896] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.896] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.896] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.896] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.896] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.896] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0062.896] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0062.896] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.896] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0062.896] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0062.896] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.896] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui") returned 33 [0062.896] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0062.896] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.896] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0062.896] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.896] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0062.896] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0062.896] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0062.896] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0062.896] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\pt-PT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\pt-pt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0062.898] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0062.899] CloseHandle (hObject=0x42c) returned 1 [0062.899] GetProcessHeap () returned 0x3a00000 [0062.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0062.899] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0062.899] lstrcmpiW (lpString1="qps-ploc", lpString2="Windows") returned -1 [0062.899] lstrcmpiW (lpString1="qps-ploc", lpString2="$Recycle.bin") returned 1 [0062.899] lstrcmpiW (lpString1="qps-ploc", lpString2="System Volume Information") returned -1 [0062.900] lstrcmpiW (lpString1="qps-ploc", lpString2="Program Files") returned 1 [0062.900] lstrcmpiW (lpString1="qps-ploc", lpString2="Program Files (x86)") returned 1 [0062.900] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc") returned 20 [0062.900] lstrcmpW (lpString1="qps-ploc", lpString2=".") returned 1 [0062.900] lstrcmpW (lpString1="qps-ploc", lpString2="..") returned 1 [0062.900] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\qps-ploc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0062.900] GetProcessHeap () returned 0x3a00000 [0062.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0062.900] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\*") returned 22 [0062.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0062.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0062.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0062.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0062.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0062.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0062.900] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\.") returned 22 [0062.900] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0062.900] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0062.900] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0062.900] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0062.900] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0062.900] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0062.900] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0062.900] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\..") returned 23 [0062.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0062.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0062.900] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0062.901] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0062.901] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0062.901] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0062.901] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0062.901] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0062.901] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui") returned 36 [0062.901] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0062.901] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0062.901] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0062.901] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0062.901] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.044] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.044] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui") returned 36 [0063.044] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.044] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.044] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.045] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.045] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.045] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.045] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0063.046] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\qps-ploc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 52 [0063.046] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\qps-ploc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\qps-ploc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.049] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.049] CloseHandle (hObject=0x42c) returned 1 [0063.050] GetProcessHeap () returned 0x3a00000 [0063.050] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.050] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0063.050] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0063.050] lstrcmpiW (lpString1="Resources", lpString2="$Recycle.bin") returned 1 [0063.050] lstrcmpiW (lpString1="Resources", lpString2="System Volume Information") returned -1 [0063.050] lstrcmpiW (lpString1="Resources", lpString2="Program Files") returned 1 [0063.050] lstrcmpiW (lpString1="Resources", lpString2="Program Files (x86)") returned 1 [0063.050] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources") returned 21 [0063.050] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0063.050] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0063.050] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Resources", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.050] GetProcessHeap () returned 0x3a00000 [0063.050] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.050] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\*") returned 23 [0063.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0063.051] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.051] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.051] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.051] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.051] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.051] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\.") returned 23 [0063.051] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.051] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.051] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.051] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.051] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.051] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.051] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.051] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\..") returned 24 [0063.051] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.051] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.051] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0063.051] lstrcmpiW (lpString1="bootres.dll", lpString2="Windows") returned -1 [0063.051] lstrcmpiW (lpString1="bootres.dll", lpString2="$Recycle.bin") returned 1 [0063.051] lstrcmpiW (lpString1="bootres.dll", lpString2="System Volume Information") returned -1 [0063.051] lstrcmpiW (lpString1="bootres.dll", lpString2="Program Files") returned -1 [0063.051] lstrcmpiW (lpString1="bootres.dll", lpString2="Program Files (x86)") returned -1 [0063.051] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\bootres.dll") returned 33 [0063.051] StrStrIW (lpFirst="bootres.dll", lpSrch=".ebal") returned 0x0 [0063.051] lstrcmpW (lpString1="bootres.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.052] lstrcmpW (lpString1="bootres.dll", lpString2="taridd") returned -1 [0063.052] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Resources\\bootres.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.052] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.052] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0063.052] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0063.052] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0063.052] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0063.052] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0063.052] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0063.052] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US") returned 27 [0063.052] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0063.052] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0063.052] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\Resources\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.052] GetProcessHeap () returned 0x3a00000 [0063.052] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0063.052] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\*") returned 29 [0063.052] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0063.052] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.052] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.052] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.052] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.052] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.052] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\.") returned 29 [0063.052] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.052] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.053] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.053] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.053] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.053] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.053] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.053] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\..") returned 30 [0063.053] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.053] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0063.053] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Windows") returned -1 [0063.053] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="$Recycle.bin") returned 1 [0063.053] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="System Volume Information") returned -1 [0063.053] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Program Files") returned -1 [0063.053] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="Program Files (x86)") returned -1 [0063.053] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui") returned 43 [0063.053] StrStrIW (lpFirst="bootres.dll.mui", lpSrch=".ebal") returned 0x0 [0063.053] lstrcmpW (lpString1="bootres.dll.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.053] lstrcmpW (lpString1="bootres.dll.mui", lpString2="taridd") returned -1 [0063.053] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.053] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.053] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0063.053] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0063.053] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 59 [0063.053] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\resources\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0063.054] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0063.055] CloseHandle (hObject=0x430) returned 1 [0063.055] GetProcessHeap () returned 0x3a00000 [0063.055] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0063.055] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0063.055] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0063.055] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 53 [0063.055] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\resources\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.055] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.056] CloseHandle (hObject=0x42c) returned 1 [0063.056] GetProcessHeap () returned 0x3a00000 [0063.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.057] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0063.057] lstrcmpiW (lpString1="ro-RO", lpString2="Windows") returned -1 [0063.057] lstrcmpiW (lpString1="ro-RO", lpString2="$Recycle.bin") returned 1 [0063.057] lstrcmpiW (lpString1="ro-RO", lpString2="System Volume Information") returned -1 [0063.057] lstrcmpiW (lpString1="ro-RO", lpString2="Program Files") returned 1 [0063.057] lstrcmpiW (lpString1="ro-RO", lpString2="Program Files (x86)") returned 1 [0063.057] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO") returned 17 [0063.057] lstrcmpW (lpString1="ro-RO", lpString2=".") returned 1 [0063.057] lstrcmpW (lpString1="ro-RO", lpString2="..") returned 1 [0063.057] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ro-RO", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.057] GetProcessHeap () returned 0x3a00000 [0063.057] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.057] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\*") returned 19 [0063.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ro-RO\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0063.057] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.057] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.057] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.057] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.057] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.057] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\.") returned 19 [0063.057] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.057] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.057] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.057] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.057] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.057] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.058] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\..") returned 20 [0063.058] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.058] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.058] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.058] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.058] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.058] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.058] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.058] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.058] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 33 [0063.058] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.058] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.058] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.058] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.058] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.058] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0063.058] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0063.058] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ro-RO\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.058] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ro-RO\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ro-ro\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.058] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.059] CloseHandle (hObject=0x42c) returned 1 [0063.060] GetProcessHeap () returned 0x3a00000 [0063.060] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.060] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0063.060] lstrcmpiW (lpString1="ru-RU", lpString2="Windows") returned -1 [0063.060] lstrcmpiW (lpString1="ru-RU", lpString2="$Recycle.bin") returned 1 [0063.060] lstrcmpiW (lpString1="ru-RU", lpString2="System Volume Information") returned -1 [0063.060] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files") returned 1 [0063.060] lstrcmpiW (lpString1="ru-RU", lpString2="Program Files (x86)") returned 1 [0063.060] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU") returned 17 [0063.060] lstrcmpW (lpString1="ru-RU", lpString2=".") returned 1 [0063.060] lstrcmpW (lpString1="ru-RU", lpString2="..") returned 1 [0063.060] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\ru-RU", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.060] GetProcessHeap () returned 0x3a00000 [0063.060] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.060] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\*") returned 19 [0063.060] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\ru-RU\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0063.061] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.061] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.061] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.061] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\.") returned 19 [0063.061] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.061] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.061] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.061] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.061] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.061] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\..") returned 20 [0063.061] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.061] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.061] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.061] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 33 [0063.061] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.062] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.062] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.062] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.062] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.062] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.062] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.062] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.062] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.062] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.062] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.062] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui") returned 33 [0063.062] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.062] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.062] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.062] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.062] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.062] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.062] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0063.062] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.062] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\ru-RU\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\ru-ru\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.064] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.065] CloseHandle (hObject=0x42c) returned 1 [0063.065] GetProcessHeap () returned 0x3a00000 [0063.065] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.065] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0063.065] lstrcmpiW (lpString1="sk-SK", lpString2="Windows") returned -1 [0063.065] lstrcmpiW (lpString1="sk-SK", lpString2="$Recycle.bin") returned 1 [0063.066] lstrcmpiW (lpString1="sk-SK", lpString2="System Volume Information") returned -1 [0063.066] lstrcmpiW (lpString1="sk-SK", lpString2="Program Files") returned 1 [0063.066] lstrcmpiW (lpString1="sk-SK", lpString2="Program Files (x86)") returned 1 [0063.066] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK") returned 17 [0063.066] lstrcmpW (lpString1="sk-SK", lpString2=".") returned 1 [0063.066] lstrcmpW (lpString1="sk-SK", lpString2="..") returned 1 [0063.066] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sk-SK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.066] GetProcessHeap () returned 0x3a00000 [0063.066] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.066] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\*") returned 19 [0063.066] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sk-SK\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0063.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.066] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.066] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.066] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.066] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\.") returned 19 [0063.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.066] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.066] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\..") returned 20 [0063.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.066] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.067] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.067] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.067] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.067] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.067] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.067] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 33 [0063.067] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.067] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.067] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.067] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.067] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.067] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0063.067] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0063.068] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sk-SK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.068] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sk-SK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sk-sk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.068] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.069] CloseHandle (hObject=0x42c) returned 1 [0063.069] GetProcessHeap () returned 0x3a00000 [0063.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.069] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0063.069] lstrcmpiW (lpString1="sl-SI", lpString2="Windows") returned -1 [0063.069] lstrcmpiW (lpString1="sl-SI", lpString2="$Recycle.bin") returned 1 [0063.069] lstrcmpiW (lpString1="sl-SI", lpString2="System Volume Information") returned -1 [0063.069] lstrcmpiW (lpString1="sl-SI", lpString2="Program Files") returned 1 [0063.069] lstrcmpiW (lpString1="sl-SI", lpString2="Program Files (x86)") returned 1 [0063.069] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI") returned 17 [0063.070] lstrcmpW (lpString1="sl-SI", lpString2=".") returned 1 [0063.070] lstrcmpW (lpString1="sl-SI", lpString2="..") returned 1 [0063.070] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sl-SI", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.070] GetProcessHeap () returned 0x3a00000 [0063.070] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.070] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\*") returned 19 [0063.070] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sl-SI\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0063.070] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.070] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.071] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.071] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.071] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.071] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\.") returned 19 [0063.071] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.071] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.071] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.071] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.071] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.071] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.071] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.071] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\..") returned 20 [0063.071] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.071] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.071] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.071] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.071] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 33 [0063.071] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.071] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.071] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.071] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.071] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.071] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0063.071] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0063.072] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sl-SI\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.072] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sl-SI\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sl-si\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.072] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.073] CloseHandle (hObject=0x42c) returned 1 [0063.073] GetProcessHeap () returned 0x3a00000 [0063.073] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.073] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0063.073] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Windows") returned -1 [0063.073] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$Recycle.bin") returned 1 [0063.073] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="System Volume Information") returned -1 [0063.073] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Program Files") returned 1 [0063.073] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="Program Files (x86)") returned 1 [0063.073] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS") returned 22 [0063.073] lstrcmpW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0063.073] lstrcmpW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0063.073] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sr-Latn-CS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.073] GetProcessHeap () returned 0x3a00000 [0063.073] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.073] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\*") returned 24 [0063.073] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0063.073] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.073] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.074] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.074] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.074] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\.") returned 24 [0063.074] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.074] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.074] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.074] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.074] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.074] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\..") returned 25 [0063.074] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.074] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.074] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.074] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.074] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.074] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.074] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.074] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.074] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 38 [0063.074] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.074] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.074] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.074] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.074] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.075] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.075] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.075] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.075] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.075] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.075] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.075] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 38 [0063.075] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.075] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.075] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.075] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.075] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.075] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.075] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0063.075] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-CS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0063.075] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-CS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sr-latn-cs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.077] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.078] CloseHandle (hObject=0x42c) returned 1 [0063.079] GetProcessHeap () returned 0x3a00000 [0063.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.079] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0063.079] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Windows") returned -1 [0063.079] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$Recycle.bin") returned 1 [0063.079] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="System Volume Information") returned -1 [0063.079] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Program Files") returned 1 [0063.079] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="Program Files (x86)") returned 1 [0063.079] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS") returned 22 [0063.079] lstrcmpW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0063.079] lstrcmpW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0063.079] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sr-Latn-RS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.079] GetProcessHeap () returned 0x3a00000 [0063.079] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.079] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\*") returned 24 [0063.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0063.079] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.079] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.079] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.079] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.079] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.079] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\.") returned 24 [0063.079] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.079] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.079] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.079] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.079] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.080] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\..") returned 25 [0063.080] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.080] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.080] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.080] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 38 [0063.080] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.080] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.080] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.080] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.080] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.080] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0063.080] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0063.080] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sr-Latn-RS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0063.080] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sr-Latn-RS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sr-latn-rs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.081] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.081] CloseHandle (hObject=0x42c) returned 1 [0063.082] GetProcessHeap () returned 0x3a00000 [0063.082] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.082] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0063.082] lstrcmpiW (lpString1="sv-SE", lpString2="Windows") returned -1 [0063.082] lstrcmpiW (lpString1="sv-SE", lpString2="$Recycle.bin") returned 1 [0063.082] lstrcmpiW (lpString1="sv-SE", lpString2="System Volume Information") returned -1 [0063.082] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files") returned 1 [0063.082] lstrcmpiW (lpString1="sv-SE", lpString2="Program Files (x86)") returned 1 [0063.082] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE") returned 17 [0063.082] lstrcmpW (lpString1="sv-SE", lpString2=".") returned 1 [0063.082] lstrcmpW (lpString1="sv-SE", lpString2="..") returned 1 [0063.082] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\sv-SE", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.082] GetProcessHeap () returned 0x3a00000 [0063.082] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.082] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\*") returned 19 [0063.082] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\sv-SE\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0063.118] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.118] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.118] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.118] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.118] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.118] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\.") returned 19 [0063.118] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.118] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.118] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.118] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.118] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.119] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.119] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.119] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\..") returned 20 [0063.119] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.119] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.119] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.119] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.119] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.119] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.119] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.119] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.119] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 33 [0063.119] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.119] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.119] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.119] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.119] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.119] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.119] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.119] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui") returned 33 [0063.119] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.119] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.119] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.120] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.120] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.120] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.120] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0063.120] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.120] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\sv-SE\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\sv-se\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.122] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.123] CloseHandle (hObject=0x42c) returned 1 [0063.123] GetProcessHeap () returned 0x3a00000 [0063.123] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.123] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0063.123] lstrcmpiW (lpString1="tr-TR", lpString2="Windows") returned -1 [0063.123] lstrcmpiW (lpString1="tr-TR", lpString2="$Recycle.bin") returned 1 [0063.123] lstrcmpiW (lpString1="tr-TR", lpString2="System Volume Information") returned 1 [0063.123] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files") returned 1 [0063.123] lstrcmpiW (lpString1="tr-TR", lpString2="Program Files (x86)") returned 1 [0063.123] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR") returned 17 [0063.123] lstrcmpW (lpString1="tr-TR", lpString2=".") returned 1 [0063.123] lstrcmpW (lpString1="tr-TR", lpString2="..") returned 1 [0063.123] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\tr-TR", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.123] GetProcessHeap () returned 0x3a00000 [0063.123] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.123] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\*") returned 19 [0063.123] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\tr-TR\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0063.123] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.123] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.123] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.124] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\.") returned 19 [0063.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.124] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.124] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\..") returned 20 [0063.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.124] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.124] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.124] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 33 [0063.124] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.124] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.124] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.124] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.124] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.125] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.125] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.125] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.125] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.125] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.125] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.125] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui") returned 33 [0063.125] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.125] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.125] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.125] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.125] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.126] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.126] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0063.126] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.126] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\tr-TR\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\tr-tr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.127] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.129] CloseHandle (hObject=0x42c) returned 1 [0063.129] GetProcessHeap () returned 0x3a00000 [0063.129] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.129] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0063.129] lstrcmpiW (lpString1="uk-UA", lpString2="Windows") returned -1 [0063.129] lstrcmpiW (lpString1="uk-UA", lpString2="$Recycle.bin") returned 1 [0063.129] lstrcmpiW (lpString1="uk-UA", lpString2="System Volume Information") returned 1 [0063.129] lstrcmpiW (lpString1="uk-UA", lpString2="Program Files") returned 1 [0063.129] lstrcmpiW (lpString1="uk-UA", lpString2="Program Files (x86)") returned 1 [0063.129] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA") returned 17 [0063.129] lstrcmpW (lpString1="uk-UA", lpString2=".") returned 1 [0063.129] lstrcmpW (lpString1="uk-UA", lpString2="..") returned 1 [0063.129] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\uk-UA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.129] GetProcessHeap () returned 0x3a00000 [0063.129] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.129] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\*") returned 19 [0063.129] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\uk-UA\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0063.130] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.130] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.130] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.130] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\.") returned 19 [0063.130] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.130] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.130] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.130] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.130] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.130] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\..") returned 20 [0063.130] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.130] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.130] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.130] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.130] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 33 [0063.130] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.130] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.130] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.130] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.130] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.130] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0063.130] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0063.131] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\uk-UA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.131] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\uk-UA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\uk-ua\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.132] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.133] CloseHandle (hObject=0x42c) returned 1 [0063.133] GetProcessHeap () returned 0x3a00000 [0063.133] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.133] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0063.133] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Windows") returned -1 [0063.133] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="$Recycle.bin") returned 1 [0063.133] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="System Volume Information") returned 1 [0063.133] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Program Files") returned 1 [0063.133] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="Program Files (x86)") returned 1 [0063.133] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b") returned 36 [0063.133] StrStrIW (lpFirst="updaterevokesipolicy.p7b", lpSrch=".ebal") returned 0x0 [0063.133] lstrcmpW (lpString1="updaterevokesipolicy.p7b", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.133] lstrcmpW (lpString1="updaterevokesipolicy.p7b", lpString2="taridd") returned 1 [0063.133] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.133] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.134] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0063.134] lstrcmpiW (lpString1="zh-CN", lpString2="Windows") returned 1 [0063.134] lstrcmpiW (lpString1="zh-CN", lpString2="$Recycle.bin") returned 1 [0063.134] lstrcmpiW (lpString1="zh-CN", lpString2="System Volume Information") returned 1 [0063.134] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files") returned 1 [0063.134] lstrcmpiW (lpString1="zh-CN", lpString2="Program Files (x86)") returned 1 [0063.134] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN") returned 17 [0063.134] lstrcmpW (lpString1="zh-CN", lpString2=".") returned 1 [0063.134] lstrcmpW (lpString1="zh-CN", lpString2="..") returned 1 [0063.134] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-CN", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.134] GetProcessHeap () returned 0x3a00000 [0063.134] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.134] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\*") returned 19 [0063.134] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-CN\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0063.135] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.135] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.135] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.135] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.135] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.135] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\.") returned 19 [0063.135] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.135] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.135] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.135] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.135] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.136] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.136] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.136] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\..") returned 20 [0063.136] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.136] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.136] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.136] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.136] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.136] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.136] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.136] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.136] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 33 [0063.136] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.136] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.136] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.136] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.136] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.136] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.136] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui") returned 33 [0063.136] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.136] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.136] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.136] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.137] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.137] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.137] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0063.137] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.137] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-CN\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-cn\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.138] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.139] CloseHandle (hObject=0x42c) returned 1 [0063.139] GetProcessHeap () returned 0x3a00000 [0063.140] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.140] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0063.140] lstrcmpiW (lpString1="zh-HK", lpString2="Windows") returned 1 [0063.140] lstrcmpiW (lpString1="zh-HK", lpString2="$Recycle.bin") returned 1 [0063.140] lstrcmpiW (lpString1="zh-HK", lpString2="System Volume Information") returned 1 [0063.140] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files") returned 1 [0063.140] lstrcmpiW (lpString1="zh-HK", lpString2="Program Files (x86)") returned 1 [0063.140] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK") returned 17 [0063.140] lstrcmpW (lpString1="zh-HK", lpString2=".") returned 1 [0063.140] lstrcmpW (lpString1="zh-HK", lpString2="..") returned 1 [0063.140] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-HK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.140] GetProcessHeap () returned 0x3a00000 [0063.140] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.140] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\*") returned 19 [0063.140] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-HK\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0063.140] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.140] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.140] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.140] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.140] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.140] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\.") returned 19 [0063.140] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.140] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.140] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.140] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.140] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.140] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.141] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.141] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\..") returned 20 [0063.141] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.141] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.141] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.141] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.141] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.141] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.141] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.141] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.141] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 33 [0063.141] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.141] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.141] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.141] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.141] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.142] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.142] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui") returned 33 [0063.142] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.142] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.142] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.142] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.142] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.142] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.142] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0063.142] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.142] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-HK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-hk\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.144] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.145] CloseHandle (hObject=0x42c) returned 1 [0063.145] GetProcessHeap () returned 0x3a00000 [0063.145] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.145] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0063.145] lstrcmpiW (lpString1="zh-TW", lpString2="Windows") returned 1 [0063.145] lstrcmpiW (lpString1="zh-TW", lpString2="$Recycle.bin") returned 1 [0063.145] lstrcmpiW (lpString1="zh-TW", lpString2="System Volume Information") returned 1 [0063.145] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files") returned 1 [0063.145] lstrcmpiW (lpString1="zh-TW", lpString2="Program Files (x86)") returned 1 [0063.145] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW") returned 17 [0063.145] lstrcmpW (lpString1="zh-TW", lpString2=".") returned 1 [0063.145] lstrcmpW (lpString1="zh-TW", lpString2="..") returned 1 [0063.145] lstrcmpW (lpString1="\\\\?\\C:\\Boot\\zh-TW", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.145] GetProcessHeap () returned 0x3a00000 [0063.145] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.145] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\*") returned 19 [0063.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Boot\\zh-TW\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0063.146] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.146] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.146] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.146] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.146] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.146] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\.") returned 19 [0063.146] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.146] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.146] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.146] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.146] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.146] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.146] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.146] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\..") returned 20 [0063.146] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.146] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.146] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0063.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Windows") returned -1 [0063.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="System Volume Information") returned -1 [0063.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files") returned -1 [0063.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.146] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 33 [0063.146] StrStrIW (lpFirst="bootmgr.exe.mui", lpSrch=".ebal") returned 0x0 [0063.146] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.146] lstrcmpW (lpString1="bootmgr.exe.mui", lpString2="taridd") returned -1 [0063.146] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.146] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.146] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0063.147] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Windows") returned -1 [0063.147] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$Recycle.bin") returned 1 [0063.147] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="System Volume Information") returned -1 [0063.147] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files") returned -1 [0063.147] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="Program Files (x86)") returned -1 [0063.147] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui") returned 33 [0063.147] StrStrIW (lpFirst="memtest.exe.mui", lpSrch=".ebal") returned 0x0 [0063.147] lstrcmpW (lpString1="memtest.exe.mui", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.147] lstrcmpW (lpString1="memtest.exe.mui", lpString2="taridd") returned -1 [0063.147] StrCmpNW (lpStr1="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.147] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.147] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0063.147] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0063.147] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 49 [0063.147] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\zh-TW\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\zh-tw\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.149] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0063.150] CloseHandle (hObject=0x42c) returned 1 [0063.150] GetProcessHeap () returned 0x3a00000 [0063.150] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.150] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0063.150] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0063.150] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 43 [0063.150] CreateFileW (lpFileName="\\\\?\\C:\\Boot\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\boot\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0063.151] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0063.152] CloseHandle (hObject=0x428) returned 1 [0063.152] GetProcessHeap () returned 0x3a00000 [0063.152] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0063.152] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0063.152] lstrcmpiW (lpString1="bootmgr", lpString2="Windows") returned -1 [0063.152] lstrcmpiW (lpString1="bootmgr", lpString2="$Recycle.bin") returned 1 [0063.152] lstrcmpiW (lpString1="bootmgr", lpString2="System Volume Information") returned -1 [0063.152] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files") returned -1 [0063.152] lstrcmpiW (lpString1="bootmgr", lpString2="Program Files (x86)") returned -1 [0063.153] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\bootmgr") returned 14 [0063.153] StrStrIW (lpFirst="bootmgr", lpSrch=".ebal") returned 0x0 [0063.153] lstrcmpW (lpString1="bootmgr", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.153] lstrcmpW (lpString1="bootmgr", lpString2="taridd") returned -1 [0063.153] StrCmpNW (lpStr1="\\\\?\\C:\\bootmgr", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.153] CreateFileW (lpFileName="\\\\?\\C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.198] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0063.198] lstrcmpiW (lpString1="BOOTNXT", lpString2="Windows") returned -1 [0063.198] lstrcmpiW (lpString1="BOOTNXT", lpString2="$Recycle.bin") returned 1 [0063.198] lstrcmpiW (lpString1="BOOTNXT", lpString2="System Volume Information") returned -1 [0063.198] lstrcmpiW (lpString1="BOOTNXT", lpString2="Program Files") returned -1 [0063.198] lstrcmpiW (lpString1="BOOTNXT", lpString2="Program Files (x86)") returned -1 [0063.198] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTNXT") returned 14 [0063.198] StrStrIW (lpFirst="BOOTNXT", lpSrch=".ebal") returned 0x0 [0063.198] lstrcmpW (lpString1="BOOTNXT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.198] lstrcmpW (lpString1="BOOTNXT", lpString2="taridd") returned -1 [0063.198] StrCmpNW (lpStr1="\\\\?\\C:\\BOOTNXT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.198] CreateFileW (lpFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0063.200] GetTickCount () returned 0x1150387 [0063.200] GetTickCount () returned 0x1150387 [0063.200] GetTickCount () returned 0x1150387 [0063.200] GetTickCount () returned 0x1150387 [0063.200] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65afc40*, pdwDataLen=0x65afcf0*=0x2c, dwBufLen=0x80 | out: pbData=0x65afc40*, pdwDataLen=0x65afcf0*=0x80) returned 1 [0063.200] GetProcessHeap () returned 0x3a00000 [0063.200] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.200] ReadFile (in: hFile=0x428, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afcf4*=0x1, lpOverlapped=0x0) returned 1 [0063.201] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0xffffffff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.201] WriteFile (in: hFile=0x428, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afcf4*=0x1, lpOverlapped=0x0) returned 1 [0063.201] GetProcessHeap () returned 0x3a00000 [0063.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.201] SetFilePointerEx (in: hFile=0x428, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.201] WriteFile (in: hFile=0x428, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afcf4*=0x300, lpOverlapped=0x0) returned 1 [0063.202] WriteFile (in: hFile=0x428, lpBuffer=0x65afc40*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x65afc40*, lpNumberOfBytesWritten=0x65afcf4*=0x80, lpOverlapped=0x0) returned 1 [0063.202] WriteFile (in: hFile=0x428, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afcf4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afcf4*=0x4, lpOverlapped=0x0) returned 1 [0063.202] CloseHandle (hObject=0x428) returned 1 [0063.203] GetProcessHeap () returned 0x3a00000 [0063.203] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0063.203] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\BOOTNXT_r00t_{8ew5f6}.ebal") returned 33 [0063.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="\\\\?\\C:\\BOOTNXT_r00t_{8ew5f6}.ebal" (normalized: "c:\\bootnxt_r00t_{8ew5f6}.ebal")) returned 1 [0063.204] GetProcessHeap () returned 0x3a00000 [0063.204] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0063.204] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0063.204] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Windows") returned -1 [0063.204] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$Recycle.bin") returned 1 [0063.204] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="System Volume Information") returned -1 [0063.204] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files") returned -1 [0063.204] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="Program Files (x86)") returned -1 [0063.204] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\BOOTSECT.BAK") returned 19 [0063.204] StrStrIW (lpFirst="BOOTSECT.BAK", lpSrch=".ebal") returned 0x0 [0063.204] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.204] lstrcmpW (lpString1="BOOTSECT.BAK", lpString2="taridd") returned -1 [0063.204] StrCmpNW (lpStr1="\\\\?\\C:\\BOOTSECT.BAK", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.204] CreateFileW (lpFileName="\\\\?\\C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.204] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0063.205] lstrcmpiW (lpString1="Documents and Settings", lpString2="Windows") returned -1 [0063.205] lstrcmpiW (lpString1="Documents and Settings", lpString2="$Recycle.bin") returned 1 [0063.205] lstrcmpiW (lpString1="Documents and Settings", lpString2="System Volume Information") returned -1 [0063.205] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files") returned -1 [0063.205] lstrcmpiW (lpString1="Documents and Settings", lpString2="Program Files (x86)") returned -1 [0063.205] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Documents and Settings") returned 29 [0063.205] lstrcmpW (lpString1="Documents and Settings", lpString2=".") returned 1 [0063.205] lstrcmpW (lpString1="Documents and Settings", lpString2="..") returned 1 [0063.205] lstrcmpW (lpString1="\\\\?\\C:\\Documents and Settings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.205] GetProcessHeap () returned 0x3a00000 [0063.205] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0063.205] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Documents and Settings\\*") returned 31 [0063.205] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Documents and Settings\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="吨Σ￿￿扨@￿￿吨Σ\x05")) returned 0xffffffff [0063.206] GetProcessHeap () returned 0x3a00000 [0063.206] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0063.206] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0063.206] lstrcmpiW (lpString1="ESD", lpString2="Windows") returned -1 [0063.206] lstrcmpiW (lpString1="ESD", lpString2="$Recycle.bin") returned 1 [0063.206] lstrcmpiW (lpString1="ESD", lpString2="System Volume Information") returned -1 [0063.206] lstrcmpiW (lpString1="ESD", lpString2="Program Files") returned -1 [0063.206] lstrcmpiW (lpString1="ESD", lpString2="Program Files (x86)") returned -1 [0063.206] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD") returned 10 [0063.206] lstrcmpW (lpString1="ESD", lpString2=".") returned 1 [0063.206] lstrcmpW (lpString1="ESD", lpString2="..") returned 1 [0063.206] lstrcmpW (lpString1="\\\\?\\C:\\ESD", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.206] GetProcessHeap () returned 0x3a00000 [0063.206] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0063.206] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ESD\\*") returned 12 [0063.206] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ESD\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0063.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.209] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\.") returned 12 [0063.209] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.209] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.209] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.209] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.209] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.209] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.209] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.209] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\..") returned 13 [0063.209] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.209] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.209] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0063.209] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0063.209] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ESD\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 42 [0063.209] CreateFileW (lpFileName="\\\\?\\C:\\ESD\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\esd\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0063.213] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0063.214] CloseHandle (hObject=0x428) returned 1 [0063.214] GetProcessHeap () returned 0x3a00000 [0063.214] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0063.214] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3d7ebe9, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0063.214] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Windows") returned -1 [0063.214] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$Recycle.bin") returned 1 [0063.214] lstrcmpiW (lpString1="hiberfil.sys", lpString2="System Volume Information") returned -1 [0063.214] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files") returned -1 [0063.214] lstrcmpiW (lpString1="hiberfil.sys", lpString2="Program Files (x86)") returned -1 [0063.214] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\hiberfil.sys") returned 19 [0063.214] StrStrIW (lpFirst="hiberfil.sys", lpSrch=".ebal") returned 0x0 [0063.214] lstrcmpW (lpString1="hiberfil.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.214] lstrcmpW (lpString1="hiberfil.sys", lpString2="taridd") returned -1 [0063.214] StrCmpNW (lpStr1="\\\\?\\C:\\hiberfil.sys", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.214] CreateFileW (lpFileName="\\\\?\\C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0063.391] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0063.391] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0063.391] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0063.391] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0063.391] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0063.392] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0063.392] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs") returned 11 [0063.392] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0063.392] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0063.392] lstrcmpW (lpString1="\\\\?\\C:\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0063.392] GetProcessHeap () returned 0x3a00000 [0063.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0063.392] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Logs\\*") returned 13 [0063.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Logs\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0063.398] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0063.398] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0063.398] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0063.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0063.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0063.399] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\.") returned 13 [0063.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0063.399] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0063.403] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0063.403] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0063.403] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0063.403] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0063.403] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0063.403] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\..") returned 14 [0063.403] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0063.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0063.403] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0063.403] lstrcmpiW (lpString1="Application.evtx", lpString2="Windows") returned -1 [0063.403] lstrcmpiW (lpString1="Application.evtx", lpString2="$Recycle.bin") returned 1 [0063.403] lstrcmpiW (lpString1="Application.evtx", lpString2="System Volume Information") returned -1 [0063.403] lstrcmpiW (lpString1="Application.evtx", lpString2="Program Files") returned -1 [0063.403] lstrcmpiW (lpString1="Application.evtx", lpString2="Program Files (x86)") returned -1 [0063.403] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Application.evtx") returned 28 [0063.403] StrStrIW (lpFirst="Application.evtx", lpSrch=".ebal") returned 0x0 [0063.403] lstrcmpW (lpString1="Application.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.403] lstrcmpW (lpString1="Application.evtx", lpString2="taridd") returned -1 [0063.403] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Application.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.403] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.405] GetTickCount () returned 0x1150452 [0063.405] GetTickCount () returned 0x1150452 [0063.405] GetTickCount () returned 0x1150452 [0063.405] GetTickCount () returned 0x1150452 [0063.405] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.406] GetProcessHeap () returned 0x3a00000 [0063.406] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.406] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.407] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.408] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.408] GetProcessHeap () returned 0x3a00000 [0063.408] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.408] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.408] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.408] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.408] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.408] CloseHandle (hObject=0x42c) returned 1 [0063.411] GetProcessHeap () returned 0x3a00000 [0063.411] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.411] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Application.evtx_r00t_{8ew5f6}.ebal") returned 47 [0063.411] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Application.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\application.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.411] GetProcessHeap () returned 0x3a00000 [0063.411] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.411] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0063.412] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Windows") returned -1 [0063.412] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="$Recycle.bin") returned 1 [0063.412] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="System Volume Information") returned -1 [0063.412] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Program Files") returned -1 [0063.412] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="Program Files (x86)") returned -1 [0063.412] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\HardwareEvents.evtx") returned 31 [0063.412] StrStrIW (lpFirst="HardwareEvents.evtx", lpSrch=".ebal") returned 0x0 [0063.412] lstrcmpW (lpString1="HardwareEvents.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.412] lstrcmpW (lpString1="HardwareEvents.evtx", lpString2="taridd") returned -1 [0063.412] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\HardwareEvents.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.412] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.412] GetTickCount () returned 0x1150452 [0063.412] GetTickCount () returned 0x1150452 [0063.412] GetTickCount () returned 0x1150452 [0063.412] GetTickCount () returned 0x1150452 [0063.413] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.413] GetProcessHeap () returned 0x3a00000 [0063.413] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.413] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.415] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.415] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.415] GetProcessHeap () returned 0x3a00000 [0063.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.415] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.415] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.415] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.415] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.415] CloseHandle (hObject=0x42c) returned 1 [0063.417] GetProcessHeap () returned 0x3a00000 [0063.417] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.417] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\HardwareEvents.evtx_r00t_{8ew5f6}.ebal") returned 50 [0063.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\HardwareEvents.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\hardwareevents.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.418] GetProcessHeap () returned 0x3a00000 [0063.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.418] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0063.418] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Windows") returned -1 [0063.418] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="$Recycle.bin") returned 1 [0063.418] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="System Volume Information") returned -1 [0063.418] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Program Files") returned -1 [0063.418] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="Program Files (x86)") returned -1 [0063.418] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Internet Explorer.evtx") returned 34 [0063.418] StrStrIW (lpFirst="Internet Explorer.evtx", lpSrch=".ebal") returned 0x0 [0063.418] lstrcmpW (lpString1="Internet Explorer.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.418] lstrcmpW (lpString1="Internet Explorer.evtx", lpString2="taridd") returned -1 [0063.418] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Internet Explorer.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.418] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.431] GetTickCount () returned 0x1150471 [0063.431] GetTickCount () returned 0x1150471 [0063.431] GetTickCount () returned 0x1150471 [0063.431] GetTickCount () returned 0x1150471 [0063.431] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.431] GetProcessHeap () returned 0x3a00000 [0063.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.431] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.433] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.433] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.433] GetProcessHeap () returned 0x3a00000 [0063.433] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.433] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.434] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.434] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.434] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.434] CloseHandle (hObject=0x42c) returned 1 [0063.436] GetProcessHeap () returned 0x3a00000 [0063.436] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.436] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Internet Explorer.evtx_r00t_{8ew5f6}.ebal") returned 53 [0063.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Internet Explorer.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\internet explorer.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.436] GetProcessHeap () returned 0x3a00000 [0063.437] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.437] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0063.437] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Windows") returned -1 [0063.437] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="$Recycle.bin") returned 1 [0063.437] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="System Volume Information") returned -1 [0063.437] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Program Files") returned -1 [0063.437] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="Program Files (x86)") returned -1 [0063.437] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Key Management Service.evtx") returned 39 [0063.437] StrStrIW (lpFirst="Key Management Service.evtx", lpSrch=".ebal") returned 0x0 [0063.437] lstrcmpW (lpString1="Key Management Service.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.437] lstrcmpW (lpString1="Key Management Service.evtx", lpString2="taridd") returned -1 [0063.437] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Key Management Service.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.437] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.437] GetTickCount () returned 0x1150471 [0063.437] GetTickCount () returned 0x1150471 [0063.437] GetTickCount () returned 0x1150471 [0063.437] GetTickCount () returned 0x1150471 [0063.437] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.437] GetProcessHeap () returned 0x3a00000 [0063.437] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.437] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.439] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.439] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.439] GetProcessHeap () returned 0x3a00000 [0063.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.439] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.440] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.440] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.440] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.440] CloseHandle (hObject=0x42c) returned 1 [0063.442] GetProcessHeap () returned 0x3a00000 [0063.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.442] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Key Management Service.evtx_r00t_{8ew5f6}.ebal") returned 58 [0063.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Key Management Service.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\key management service.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.442] GetProcessHeap () returned 0x3a00000 [0063.442] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.442] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0063.442] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Windows") returned -1 [0063.442] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0063.443] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="System Volume Information") returned -1 [0063.443] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Program Files") returned -1 [0063.443] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0063.443] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 59 [0063.443] StrStrIW (lpFirst="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0063.443] lstrcmpW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.443] lstrcmpW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="taridd") returned -1 [0063.443] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.443] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.443] GetTickCount () returned 0x1150471 [0063.443] GetTickCount () returned 0x1150471 [0063.443] GetTickCount () returned 0x1150471 [0063.443] GetTickCount () returned 0x1150471 [0063.443] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.443] GetProcessHeap () returned 0x3a00000 [0063.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.443] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.446] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.447] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.447] GetProcessHeap () returned 0x3a00000 [0063.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.447] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.447] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.447] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.447] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.447] CloseHandle (hObject=0x42c) returned 1 [0063.449] GetProcessHeap () returned 0x3a00000 [0063.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.449] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 78 [0063.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.451] GetProcessHeap () returned 0x3a00000 [0063.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.451] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0063.451] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Windows") returned -1 [0063.451] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="$Recycle.bin") returned 1 [0063.451] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="System Volume Information") returned -1 [0063.451] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Program Files") returned -1 [0063.451] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="Program Files (x86)") returned -1 [0063.451] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 90 [0063.451] StrStrIW (lpFirst="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpSrch=".ebal") returned 0x0 [0063.451] lstrcmpW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.451] lstrcmpW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="taridd") returned -1 [0063.451] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.451] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.452] GetTickCount () returned 0x1150481 [0063.452] GetTickCount () returned 0x1150481 [0063.452] GetTickCount () returned 0x1150481 [0063.452] GetTickCount () returned 0x1150481 [0063.452] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.452] GetProcessHeap () returned 0x3a00000 [0063.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.452] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.454] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.454] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.454] GetProcessHeap () returned 0x3a00000 [0063.454] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.454] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.454] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.455] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.455] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.455] CloseHandle (hObject=0x42c) returned 1 [0063.458] GetProcessHeap () returned 0x3a00000 [0063.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.458] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx_r00t_{8ew5f6}.ebal") returned 109 [0063.458] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.459] GetProcessHeap () returned 0x3a00000 [0063.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.459] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0063.459] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Windows") returned -1 [0063.459] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0063.459] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="System Volume Information") returned -1 [0063.459] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Program Files") returned -1 [0063.459] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0063.460] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 83 [0063.460] StrStrIW (lpFirst="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0063.460] lstrcmpW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.460] lstrcmpW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="taridd") returned -1 [0063.460] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.460] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.461] GetTickCount () returned 0x1150490 [0063.461] GetTickCount () returned 0x1150490 [0063.461] GetTickCount () returned 0x1150490 [0063.461] GetTickCount () returned 0x1150490 [0063.461] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.461] GetProcessHeap () returned 0x3a00000 [0063.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.461] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.464] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.464] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.464] GetProcessHeap () returned 0x3a00000 [0063.464] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.464] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.465] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.488] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.488] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.488] CloseHandle (hObject=0x42c) returned 1 [0063.690] GetProcessHeap () returned 0x3a00000 [0063.690] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.690] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 102 [0063.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.691] GetProcessHeap () returned 0x3a00000 [0063.691] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.691] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0063.691] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Windows") returned -1 [0063.691] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="$Recycle.bin") returned 1 [0063.691] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="System Volume Information") returned -1 [0063.691] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Program Files") returned -1 [0063.691] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="Program Files (x86)") returned -1 [0063.691] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 57 [0063.691] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpSrch=".ebal") returned 0x0 [0063.691] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.691] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="taridd") returned -1 [0063.691] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.691] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.692] GetTickCount () returned 0x115057b [0063.692] GetTickCount () returned 0x115057b [0063.692] GetTickCount () returned 0x115057b [0063.692] GetTickCount () returned 0x115057b [0063.692] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.692] GetProcessHeap () returned 0x3a00000 [0063.692] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.692] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.694] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.694] GetProcessHeap () returned 0x3a00000 [0063.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.694] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.694] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.695] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.695] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.695] CloseHandle (hObject=0x42c) returned 1 [0063.697] GetProcessHeap () returned 0x3a00000 [0063.697] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.697] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx_r00t_{8ew5f6}.ebal") returned 76 [0063.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.698] GetProcessHeap () returned 0x3a00000 [0063.698] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.698] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0063.698] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Windows") returned -1 [0063.698] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="$Recycle.bin") returned 1 [0063.698] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="System Volume Information") returned -1 [0063.698] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Program Files") returned -1 [0063.698] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="Program Files (x86)") returned -1 [0063.698] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 60 [0063.698] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpSrch=".ebal") returned 0x0 [0063.698] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.698] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="taridd") returned -1 [0063.698] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.698] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.698] GetTickCount () returned 0x115057b [0063.698] GetTickCount () returned 0x115057b [0063.698] GetTickCount () returned 0x115057b [0063.698] GetTickCount () returned 0x115057b [0063.698] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.699] GetProcessHeap () returned 0x3a00000 [0063.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.699] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.701] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.701] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.701] GetProcessHeap () returned 0x3a00000 [0063.701] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.701] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.701] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.701] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.701] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.701] CloseHandle (hObject=0x42c) returned 1 [0063.703] GetProcessHeap () returned 0x3a00000 [0063.704] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.704] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx_r00t_{8ew5f6}.ebal") returned 79 [0063.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.704] GetProcessHeap () returned 0x3a00000 [0063.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.704] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0063.704] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Windows") returned -1 [0063.704] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="$Recycle.bin") returned 1 [0063.704] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="System Volume Information") returned -1 [0063.704] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Program Files") returned -1 [0063.704] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="Program Files (x86)") returned -1 [0063.704] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 69 [0063.704] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpSrch=".ebal") returned 0x0 [0063.704] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.704] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="taridd") returned -1 [0063.705] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.705] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.705] GetTickCount () returned 0x115057b [0063.705] GetTickCount () returned 0x115057b [0063.705] GetTickCount () returned 0x115057b [0063.705] GetTickCount () returned 0x115057b [0063.705] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.705] GetProcessHeap () returned 0x3a00000 [0063.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.705] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.710] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.710] GetProcessHeap () returned 0x3a00000 [0063.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.710] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.710] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.710] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.710] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.710] CloseHandle (hObject=0x42c) returned 1 [0063.712] GetProcessHeap () returned 0x3a00000 [0063.712] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.712] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx_r00t_{8ew5f6}.ebal") returned 88 [0063.712] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.713] GetProcessHeap () returned 0x3a00000 [0063.713] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.713] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0063.713] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Windows") returned -1 [0063.713] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="$Recycle.bin") returned 1 [0063.713] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="System Volume Information") returned -1 [0063.713] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Program Files") returned -1 [0063.713] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="Program Files (x86)") returned -1 [0063.713] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 68 [0063.713] StrStrIW (lpFirst="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpSrch=".ebal") returned 0x0 [0063.713] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.713] lstrcmpW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="taridd") returned -1 [0063.713] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.713] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.714] GetTickCount () returned 0x115058a [0063.714] GetTickCount () returned 0x115058a [0063.714] GetTickCount () returned 0x115058a [0063.714] GetTickCount () returned 0x115058a [0063.714] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.714] GetProcessHeap () returned 0x3a00000 [0063.714] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.714] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.784] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.784] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.784] GetProcessHeap () returned 0x3a00000 [0063.784] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.784] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.784] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.785] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.785] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.785] CloseHandle (hObject=0x42c) returned 1 [0063.789] GetProcessHeap () returned 0x3a00000 [0063.789] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.789] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx_r00t_{8ew5f6}.ebal") returned 87 [0063.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.790] GetProcessHeap () returned 0x3a00000 [0063.790] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.790] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0063.790] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Windows") returned -1 [0063.790] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0063.790] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="System Volume Information") returned -1 [0063.790] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Program Files") returned -1 [0063.790] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0063.790] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 58 [0063.790] StrStrIW (lpFirst="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0063.790] lstrcmpW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.790] lstrcmpW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="taridd") returned -1 [0063.790] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.790] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.790] GetTickCount () returned 0x11505d8 [0063.791] GetTickCount () returned 0x11505d8 [0063.791] GetTickCount () returned 0x11505d8 [0063.791] GetTickCount () returned 0x11505d8 [0063.791] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.791] GetProcessHeap () returned 0x3a00000 [0063.791] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.791] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.793] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.793] GetProcessHeap () returned 0x3a00000 [0063.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.793] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.793] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.794] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.794] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.794] CloseHandle (hObject=0x42c) returned 1 [0063.796] GetProcessHeap () returned 0x3a00000 [0063.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.796] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 77 [0063.796] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.797] GetProcessHeap () returned 0x3a00000 [0063.797] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.797] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0063.797] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Windows") returned -1 [0063.797] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0063.797] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="System Volume Information") returned -1 [0063.797] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Program Files") returned -1 [0063.797] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0063.797] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 54 [0063.797] StrStrIW (lpFirst="Microsoft-Windows-AppReadiness%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0063.797] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.797] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="taridd") returned -1 [0063.797] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.797] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.798] GetTickCount () returned 0x11505d8 [0063.798] GetTickCount () returned 0x11505d8 [0063.798] GetTickCount () returned 0x11505d8 [0063.798] GetTickCount () returned 0x11505d8 [0063.798] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.798] GetProcessHeap () returned 0x3a00000 [0063.798] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.798] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.800] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.800] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.800] GetProcessHeap () returned 0x3a00000 [0063.800] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.800] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.800] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.800] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.800] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.801] CloseHandle (hObject=0x42c) returned 1 [0063.804] GetProcessHeap () returned 0x3a00000 [0063.804] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.804] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 73 [0063.804] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.805] GetProcessHeap () returned 0x3a00000 [0063.805] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.805] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0063.805] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Windows") returned -1 [0063.805] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0063.805] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="System Volume Information") returned -1 [0063.805] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Program Files") returned -1 [0063.805] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0063.805] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 60 [0063.805] StrStrIW (lpFirst="Microsoft-Windows-AppReadiness%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0063.805] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.805] lstrcmpW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="taridd") returned -1 [0063.805] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.805] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.807] GetTickCount () returned 0x11505e8 [0063.807] GetTickCount () returned 0x11505e8 [0063.807] GetTickCount () returned 0x11505e8 [0063.807] GetTickCount () returned 0x11505e8 [0063.807] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.807] GetProcessHeap () returned 0x3a00000 [0063.807] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.807] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.810] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.810] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.810] GetProcessHeap () returned 0x3a00000 [0063.810] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.810] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.810] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.812] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.812] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.812] CloseHandle (hObject=0x42c) returned 1 [0063.891] GetProcessHeap () returned 0x3a00000 [0063.891] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.891] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 79 [0063.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.892] GetProcessHeap () returned 0x3a00000 [0063.892] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.892] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0063.892] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Windows") returned -1 [0063.892] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0063.892] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="System Volume Information") returned -1 [0063.892] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Program Files") returned -1 [0063.892] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0063.892] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 62 [0063.892] StrStrIW (lpFirst="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0063.892] lstrcmpW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.892] lstrcmpW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="taridd") returned -1 [0063.892] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.893] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.893] GetTickCount () returned 0x1150636 [0063.893] GetTickCount () returned 0x1150636 [0063.893] GetTickCount () returned 0x1150636 [0063.893] GetTickCount () returned 0x1150636 [0063.893] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.893] GetProcessHeap () returned 0x3a00000 [0063.893] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.893] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.896] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.896] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.896] GetProcessHeap () returned 0x3a00000 [0063.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.896] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.896] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.896] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.896] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.896] CloseHandle (hObject=0x42c) returned 1 [0063.898] GetProcessHeap () returned 0x3a00000 [0063.898] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0063.898] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 81 [0063.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0063.899] GetProcessHeap () returned 0x3a00000 [0063.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0063.899] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0063.899] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Windows") returned -1 [0063.899] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0063.899] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="System Volume Information") returned -1 [0063.899] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Program Files") returned -1 [0063.899] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0063.899] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 68 [0063.899] StrStrIW (lpFirst="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0063.899] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0063.899] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="taridd") returned -1 [0063.899] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0063.899] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0063.899] GetTickCount () returned 0x1150646 [0063.899] GetTickCount () returned 0x1150646 [0063.899] GetTickCount () returned 0x1150646 [0063.900] GetTickCount () returned 0x1150646 [0063.900] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0063.900] GetProcessHeap () returned 0x3a00000 [0063.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0063.900] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.902] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0063.902] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0063.903] GetProcessHeap () returned 0x3a00000 [0063.903] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0063.903] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.903] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0063.905] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0063.905] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0063.905] CloseHandle (hObject=0x42c) returned 1 [0064.150] GetProcessHeap () returned 0x3a00000 [0064.150] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.150] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 87 [0064.150] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.151] GetProcessHeap () returned 0x3a00000 [0064.151] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.151] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0064.151] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Windows") returned -1 [0064.151] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="$Recycle.bin") returned 1 [0064.151] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="System Volume Information") returned -1 [0064.151] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Program Files") returned -1 [0064.151] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="Program Files (x86)") returned -1 [0064.151] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 67 [0064.151] StrStrIW (lpFirst="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpSrch=".ebal") returned 0x0 [0064.151] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.151] lstrcmpW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="taridd") returned -1 [0064.151] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.151] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.152] GetTickCount () returned 0x1150740 [0064.152] GetTickCount () returned 0x1150740 [0064.152] GetTickCount () returned 0x1150740 [0064.152] GetTickCount () returned 0x1150740 [0064.153] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.153] GetProcessHeap () returned 0x3a00000 [0064.153] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.153] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.154] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.155] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.155] GetProcessHeap () returned 0x3a00000 [0064.155] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.155] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.155] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.155] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.155] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.155] CloseHandle (hObject=0x42c) returned 1 [0064.157] GetProcessHeap () returned 0x3a00000 [0064.157] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.157] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx_r00t_{8ew5f6}.ebal") returned 86 [0064.158] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.158] GetProcessHeap () returned 0x3a00000 [0064.158] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.158] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0064.158] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Windows") returned -1 [0064.158] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.158] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.158] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Program Files") returned -1 [0064.158] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.158] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 61 [0064.158] StrStrIW (lpFirst="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.158] lstrcmpW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.158] lstrcmpW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="taridd") returned -1 [0064.158] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.158] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.159] GetTickCount () returned 0x1150740 [0064.159] GetTickCount () returned 0x1150740 [0064.159] GetTickCount () returned 0x1150740 [0064.159] GetTickCount () returned 0x1150740 [0064.159] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.159] GetProcessHeap () returned 0x3a00000 [0064.159] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.159] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.161] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.161] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.161] GetProcessHeap () returned 0x3a00000 [0064.161] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.161] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.161] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.161] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.161] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.161] CloseHandle (hObject=0x42c) returned 1 [0064.164] GetProcessHeap () returned 0x3a00000 [0064.164] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.164] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.164] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.164] GetProcessHeap () returned 0x3a00000 [0064.164] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.164] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0064.164] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Windows") returned -1 [0064.164] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.164] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.164] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Program Files") returned -1 [0064.164] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.164] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 76 [0064.164] StrStrIW (lpFirst="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.164] lstrcmpW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.165] lstrcmpW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="taridd") returned -1 [0064.165] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.165] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.165] GetTickCount () returned 0x115074f [0064.165] GetTickCount () returned 0x115074f [0064.165] GetTickCount () returned 0x115074f [0064.165] GetTickCount () returned 0x115074f [0064.165] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.166] GetProcessHeap () returned 0x3a00000 [0064.166] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.166] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.167] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.167] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.168] GetProcessHeap () returned 0x3a00000 [0064.168] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.168] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.168] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.168] CloseHandle (hObject=0x42c) returned 1 [0064.170] GetProcessHeap () returned 0x3a00000 [0064.170] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.170] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 95 [0064.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.171] GetProcessHeap () returned 0x3a00000 [0064.171] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.171] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0064.171] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Windows") returned -1 [0064.171] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.171] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.171] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Program Files") returned -1 [0064.171] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.171] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 59 [0064.171] StrStrIW (lpFirst="Microsoft-Windows-Bits-Client%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.171] lstrcmpW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.171] lstrcmpW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="taridd") returned -1 [0064.171] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.171] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.171] GetTickCount () returned 0x115074f [0064.171] GetTickCount () returned 0x115074f [0064.171] GetTickCount () returned 0x115074f [0064.172] GetTickCount () returned 0x115074f [0064.172] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.172] GetProcessHeap () returned 0x3a00000 [0064.172] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.172] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.174] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.174] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.174] GetProcessHeap () returned 0x3a00000 [0064.174] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.174] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.174] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.174] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.174] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.174] CloseHandle (hObject=0x42c) returned 1 [0064.176] GetProcessHeap () returned 0x3a00000 [0064.176] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.176] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.176] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.177] GetProcessHeap () returned 0x3a00000 [0064.177] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.177] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0064.178] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Windows") returned -1 [0064.178] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.178] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.178] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Program Files") returned -1 [0064.178] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.178] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 61 [0064.178] StrStrIW (lpFirst="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.178] lstrcmpW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.178] lstrcmpW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="taridd") returned -1 [0064.178] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.178] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.178] GetTickCount () returned 0x115075f [0064.178] GetTickCount () returned 0x115075f [0064.178] GetTickCount () returned 0x115075f [0064.178] GetTickCount () returned 0x115075f [0064.178] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.178] GetProcessHeap () returned 0x3a00000 [0064.178] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.178] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.181] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.181] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.181] GetProcessHeap () returned 0x3a00000 [0064.181] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.181] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.181] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.181] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.181] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.181] CloseHandle (hObject=0x42c) returned 1 [0064.184] GetProcessHeap () returned 0x3a00000 [0064.184] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.184] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.188] GetProcessHeap () returned 0x3a00000 [0064.188] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.188] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0064.188] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Windows") returned -1 [0064.188] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.188] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.188] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Program Files") returned -1 [0064.188] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.188] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 75 [0064.188] StrStrIW (lpFirst="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.188] lstrcmpW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.188] lstrcmpW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="taridd") returned -1 [0064.188] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.188] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.188] GetTickCount () returned 0x115075f [0064.188] GetTickCount () returned 0x115075f [0064.188] GetTickCount () returned 0x115075f [0064.188] GetTickCount () returned 0x115075f [0064.188] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.188] GetProcessHeap () returned 0x3a00000 [0064.188] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.189] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.271] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.271] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.271] GetProcessHeap () returned 0x3a00000 [0064.271] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.271] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.271] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.272] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.272] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.272] CloseHandle (hObject=0x42c) returned 1 [0064.274] GetProcessHeap () returned 0x3a00000 [0064.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.275] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 94 [0064.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.275] GetProcessHeap () returned 0x3a00000 [0064.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.275] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0064.275] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Windows") returned -1 [0064.275] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="$Recycle.bin") returned 1 [0064.275] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="System Volume Information") returned -1 [0064.275] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Program Files") returned -1 [0064.275] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="Program Files (x86)") returned -1 [0064.275] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 61 [0064.275] StrStrIW (lpFirst="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpSrch=".ebal") returned 0x0 [0064.276] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.276] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="taridd") returned -1 [0064.276] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.276] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.276] GetTickCount () returned 0x11507bd [0064.276] GetTickCount () returned 0x11507bd [0064.276] GetTickCount () returned 0x11507bd [0064.276] GetTickCount () returned 0x11507bd [0064.276] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.276] GetProcessHeap () returned 0x3a00000 [0064.276] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.276] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.278] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.278] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.278] GetProcessHeap () returned 0x3a00000 [0064.278] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.278] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.279] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.279] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.279] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.279] CloseHandle (hObject=0x42c) returned 1 [0064.281] GetProcessHeap () returned 0x3a00000 [0064.281] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.281] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.282] GetProcessHeap () returned 0x3a00000 [0064.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.282] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0064.282] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Windows") returned -1 [0064.282] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.282] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.282] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Program Files") returned -1 [0064.282] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.282] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 60 [0064.282] StrStrIW (lpFirst="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.282] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.282] lstrcmpW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="taridd") returned -1 [0064.283] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.283] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.283] GetTickCount () returned 0x11507bd [0064.283] GetTickCount () returned 0x11507bd [0064.283] GetTickCount () returned 0x11507bd [0064.283] GetTickCount () returned 0x11507bd [0064.284] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.284] GetProcessHeap () returned 0x3a00000 [0064.284] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.284] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.286] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.286] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.286] GetProcessHeap () returned 0x3a00000 [0064.286] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.286] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.286] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.286] CloseHandle (hObject=0x42c) returned 1 [0064.289] GetProcessHeap () returned 0x3a00000 [0064.289] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.289] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 79 [0064.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.289] GetProcessHeap () returned 0x3a00000 [0064.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.289] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0064.289] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Windows") returned -1 [0064.289] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.289] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.289] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Program Files") returned -1 [0064.289] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.289] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 90 [0064.289] StrStrIW (lpFirst="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.289] lstrcmpW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.290] lstrcmpW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="taridd") returned -1 [0064.290] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.290] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.290] GetTickCount () returned 0x11507cc [0064.290] GetTickCount () returned 0x11507cc [0064.290] GetTickCount () returned 0x11507cc [0064.290] GetTickCount () returned 0x11507cc [0064.290] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.290] GetProcessHeap () returned 0x3a00000 [0064.290] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.290] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.292] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.292] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.292] GetProcessHeap () returned 0x3a00000 [0064.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.292] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.292] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.295] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.295] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.295] CloseHandle (hObject=0x42c) returned 1 [0064.331] GetProcessHeap () returned 0x3a00000 [0064.331] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.331] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 109 [0064.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.332] GetProcessHeap () returned 0x3a00000 [0064.332] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.332] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0064.332] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Windows") returned -1 [0064.332] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.332] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.333] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Program Files") returned -1 [0064.333] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.333] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 60 [0064.333] StrStrIW (lpFirst="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.333] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.333] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="taridd") returned -1 [0064.333] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.333] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.333] GetTickCount () returned 0x11507fb [0064.333] GetTickCount () returned 0x11507fb [0064.333] GetTickCount () returned 0x11507fb [0064.333] GetTickCount () returned 0x11507fb [0064.333] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.333] GetProcessHeap () returned 0x3a00000 [0064.333] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.333] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.335] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.336] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.336] GetProcessHeap () returned 0x3a00000 [0064.336] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.336] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.336] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.336] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.336] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.336] CloseHandle (hObject=0x42c) returned 1 [0064.338] GetProcessHeap () returned 0x3a00000 [0064.338] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.338] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 79 [0064.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.339] GetProcessHeap () returned 0x3a00000 [0064.339] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.339] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0064.339] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Windows") returned -1 [0064.339] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.339] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.339] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Program Files") returned -1 [0064.339] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.339] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 66 [0064.339] StrStrIW (lpFirst="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.339] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.339] lstrcmpW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="taridd") returned -1 [0064.339] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.339] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.339] GetTickCount () returned 0x11507fb [0064.339] GetTickCount () returned 0x11507fb [0064.340] GetTickCount () returned 0x11507fb [0064.340] GetTickCount () returned 0x11507fb [0064.340] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.340] GetProcessHeap () returned 0x3a00000 [0064.340] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.340] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.342] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.342] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.342] GetProcessHeap () returned 0x3a00000 [0064.342] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.342] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.342] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.342] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.342] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.342] CloseHandle (hObject=0x42c) returned 1 [0064.344] GetProcessHeap () returned 0x3a00000 [0064.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.344] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 85 [0064.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.350] GetProcessHeap () returned 0x3a00000 [0064.350] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.350] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0064.350] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Windows") returned -1 [0064.350] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.350] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.350] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Program Files") returned -1 [0064.350] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.350] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 53 [0064.350] StrStrIW (lpFirst="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.350] lstrcmpW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.350] lstrcmpW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="taridd") returned -1 [0064.350] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.350] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.350] GetTickCount () returned 0x115080b [0064.350] GetTickCount () returned 0x115080b [0064.350] GetTickCount () returned 0x115080b [0064.350] GetTickCount () returned 0x115080b [0064.350] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.351] GetProcessHeap () returned 0x3a00000 [0064.351] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.351] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.353] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.353] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.353] GetProcessHeap () returned 0x3a00000 [0064.353] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.353] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.353] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.354] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.354] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.354] CloseHandle (hObject=0x42c) returned 1 [0064.356] GetProcessHeap () returned 0x3a00000 [0064.356] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.356] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 72 [0064.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.357] GetProcessHeap () returned 0x3a00000 [0064.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.357] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0064.357] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Windows") returned -1 [0064.357] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.357] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.357] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Program Files") returned -1 [0064.357] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.357] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 55 [0064.357] StrStrIW (lpFirst="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.357] lstrcmpW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.357] lstrcmpW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="taridd") returned -1 [0064.357] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.357] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.357] GetTickCount () returned 0x115080b [0064.357] GetTickCount () returned 0x115080b [0064.357] GetTickCount () returned 0x115080b [0064.357] GetTickCount () returned 0x115080b [0064.357] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.357] GetProcessHeap () returned 0x3a00000 [0064.357] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.358] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.360] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.360] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.360] GetProcessHeap () returned 0x3a00000 [0064.360] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.360] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.360] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.360] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.360] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.360] CloseHandle (hObject=0x42c) returned 1 [0064.362] GetProcessHeap () returned 0x3a00000 [0064.362] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.362] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 74 [0064.362] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.363] GetProcessHeap () returned 0x3a00000 [0064.363] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.363] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0064.363] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Windows") returned -1 [0064.363] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.363] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.363] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Program Files") returned -1 [0064.363] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.363] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 61 [0064.369] StrStrIW (lpFirst="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.369] lstrcmpW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.369] lstrcmpW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="taridd") returned -1 [0064.369] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.370] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.372] GetTickCount () returned 0x115081a [0064.372] GetTickCount () returned 0x115081a [0064.372] GetTickCount () returned 0x115081a [0064.372] GetTickCount () returned 0x115081a [0064.372] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.372] GetProcessHeap () returned 0x3a00000 [0064.372] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.372] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.374] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.374] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.374] GetProcessHeap () returned 0x3a00000 [0064.374] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.374] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.374] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.375] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.375] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.375] CloseHandle (hObject=0x42c) returned 1 [0064.377] GetProcessHeap () returned 0x3a00000 [0064.377] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.377] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.378] GetProcessHeap () returned 0x3a00000 [0064.378] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.378] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0064.378] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Windows") returned -1 [0064.378] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.378] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.378] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Program Files") returned -1 [0064.378] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.378] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 71 [0064.378] StrStrIW (lpFirst="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.378] lstrcmpW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.378] lstrcmpW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="taridd") returned -1 [0064.378] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.378] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.378] GetTickCount () returned 0x115081a [0064.378] GetTickCount () returned 0x115081a [0064.378] GetTickCount () returned 0x115081a [0064.378] GetTickCount () returned 0x115081a [0064.378] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.379] GetProcessHeap () returned 0x3a00000 [0064.379] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.379] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.381] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.381] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.381] GetProcessHeap () returned 0x3a00000 [0064.381] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.381] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.381] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.381] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.381] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.381] CloseHandle (hObject=0x42c) returned 1 [0064.384] GetProcessHeap () returned 0x3a00000 [0064.384] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.384] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 90 [0064.384] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.384] GetProcessHeap () returned 0x3a00000 [0064.384] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.384] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0064.384] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Windows") returned -1 [0064.384] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.384] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.384] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Program Files") returned -1 [0064.384] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.384] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 59 [0064.384] StrStrIW (lpFirst="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.385] lstrcmpW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.385] lstrcmpW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="taridd") returned -1 [0064.385] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.385] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.385] GetTickCount () returned 0x115082a [0064.385] GetTickCount () returned 0x115082a [0064.385] GetTickCount () returned 0x115082a [0064.385] GetTickCount () returned 0x115082a [0064.385] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.385] GetProcessHeap () returned 0x3a00000 [0064.385] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.385] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.387] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.387] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.388] GetProcessHeap () returned 0x3a00000 [0064.388] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.388] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.388] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.388] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.388] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.388] CloseHandle (hObject=0x42c) returned 1 [0064.390] GetProcessHeap () returned 0x3a00000 [0064.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.390] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.391] GetProcessHeap () returned 0x3a00000 [0064.391] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.391] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0064.391] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Windows") returned -1 [0064.391] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.391] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.391] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Program Files") returned -1 [0064.391] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.391] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 59 [0064.391] StrStrIW (lpFirst="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.391] lstrcmpW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.391] lstrcmpW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="taridd") returned -1 [0064.391] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.391] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.392] GetTickCount () returned 0x115082a [0064.392] GetTickCount () returned 0x115082a [0064.392] GetTickCount () returned 0x115082a [0064.392] GetTickCount () returned 0x115082a [0064.392] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.392] GetProcessHeap () returned 0x3a00000 [0064.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.392] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.395] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.395] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.395] GetProcessHeap () returned 0x3a00000 [0064.395] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.395] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.395] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.395] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.396] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.396] CloseHandle (hObject=0x42c) returned 1 [0064.398] GetProcessHeap () returned 0x3a00000 [0064.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.398] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.398] GetProcessHeap () returned 0x3a00000 [0064.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.399] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0064.399] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Windows") returned -1 [0064.399] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.399] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.399] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Program Files") returned -1 [0064.399] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.399] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 63 [0064.399] StrStrIW (lpFirst="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.399] lstrcmpW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.399] lstrcmpW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="taridd") returned -1 [0064.399] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.399] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.399] GetTickCount () returned 0x115083a [0064.399] GetTickCount () returned 0x115083a [0064.399] GetTickCount () returned 0x115083a [0064.399] GetTickCount () returned 0x115083a [0064.399] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.399] GetProcessHeap () returned 0x3a00000 [0064.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.399] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.401] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.401] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.401] GetProcessHeap () returned 0x3a00000 [0064.401] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.401] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.402] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.402] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.402] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.402] CloseHandle (hObject=0x42c) returned 1 [0064.404] GetProcessHeap () returned 0x3a00000 [0064.404] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.404] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 82 [0064.404] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.405] GetProcessHeap () returned 0x3a00000 [0064.405] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.405] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0064.405] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Windows") returned -1 [0064.405] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.405] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.405] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Program Files") returned -1 [0064.405] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.405] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 61 [0064.405] StrStrIW (lpFirst="Microsoft-Windows-International%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.405] lstrcmpW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.405] lstrcmpW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="taridd") returned -1 [0064.405] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.405] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.406] GetTickCount () returned 0x115083a [0064.406] GetTickCount () returned 0x115083a [0064.406] GetTickCount () returned 0x115083a [0064.406] GetTickCount () returned 0x115083a [0064.406] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.406] GetProcessHeap () returned 0x3a00000 [0064.406] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.406] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.408] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.408] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.408] GetProcessHeap () returned 0x3a00000 [0064.408] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.408] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.408] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.408] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.409] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.409] CloseHandle (hObject=0x42c) returned 1 [0064.417] GetProcessHeap () returned 0x3a00000 [0064.417] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.417] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-International%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.417] GetProcessHeap () returned 0x3a00000 [0064.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.417] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0064.418] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Windows") returned -1 [0064.418] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.418] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.418] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Program Files") returned -1 [0064.418] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.418] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 59 [0064.418] StrStrIW (lpFirst="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.418] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.418] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="taridd") returned -1 [0064.418] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.418] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.418] GetTickCount () returned 0x1150849 [0064.418] GetTickCount () returned 0x1150849 [0064.418] GetTickCount () returned 0x1150849 [0064.418] GetTickCount () returned 0x1150849 [0064.418] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.418] GetProcessHeap () returned 0x3a00000 [0064.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.418] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.420] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.420] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.420] GetProcessHeap () returned 0x3a00000 [0064.420] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.420] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.420] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.421] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.421] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.421] CloseHandle (hObject=0x42c) returned 1 [0064.423] GetProcessHeap () returned 0x3a00000 [0064.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.423] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.424] GetProcessHeap () returned 0x3a00000 [0064.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.424] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0064.424] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Windows") returned -1 [0064.424] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.424] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.424] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Program Files") returned -1 [0064.424] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.424] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 61 [0064.424] StrStrIW (lpFirst="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.424] lstrcmpW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.424] lstrcmpW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="taridd") returned -1 [0064.424] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.424] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.424] GetTickCount () returned 0x1150849 [0064.424] GetTickCount () returned 0x1150849 [0064.424] GetTickCount () returned 0x1150849 [0064.424] GetTickCount () returned 0x1150849 [0064.424] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.424] GetProcessHeap () returned 0x3a00000 [0064.425] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.425] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.427] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.427] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.427] GetProcessHeap () returned 0x3a00000 [0064.427] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.427] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.427] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.427] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.427] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.427] CloseHandle (hObject=0x42c) returned 1 [0064.430] GetProcessHeap () returned 0x3a00000 [0064.430] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.430] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.430] GetProcessHeap () returned 0x3a00000 [0064.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.430] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0064.430] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Windows") returned -1 [0064.430] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="$Recycle.bin") returned 1 [0064.431] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="System Volume Information") returned -1 [0064.431] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Program Files") returned -1 [0064.431] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="Program Files (x86)") returned -1 [0064.431] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 60 [0064.431] StrStrIW (lpFirst="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpSrch=".ebal") returned 0x0 [0064.431] lstrcmpW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.431] lstrcmpW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="taridd") returned -1 [0064.431] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.431] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.431] GetTickCount () returned 0x1150859 [0064.431] GetTickCount () returned 0x1150859 [0064.431] GetTickCount () returned 0x1150859 [0064.431] GetTickCount () returned 0x1150859 [0064.431] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.431] GetProcessHeap () returned 0x3a00000 [0064.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.431] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.433] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.433] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.434] GetProcessHeap () returned 0x3a00000 [0064.434] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.434] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.434] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.436] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.436] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.436] CloseHandle (hObject=0x42c) returned 1 [0064.466] GetProcessHeap () returned 0x3a00000 [0064.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.466] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx_r00t_{8ew5f6}.ebal") returned 79 [0064.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.467] GetProcessHeap () returned 0x3a00000 [0064.467] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.467] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0064.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Windows") returned -1 [0064.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="System Volume Information") returned -1 [0064.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Program Files") returned -1 [0064.467] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.467] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 68 [0064.467] StrStrIW (lpFirst="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.467] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.467] lstrcmpW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="taridd") returned -1 [0064.467] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.467] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.467] GetTickCount () returned 0x1150878 [0064.467] GetTickCount () returned 0x1150878 [0064.467] GetTickCount () returned 0x1150878 [0064.467] GetTickCount () returned 0x1150878 [0064.468] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.468] GetProcessHeap () returned 0x3a00000 [0064.468] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.468] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.470] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.470] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.470] GetProcessHeap () returned 0x3a00000 [0064.470] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.470] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.470] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.470] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.470] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.471] CloseHandle (hObject=0x42c) returned 1 [0064.472] GetProcessHeap () returned 0x3a00000 [0064.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.473] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx_r00t_{8ew5f6}.ebal") returned 87 [0064.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.474] GetProcessHeap () returned 0x3a00000 [0064.474] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.474] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0064.474] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Windows") returned -1 [0064.474] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.474] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.474] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Program Files") returned -1 [0064.474] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.474] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 65 [0064.474] StrStrIW (lpFirst="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.474] lstrcmpW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.474] lstrcmpW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="taridd") returned -1 [0064.474] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.474] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.475] GetTickCount () returned 0x1150888 [0064.475] GetTickCount () returned 0x1150888 [0064.475] GetTickCount () returned 0x1150888 [0064.475] GetTickCount () returned 0x1150888 [0064.475] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.475] GetProcessHeap () returned 0x3a00000 [0064.475] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.475] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.477] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.477] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.477] GetProcessHeap () returned 0x3a00000 [0064.477] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.477] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.477] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.477] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.477] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.478] CloseHandle (hObject=0x42c) returned 1 [0064.480] GetProcessHeap () returned 0x3a00000 [0064.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.480] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 84 [0064.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.481] GetProcessHeap () returned 0x3a00000 [0064.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.481] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0064.481] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Windows") returned -1 [0064.481] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.481] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.481] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Program Files") returned -1 [0064.481] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.481] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 63 [0064.481] StrStrIW (lpFirst="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.481] lstrcmpW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.481] lstrcmpW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="taridd") returned -1 [0064.481] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.481] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.482] GetTickCount () returned 0x1150888 [0064.482] GetTickCount () returned 0x1150888 [0064.482] GetTickCount () returned 0x1150888 [0064.482] GetTickCount () returned 0x1150888 [0064.482] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.482] GetProcessHeap () returned 0x3a00000 [0064.482] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.482] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.484] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.484] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.484] GetProcessHeap () returned 0x3a00000 [0064.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.484] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.484] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.485] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.485] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.485] CloseHandle (hObject=0x42c) returned 1 [0064.487] GetProcessHeap () returned 0x3a00000 [0064.487] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.487] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 82 [0064.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.488] GetProcessHeap () returned 0x3a00000 [0064.488] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.488] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0064.488] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Windows") returned -1 [0064.488] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="$Recycle.bin") returned 1 [0064.488] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="System Volume Information") returned -1 [0064.488] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Program Files") returned -1 [0064.488] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="Program Files (x86)") returned -1 [0064.488] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 54 [0064.488] StrStrIW (lpFirst="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpSrch=".ebal") returned 0x0 [0064.488] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.488] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="taridd") returned -1 [0064.488] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.488] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.489] GetTickCount () returned 0x1150897 [0064.489] GetTickCount () returned 0x1150897 [0064.489] GetTickCount () returned 0x1150897 [0064.489] GetTickCount () returned 0x1150897 [0064.489] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.489] GetProcessHeap () returned 0x3a00000 [0064.489] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.489] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.491] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.491] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.492] GetProcessHeap () returned 0x3a00000 [0064.492] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.492] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.492] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.492] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.492] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.492] CloseHandle (hObject=0x42c) returned 1 [0064.494] GetProcessHeap () returned 0x3a00000 [0064.494] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.494] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx_r00t_{8ew5f6}.ebal") returned 73 [0064.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.495] GetProcessHeap () returned 0x3a00000 [0064.495] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.495] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0064.495] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Windows") returned -1 [0064.495] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.495] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.495] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Program Files") returned -1 [0064.495] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.495] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 59 [0064.495] StrStrIW (lpFirst="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.495] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.495] lstrcmpW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="taridd") returned -1 [0064.495] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.495] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.496] GetTickCount () returned 0x1150897 [0064.496] GetTickCount () returned 0x1150897 [0064.496] GetTickCount () returned 0x1150897 [0064.496] GetTickCount () returned 0x1150897 [0064.496] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.496] GetProcessHeap () returned 0x3a00000 [0064.496] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.496] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.508] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.508] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.509] GetProcessHeap () returned 0x3a00000 [0064.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.509] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.509] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.509] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.509] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.509] CloseHandle (hObject=0x42c) returned 1 [0064.511] GetProcessHeap () returned 0x3a00000 [0064.511] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.511] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.512] GetProcessHeap () returned 0x3a00000 [0064.512] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.512] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0064.512] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Windows") returned -1 [0064.512] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="$Recycle.bin") returned 1 [0064.512] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="System Volume Information") returned -1 [0064.512] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Program Files") returned -1 [0064.512] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="Program Files (x86)") returned -1 [0064.512] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 60 [0064.512] StrStrIW (lpFirst="Microsoft-Windows-Known Folders API Service.evtx", lpSrch=".ebal") returned 0x0 [0064.512] lstrcmpW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.512] lstrcmpW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="taridd") returned -1 [0064.512] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.512] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.513] GetTickCount () returned 0x11508a7 [0064.513] GetTickCount () returned 0x11508a7 [0064.513] GetTickCount () returned 0x11508a7 [0064.513] GetTickCount () returned 0x11508a7 [0064.513] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.513] GetProcessHeap () returned 0x3a00000 [0064.513] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.513] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.515] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.515] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.515] GetProcessHeap () returned 0x3a00000 [0064.515] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.515] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.515] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.516] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.516] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.516] CloseHandle (hObject=0x42c) returned 1 [0064.518] GetProcessHeap () returned 0x3a00000 [0064.518] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.518] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx_r00t_{8ew5f6}.ebal") returned 79 [0064.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.518] GetProcessHeap () returned 0x3a00000 [0064.518] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.519] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0064.519] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Windows") returned -1 [0064.519] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.519] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.519] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Program Files") returned -1 [0064.519] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.519] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 54 [0064.519] StrStrIW (lpFirst="Microsoft-Windows-LiveId%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.519] lstrcmpW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.519] lstrcmpW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="taridd") returned -1 [0064.519] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.519] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.519] GetTickCount () returned 0x11508a7 [0064.519] GetTickCount () returned 0x11508a7 [0064.519] GetTickCount () returned 0x11508a7 [0064.519] GetTickCount () returned 0x11508a7 [0064.519] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.519] GetProcessHeap () returned 0x3a00000 [0064.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.519] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.523] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.523] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.523] GetProcessHeap () returned 0x3a00000 [0064.523] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.523] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.523] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.523] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.524] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.524] CloseHandle (hObject=0x42c) returned 1 [0064.526] GetProcessHeap () returned 0x3a00000 [0064.526] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.526] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 73 [0064.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.526] GetProcessHeap () returned 0x3a00000 [0064.526] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.526] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0064.527] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Windows") returned -1 [0064.527] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.527] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.527] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Program Files") returned -1 [0064.527] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.527] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 45 [0064.527] StrStrIW (lpFirst="Microsoft-Windows-MUI%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.527] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.527] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="taridd") returned -1 [0064.527] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.527] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.527] GetTickCount () returned 0x11508b7 [0064.527] GetTickCount () returned 0x11508b7 [0064.527] GetTickCount () returned 0x11508b7 [0064.527] GetTickCount () returned 0x11508b7 [0064.527] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.527] GetProcessHeap () returned 0x3a00000 [0064.527] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.527] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.529] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.529] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.530] GetProcessHeap () returned 0x3a00000 [0064.530] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.530] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.530] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.530] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.530] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.530] CloseHandle (hObject=0x42c) returned 1 [0064.532] GetProcessHeap () returned 0x3a00000 [0064.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.532] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 64 [0064.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.533] GetProcessHeap () returned 0x3a00000 [0064.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.533] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0064.533] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Windows") returned -1 [0064.533] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.533] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.533] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Program Files") returned -1 [0064.533] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.533] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 51 [0064.533] StrStrIW (lpFirst="Microsoft-Windows-MUI%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.533] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.533] lstrcmpW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="taridd") returned -1 [0064.533] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.533] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.533] GetTickCount () returned 0x11508b7 [0064.533] GetTickCount () returned 0x11508b7 [0064.533] GetTickCount () returned 0x11508b7 [0064.533] GetTickCount () returned 0x11508b7 [0064.533] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.533] GetProcessHeap () returned 0x3a00000 [0064.533] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.533] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.535] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.535] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.536] GetProcessHeap () returned 0x3a00000 [0064.536] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.536] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.536] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.536] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.536] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.536] CloseHandle (hObject=0x42c) returned 1 [0064.538] GetProcessHeap () returned 0x3a00000 [0064.538] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.538] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 70 [0064.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.539] GetProcessHeap () returned 0x3a00000 [0064.539] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.539] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0064.539] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Windows") returned -1 [0064.539] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.539] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.539] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Program Files") returned -1 [0064.539] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.539] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 52 [0064.539] StrStrIW (lpFirst="Microsoft-Windows-NCSI%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.539] lstrcmpW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.539] lstrcmpW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="taridd") returned -1 [0064.539] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.539] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.539] GetTickCount () returned 0x11508c6 [0064.539] GetTickCount () returned 0x11508c6 [0064.539] GetTickCount () returned 0x11508c6 [0064.539] GetTickCount () returned 0x11508c6 [0064.539] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.540] GetProcessHeap () returned 0x3a00000 [0064.540] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.540] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.542] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.542] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.542] GetProcessHeap () returned 0x3a00000 [0064.542] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.542] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.542] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.542] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.542] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.542] CloseHandle (hObject=0x42c) returned 1 [0064.544] GetProcessHeap () returned 0x3a00000 [0064.544] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.544] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 71 [0064.544] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.545] GetProcessHeap () returned 0x3a00000 [0064.545] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.545] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0064.545] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Windows") returned -1 [0064.545] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.545] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.545] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Program Files") returned -1 [0064.545] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.545] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 62 [0064.545] StrStrIW (lpFirst="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.545] lstrcmpW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.545] lstrcmpW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="taridd") returned -1 [0064.545] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.545] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.545] GetTickCount () returned 0x11508c6 [0064.546] GetTickCount () returned 0x11508c6 [0064.546] GetTickCount () returned 0x11508c6 [0064.546] GetTickCount () returned 0x11508c6 [0064.546] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.546] GetProcessHeap () returned 0x3a00000 [0064.546] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.546] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.557] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.558] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.558] GetProcessHeap () returned 0x3a00000 [0064.558] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.558] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.558] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.558] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.558] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.559] CloseHandle (hObject=0x42c) returned 1 [0064.561] GetProcessHeap () returned 0x3a00000 [0064.561] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.561] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 81 [0064.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.561] GetProcessHeap () returned 0x3a00000 [0064.561] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.561] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0064.561] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Windows") returned -1 [0064.561] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.561] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.561] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Program Files") returned -1 [0064.561] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.561] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 52 [0064.561] StrStrIW (lpFirst="Microsoft-Windows-Ntfs%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.562] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.562] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="taridd") returned -1 [0064.562] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.562] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.562] GetTickCount () returned 0x11508d6 [0064.562] GetTickCount () returned 0x11508d6 [0064.562] GetTickCount () returned 0x11508d6 [0064.562] GetTickCount () returned 0x11508d6 [0064.562] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.563] GetProcessHeap () returned 0x3a00000 [0064.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.563] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.564] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.564] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.565] GetProcessHeap () returned 0x3a00000 [0064.565] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.565] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.565] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.565] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.565] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.565] CloseHandle (hObject=0x42c) returned 1 [0064.579] GetProcessHeap () returned 0x3a00000 [0064.579] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.579] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 71 [0064.579] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.580] GetProcessHeap () returned 0x3a00000 [0064.580] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.580] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0064.580] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Windows") returned -1 [0064.580] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="$Recycle.bin") returned 1 [0064.580] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="System Volume Information") returned -1 [0064.580] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Program Files") returned -1 [0064.580] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="Program Files (x86)") returned -1 [0064.580] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 44 [0064.580] StrStrIW (lpFirst="Microsoft-Windows-Ntfs%4WHC.evtx", lpSrch=".ebal") returned 0x0 [0064.580] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.580] lstrcmpW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="taridd") returned -1 [0064.580] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.580] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.580] GetTickCount () returned 0x11508e6 [0064.581] GetTickCount () returned 0x11508e6 [0064.581] GetTickCount () returned 0x11508e6 [0064.581] GetTickCount () returned 0x11508e6 [0064.581] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.581] GetProcessHeap () returned 0x3a00000 [0064.581] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.581] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.583] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.583] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.583] GetProcessHeap () returned 0x3a00000 [0064.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.583] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.583] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.583] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.583] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.583] CloseHandle (hObject=0x42c) returned 1 [0064.585] GetProcessHeap () returned 0x3a00000 [0064.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.586] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx_r00t_{8ew5f6}.ebal") returned 63 [0064.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.586] GetProcessHeap () returned 0x3a00000 [0064.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.586] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0064.586] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Windows") returned -1 [0064.586] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="$Recycle.bin") returned 1 [0064.586] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="System Volume Information") returned -1 [0064.586] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Program Files") returned -1 [0064.586] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="Program Files (x86)") returned -1 [0064.586] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 86 [0064.586] StrStrIW (lpFirst="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpSrch=".ebal") returned 0x0 [0064.586] lstrcmpW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.586] lstrcmpW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="taridd") returned -1 [0064.586] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.586] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.587] GetTickCount () returned 0x11508f5 [0064.587] GetTickCount () returned 0x11508f5 [0064.587] GetTickCount () returned 0x11508f5 [0064.587] GetTickCount () returned 0x11508f5 [0064.587] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.587] GetProcessHeap () returned 0x3a00000 [0064.587] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.588] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.590] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.590] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.590] GetProcessHeap () returned 0x3a00000 [0064.590] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.590] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.590] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.590] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.590] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.590] CloseHandle (hObject=0x42c) returned 1 [0064.592] GetProcessHeap () returned 0x3a00000 [0064.592] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.592] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx_r00t_{8ew5f6}.ebal") returned 105 [0064.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.593] GetProcessHeap () returned 0x3a00000 [0064.593] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.593] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0064.593] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Windows") returned -1 [0064.593] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.593] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.593] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Program Files") returned -1 [0064.593] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.593] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 58 [0064.593] StrStrIW (lpFirst="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.593] lstrcmpW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.593] lstrcmpW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="taridd") returned -1 [0064.593] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.593] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.594] GetTickCount () returned 0x11508f5 [0064.594] GetTickCount () returned 0x11508f5 [0064.594] GetTickCount () returned 0x11508f5 [0064.594] GetTickCount () returned 0x11508f5 [0064.594] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.594] GetProcessHeap () returned 0x3a00000 [0064.594] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.594] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.596] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.596] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.596] GetProcessHeap () returned 0x3a00000 [0064.596] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.596] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.596] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.596] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.596] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.597] CloseHandle (hObject=0x42c) returned 1 [0064.599] GetProcessHeap () returned 0x3a00000 [0064.599] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.599] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 77 [0064.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.600] GetProcessHeap () returned 0x3a00000 [0064.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.600] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0064.600] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Windows") returned -1 [0064.600] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.600] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.600] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Program Files") returned -1 [0064.600] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.600] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 76 [0064.600] StrStrIW (lpFirst="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.600] lstrcmpW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.600] lstrcmpW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="taridd") returned -1 [0064.600] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.600] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.600] GetTickCount () returned 0x1150905 [0064.600] GetTickCount () returned 0x1150905 [0064.600] GetTickCount () returned 0x1150905 [0064.600] GetTickCount () returned 0x1150905 [0064.600] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.600] GetProcessHeap () returned 0x3a00000 [0064.600] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.600] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.602] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.602] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.602] GetProcessHeap () returned 0x3a00000 [0064.602] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.602] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.603] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.603] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.603] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.603] CloseHandle (hObject=0x42c) returned 1 [0064.605] GetProcessHeap () returned 0x3a00000 [0064.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.605] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 95 [0064.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.605] GetProcessHeap () returned 0x3a00000 [0064.605] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.605] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0064.605] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Windows") returned -1 [0064.606] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="$Recycle.bin") returned 1 [0064.606] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="System Volume Information") returned -1 [0064.606] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Program Files") returned -1 [0064.606] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="Program Files (x86)") returned -1 [0064.606] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 53 [0064.606] StrStrIW (lpFirst="Microsoft-Windows-SettingSync%4Debug.evtx", lpSrch=".ebal") returned 0x0 [0064.606] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.606] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="taridd") returned -1 [0064.606] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.606] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.627] GetTickCount () returned 0x1150914 [0064.627] GetTickCount () returned 0x1150914 [0064.627] GetTickCount () returned 0x1150914 [0064.627] GetTickCount () returned 0x1150914 [0064.627] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.627] GetProcessHeap () returned 0x3a00000 [0064.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.627] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.629] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.630] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.630] GetProcessHeap () returned 0x3a00000 [0064.630] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.630] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.630] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.632] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.632] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.632] CloseHandle (hObject=0x42c) returned 1 [0064.660] GetProcessHeap () returned 0x3a00000 [0064.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.660] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx_r00t_{8ew5f6}.ebal") returned 72 [0064.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.661] GetProcessHeap () returned 0x3a00000 [0064.661] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.661] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0064.661] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Windows") returned -1 [0064.661] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.661] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.661] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Program Files") returned -1 [0064.661] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.661] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 59 [0064.661] StrStrIW (lpFirst="Microsoft-Windows-SettingSync%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.662] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.662] lstrcmpW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="taridd") returned -1 [0064.662] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.662] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.662] GetTickCount () returned 0x1150943 [0064.662] GetTickCount () returned 0x1150943 [0064.662] GetTickCount () returned 0x1150943 [0064.662] GetTickCount () returned 0x1150943 [0064.662] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.662] GetProcessHeap () returned 0x3a00000 [0064.662] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.662] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.664] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.664] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.665] GetProcessHeap () returned 0x3a00000 [0064.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.665] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.665] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.665] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.665] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.665] CloseHandle (hObject=0x42c) returned 1 [0064.667] GetProcessHeap () returned 0x3a00000 [0064.667] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.667] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.668] GetProcessHeap () returned 0x3a00000 [0064.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.668] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0064.668] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Windows") returned -1 [0064.668] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="$Recycle.bin") returned 1 [0064.668] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="System Volume Information") returned -1 [0064.668] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Program Files") returned -1 [0064.668] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="Program Files (x86)") returned -1 [0064.668] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 59 [0064.668] StrStrIW (lpFirst="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpSrch=".ebal") returned 0x0 [0064.668] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.668] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="taridd") returned -1 [0064.668] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.668] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.668] GetTickCount () returned 0x1150943 [0064.668] GetTickCount () returned 0x1150943 [0064.668] GetTickCount () returned 0x1150943 [0064.668] GetTickCount () returned 0x1150943 [0064.668] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.669] GetProcessHeap () returned 0x3a00000 [0064.669] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.669] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.716] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.716] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.717] GetProcessHeap () returned 0x3a00000 [0064.717] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.717] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.717] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.717] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.717] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.717] CloseHandle (hObject=0x42c) returned 1 [0064.719] GetProcessHeap () returned 0x3a00000 [0064.719] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.719] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx_r00t_{8ew5f6}.ebal") returned 78 [0064.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.720] GetProcessHeap () returned 0x3a00000 [0064.720] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.720] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0064.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Windows") returned -1 [0064.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Program Files") returned -1 [0064.720] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.720] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 58 [0064.720] StrStrIW (lpFirst="Microsoft-Windows-Shell-Core%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.720] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.720] lstrcmpW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="taridd") returned -1 [0064.720] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.720] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.721] GetTickCount () returned 0x1150972 [0064.721] GetTickCount () returned 0x1150972 [0064.721] GetTickCount () returned 0x1150972 [0064.721] GetTickCount () returned 0x1150972 [0064.721] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.721] GetProcessHeap () returned 0x3a00000 [0064.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.721] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.723] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.723] GetProcessHeap () returned 0x3a00000 [0064.723] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.723] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.723] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.724] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.724] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.724] CloseHandle (hObject=0x42c) returned 1 [0064.726] GetProcessHeap () returned 0x3a00000 [0064.726] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.726] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 77 [0064.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.730] GetProcessHeap () returned 0x3a00000 [0064.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.730] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0064.730] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Windows") returned -1 [0064.730] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="$Recycle.bin") returned 1 [0064.730] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="System Volume Information") returned -1 [0064.730] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Program Files") returned -1 [0064.730] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="Program Files (x86)") returned -1 [0064.730] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 58 [0064.730] StrStrIW (lpFirst="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpSrch=".ebal") returned 0x0 [0064.730] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.730] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="taridd") returned -1 [0064.730] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.730] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.730] GetTickCount () returned 0x1150982 [0064.730] GetTickCount () returned 0x1150982 [0064.731] GetTickCount () returned 0x1150982 [0064.731] GetTickCount () returned 0x1150982 [0064.731] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.731] GetProcessHeap () returned 0x3a00000 [0064.731] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.731] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.733] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.733] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.733] GetProcessHeap () returned 0x3a00000 [0064.733] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.733] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.733] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.733] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.733] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.733] CloseHandle (hObject=0x42c) returned 1 [0064.735] GetProcessHeap () returned 0x3a00000 [0064.735] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.735] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx_r00t_{8ew5f6}.ebal") returned 77 [0064.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.736] GetProcessHeap () returned 0x3a00000 [0064.736] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.736] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0064.736] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Windows") returned -1 [0064.736] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.736] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.736] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Program Files") returned -1 [0064.736] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.736] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 57 [0064.736] StrStrIW (lpFirst="Microsoft-Windows-SMBClient%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.736] lstrcmpW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.736] lstrcmpW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="taridd") returned -1 [0064.736] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.736] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.736] GetTickCount () returned 0x1150982 [0064.736] GetTickCount () returned 0x1150982 [0064.736] GetTickCount () returned 0x1150982 [0064.736] GetTickCount () returned 0x1150982 [0064.737] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.737] GetProcessHeap () returned 0x3a00000 [0064.737] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.737] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.789] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.789] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.789] GetProcessHeap () returned 0x3a00000 [0064.789] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.789] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.789] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.790] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.790] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.790] CloseHandle (hObject=0x42c) returned 1 [0064.792] GetProcessHeap () returned 0x3a00000 [0064.792] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.792] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 76 [0064.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.794] GetProcessHeap () returned 0x3a00000 [0064.794] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.794] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0064.794] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Windows") returned -1 [0064.794] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="$Recycle.bin") returned 1 [0064.794] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="System Volume Information") returned -1 [0064.794] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Program Files") returned -1 [0064.794] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="Program Files (x86)") returned -1 [0064.794] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 54 [0064.794] StrStrIW (lpFirst="Microsoft-Windows-SmbClient%4Security.evtx", lpSrch=".ebal") returned 0x0 [0064.794] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.794] lstrcmpW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="taridd") returned -1 [0064.794] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.794] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.795] GetTickCount () returned 0x11509c0 [0064.795] GetTickCount () returned 0x11509c0 [0064.795] GetTickCount () returned 0x11509c0 [0064.795] GetTickCount () returned 0x11509c0 [0064.795] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.795] GetProcessHeap () returned 0x3a00000 [0064.795] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.795] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.797] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.797] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.798] GetProcessHeap () returned 0x3a00000 [0064.798] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.798] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.798] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.798] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.798] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.798] CloseHandle (hObject=0x42c) returned 1 [0064.800] GetProcessHeap () returned 0x3a00000 [0064.800] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.800] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx_r00t_{8ew5f6}.ebal") returned 73 [0064.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.800] GetProcessHeap () returned 0x3a00000 [0064.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.801] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0064.801] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Windows") returned -1 [0064.801] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="$Recycle.bin") returned 1 [0064.801] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="System Volume Information") returned -1 [0064.801] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Program Files") returned -1 [0064.801] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="Program Files (x86)") returned -1 [0064.801] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 51 [0064.801] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Audit.evtx", lpSrch=".ebal") returned 0x0 [0064.801] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.801] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="taridd") returned -1 [0064.801] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.801] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.802] GetTickCount () returned 0x11509d0 [0064.802] GetTickCount () returned 0x11509d0 [0064.802] GetTickCount () returned 0x11509d0 [0064.802] GetTickCount () returned 0x11509d0 [0064.802] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.802] GetProcessHeap () returned 0x3a00000 [0064.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.802] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.831] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.831] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.831] GetProcessHeap () returned 0x3a00000 [0064.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.831] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.832] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.832] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.832] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.832] CloseHandle (hObject=0x42c) returned 1 [0064.834] GetProcessHeap () returned 0x3a00000 [0064.834] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.834] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx_r00t_{8ew5f6}.ebal") returned 70 [0064.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.835] GetProcessHeap () returned 0x3a00000 [0064.835] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.835] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0064.835] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Windows") returned -1 [0064.835] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="$Recycle.bin") returned 1 [0064.835] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="System Volume Information") returned -1 [0064.835] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Program Files") returned -1 [0064.835] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="Program Files (x86)") returned -1 [0064.835] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 58 [0064.835] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpSrch=".ebal") returned 0x0 [0064.835] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.835] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="taridd") returned -1 [0064.835] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.835] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.835] GetTickCount () returned 0x11509ef [0064.835] GetTickCount () returned 0x11509ef [0064.835] GetTickCount () returned 0x11509ef [0064.835] GetTickCount () returned 0x11509ef [0064.836] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.836] GetProcessHeap () returned 0x3a00000 [0064.836] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.836] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.839] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.839] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.840] GetProcessHeap () returned 0x3a00000 [0064.840] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.840] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.840] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.840] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.840] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.840] CloseHandle (hObject=0x42c) returned 1 [0064.842] GetProcessHeap () returned 0x3a00000 [0064.842] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.842] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx_r00t_{8ew5f6}.ebal") returned 77 [0064.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.843] GetProcessHeap () returned 0x3a00000 [0064.843] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.843] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0064.843] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Windows") returned -1 [0064.843] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.843] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.843] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Program Files") returned -1 [0064.843] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.843] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 57 [0064.843] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.843] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.843] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="taridd") returned -1 [0064.843] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.843] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.843] GetTickCount () returned 0x11509ef [0064.843] GetTickCount () returned 0x11509ef [0064.844] GetTickCount () returned 0x11509ef [0064.844] GetTickCount () returned 0x11509ef [0064.844] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.844] GetProcessHeap () returned 0x3a00000 [0064.844] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.844] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.845] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.846] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.846] GetProcessHeap () returned 0x3a00000 [0064.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.846] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.846] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.846] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.846] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.846] CloseHandle (hObject=0x42c) returned 1 [0064.848] GetProcessHeap () returned 0x3a00000 [0064.848] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.848] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 76 [0064.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.849] GetProcessHeap () returned 0x3a00000 [0064.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.849] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0064.849] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Windows") returned -1 [0064.849] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="$Recycle.bin") returned 1 [0064.849] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="System Volume Information") returned -1 [0064.849] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Program Files") returned -1 [0064.849] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="Program Files (x86)") returned -1 [0064.849] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 54 [0064.849] StrStrIW (lpFirst="Microsoft-Windows-SMBServer%4Security.evtx", lpSrch=".ebal") returned 0x0 [0064.849] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.849] lstrcmpW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="taridd") returned -1 [0064.849] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.849] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.849] GetTickCount () returned 0x11509ff [0064.849] GetTickCount () returned 0x11509ff [0064.849] GetTickCount () returned 0x11509ff [0064.849] GetTickCount () returned 0x11509ff [0064.849] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.850] GetProcessHeap () returned 0x3a00000 [0064.850] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.850] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.851] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.851] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.852] GetProcessHeap () returned 0x3a00000 [0064.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.852] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.852] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.852] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.852] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.852] CloseHandle (hObject=0x42c) returned 1 [0064.854] GetProcessHeap () returned 0x3a00000 [0064.854] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.854] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx_r00t_{8ew5f6}.ebal") returned 73 [0064.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.855] GetProcessHeap () returned 0x3a00000 [0064.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.855] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0064.855] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Windows") returned -1 [0064.855] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.855] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.855] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Program Files") returned -1 [0064.855] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.855] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 53 [0064.855] StrStrIW (lpFirst="Microsoft-Windows-Store%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.855] lstrcmpW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.855] lstrcmpW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="taridd") returned -1 [0064.855] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.855] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.857] GetTickCount () returned 0x11509ff [0064.857] GetTickCount () returned 0x11509ff [0064.857] GetTickCount () returned 0x11509ff [0064.857] GetTickCount () returned 0x11509ff [0064.857] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.857] GetProcessHeap () returned 0x3a00000 [0064.857] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.857] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.860] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.860] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.860] GetProcessHeap () returned 0x3a00000 [0064.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.860] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.860] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.860] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.860] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.860] CloseHandle (hObject=0x42c) returned 1 [0064.862] GetProcessHeap () returned 0x3a00000 [0064.862] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.862] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 72 [0064.862] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.863] GetProcessHeap () returned 0x3a00000 [0064.863] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.863] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0064.863] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Windows") returned -1 [0064.863] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="$Recycle.bin") returned 1 [0064.863] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="System Volume Information") returned -1 [0064.863] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Program Files") returned -1 [0064.863] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="Program Files (x86)") returned -1 [0064.863] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 61 [0064.863] StrStrIW (lpFirst="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpSrch=".ebal") returned 0x0 [0064.863] lstrcmpW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.863] lstrcmpW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="taridd") returned -1 [0064.863] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.863] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.863] GetTickCount () returned 0x1150a0e [0064.864] GetTickCount () returned 0x1150a0e [0064.864] GetTickCount () returned 0x1150a0e [0064.864] GetTickCount () returned 0x1150a0e [0064.864] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.864] GetProcessHeap () returned 0x3a00000 [0064.864] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.864] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.866] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.866] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.866] GetProcessHeap () returned 0x3a00000 [0064.866] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.866] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.866] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.866] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.866] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.866] CloseHandle (hObject=0x42c) returned 1 [0064.868] GetProcessHeap () returned 0x3a00000 [0064.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.868] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx_r00t_{8ew5f6}.ebal") returned 80 [0064.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.869] GetProcessHeap () returned 0x3a00000 [0064.869] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.869] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0064.869] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Windows") returned -1 [0064.869] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.869] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.869] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Program Files") returned -1 [0064.869] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.869] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 78 [0064.869] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.869] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.869] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="taridd") returned -1 [0064.869] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.869] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.869] GetTickCount () returned 0x1150a0e [0064.869] GetTickCount () returned 0x1150a0e [0064.869] GetTickCount () returned 0x1150a0e [0064.869] GetTickCount () returned 0x1150a0e [0064.869] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.870] GetProcessHeap () returned 0x3a00000 [0064.870] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.870] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.894] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.894] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.895] GetProcessHeap () returned 0x3a00000 [0064.895] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.895] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.895] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.895] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.895] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.896] CloseHandle (hObject=0x42c) returned 1 [0064.898] GetProcessHeap () returned 0x3a00000 [0064.898] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.898] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 97 [0064.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.898] GetProcessHeap () returned 0x3a00000 [0064.898] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.898] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0064.899] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Windows") returned -1 [0064.899] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.899] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.899] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Program Files") returned -1 [0064.899] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.899] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 84 [0064.899] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.899] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.899] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="taridd") returned -1 [0064.899] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.899] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.899] GetTickCount () returned 0x1150a2e [0064.899] GetTickCount () returned 0x1150a2e [0064.899] GetTickCount () returned 0x1150a2e [0064.899] GetTickCount () returned 0x1150a2e [0064.899] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.899] GetProcessHeap () returned 0x3a00000 [0064.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.899] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.901] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.901] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.901] GetProcessHeap () returned 0x3a00000 [0064.901] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.901] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.901] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.902] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.902] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.902] CloseHandle (hObject=0x42c) returned 1 [0064.904] GetProcessHeap () returned 0x3a00000 [0064.904] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.904] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 103 [0064.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.905] GetProcessHeap () returned 0x3a00000 [0064.905] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.905] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0064.905] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Windows") returned -1 [0064.905] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="$Recycle.bin") returned 1 [0064.905] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="System Volume Information") returned -1 [0064.905] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Program Files") returned -1 [0064.905] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="Program Files (x86)") returned -1 [0064.905] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 82 [0064.905] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpSrch=".ebal") returned 0x0 [0064.905] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.905] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="taridd") returned -1 [0064.905] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.905] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.906] GetTickCount () returned 0x1150a2e [0064.906] GetTickCount () returned 0x1150a2e [0064.906] GetTickCount () returned 0x1150a2e [0064.906] GetTickCount () returned 0x1150a2e [0064.906] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.906] GetProcessHeap () returned 0x3a00000 [0064.906] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.906] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.908] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.908] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.908] GetProcessHeap () returned 0x3a00000 [0064.908] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.908] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.908] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.908] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.908] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.909] CloseHandle (hObject=0x42c) returned 1 [0064.911] GetProcessHeap () returned 0x3a00000 [0064.911] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.911] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx_r00t_{8ew5f6}.ebal") returned 101 [0064.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.911] GetProcessHeap () returned 0x3a00000 [0064.911] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.911] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0064.911] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Windows") returned -1 [0064.911] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.912] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.912] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Program Files") returned -1 [0064.912] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.912] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 88 [0064.912] StrStrIW (lpFirst="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.912] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.912] lstrcmpW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="taridd") returned -1 [0064.912] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.912] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.912] GetTickCount () returned 0x1150a3d [0064.912] GetTickCount () returned 0x1150a3d [0064.912] GetTickCount () returned 0x1150a3d [0064.912] GetTickCount () returned 0x1150a3d [0064.913] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.913] GetProcessHeap () returned 0x3a00000 [0064.913] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a67250 [0064.913] ReadFile (in: hFile=0x42c, lpBuffer=0x3a67250, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.914] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.914] WriteFile (in: hFile=0x42c, lpBuffer=0x3a67250*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a67250*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.915] GetProcessHeap () returned 0x3a00000 [0064.915] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a67250 | out: hHeap=0x3a00000) returned 1 [0064.915] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.915] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.915] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.915] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.915] CloseHandle (hObject=0x42c) returned 1 [0064.917] GetProcessHeap () returned 0x3a00000 [0064.917] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.917] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 107 [0064.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.919] GetProcessHeap () returned 0x3a00000 [0064.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.919] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0064.919] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Windows") returned -1 [0064.919] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.919] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.919] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Program Files") returned -1 [0064.919] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.919] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 54 [0064.919] StrStrIW (lpFirst="Microsoft-Windows-TWinUI%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.919] lstrcmpW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.919] lstrcmpW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="taridd") returned -1 [0064.919] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.919] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.919] GetTickCount () returned 0x1150a3d [0064.919] GetTickCount () returned 0x1150a3d [0064.919] GetTickCount () returned 0x1150a3d [0064.919] GetTickCount () returned 0x1150a3d [0064.919] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.919] GetProcessHeap () returned 0x3a00000 [0064.919] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0064.919] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.922] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.923] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.923] GetProcessHeap () returned 0x3a00000 [0064.923] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0064.923] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.923] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.923] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.923] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.923] CloseHandle (hObject=0x42c) returned 1 [0064.925] GetProcessHeap () returned 0x3a00000 [0064.925] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.925] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 73 [0064.925] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.926] GetProcessHeap () returned 0x3a00000 [0064.926] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.926] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0064.926] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Windows") returned -1 [0064.926] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0064.926] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="System Volume Information") returned -1 [0064.926] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Program Files") returned -1 [0064.926] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0064.926] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 68 [0064.926] StrStrIW (lpFirst="Microsoft-Windows-User Profile Service%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0064.926] lstrcmpW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.926] lstrcmpW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="taridd") returned -1 [0064.927] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.927] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.927] GetTickCount () returned 0x1150a4d [0064.927] GetTickCount () returned 0x1150a4d [0064.927] GetTickCount () returned 0x1150a4d [0064.927] GetTickCount () returned 0x1150a4d [0064.927] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.927] GetProcessHeap () returned 0x3a00000 [0064.927] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0064.927] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.929] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0064.929] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0064.929] GetProcessHeap () returned 0x3a00000 [0064.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0064.929] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.929] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0064.930] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0064.930] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0064.930] CloseHandle (hObject=0x42c) returned 1 [0064.932] GetProcessHeap () returned 0x3a00000 [0064.932] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0064.932] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 87 [0064.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0064.932] GetProcessHeap () returned 0x3a00000 [0064.932] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0064.932] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0064.932] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Windows") returned -1 [0064.932] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="$Recycle.bin") returned 1 [0064.932] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="System Volume Information") returned -1 [0064.932] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Program Files") returned -1 [0064.932] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="Program Files (x86)") returned -1 [0064.932] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 56 [0064.933] StrStrIW (lpFirst="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpSrch=".ebal") returned 0x0 [0064.933] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0064.933] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="taridd") returned -1 [0064.933] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0064.933] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0064.933] GetTickCount () returned 0x1150a4d [0064.933] GetTickCount () returned 0x1150a4d [0064.933] GetTickCount () returned 0x1150a4d [0064.933] GetTickCount () returned 0x1150a4d [0064.933] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0064.933] GetProcessHeap () returned 0x3a00000 [0064.933] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0064.933] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.063] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.063] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.063] GetProcessHeap () returned 0x3a00000 [0065.063] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.063] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.063] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.063] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.063] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.064] CloseHandle (hObject=0x42c) returned 1 [0065.066] GetProcessHeap () returned 0x3a00000 [0065.066] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.066] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx_r00t_{8ew5f6}.ebal") returned 75 [0065.066] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.067] GetProcessHeap () returned 0x3a00000 [0065.067] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.067] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0065.067] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Windows") returned -1 [0065.067] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="$Recycle.bin") returned 1 [0065.067] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="System Volume Information") returned -1 [0065.067] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Program Files") returned -1 [0065.067] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="Program Files (x86)") returned -1 [0065.067] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 57 [0065.067] StrStrIW (lpFirst="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpSrch=".ebal") returned 0x0 [0065.067] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.067] lstrcmpW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="taridd") returned -1 [0065.067] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.067] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.067] GetTickCount () returned 0x1150ada [0065.067] GetTickCount () returned 0x1150ada [0065.067] GetTickCount () returned 0x1150ada [0065.067] GetTickCount () returned 0x1150ada [0065.068] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.068] GetProcessHeap () returned 0x3a00000 [0065.068] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.068] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.070] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.070] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.070] GetProcessHeap () returned 0x3a00000 [0065.070] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.070] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.070] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.070] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.070] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.070] CloseHandle (hObject=0x42c) returned 1 [0065.072] GetProcessHeap () returned 0x3a00000 [0065.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.072] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx_r00t_{8ew5f6}.ebal") returned 76 [0065.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.073] GetProcessHeap () returned 0x3a00000 [0065.073] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.073] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0065.073] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Windows") returned -1 [0065.073] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.073] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.073] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Program Files") returned -1 [0065.073] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.073] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 69 [0065.073] StrStrIW (lpFirst="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0065.073] lstrcmpW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.073] lstrcmpW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="taridd") returned -1 [0065.073] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.073] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.074] GetTickCount () returned 0x1150ada [0065.074] GetTickCount () returned 0x1150ada [0065.074] GetTickCount () returned 0x1150ada [0065.074] GetTickCount () returned 0x1150ada [0065.074] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.074] GetProcessHeap () returned 0x3a00000 [0065.074] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.074] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.076] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.076] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.076] GetProcessHeap () returned 0x3a00000 [0065.076] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.076] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.076] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.077] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.077] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.077] CloseHandle (hObject=0x42c) returned 1 [0065.079] GetProcessHeap () returned 0x3a00000 [0065.079] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.079] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 88 [0065.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.080] GetProcessHeap () returned 0x3a00000 [0065.080] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.080] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0065.080] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Windows") returned -1 [0065.080] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.080] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.080] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Program Files") returned -1 [0065.080] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.080] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 54 [0065.080] StrStrIW (lpFirst="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0065.080] lstrcmpW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.080] lstrcmpW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="taridd") returned -1 [0065.080] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.080] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.080] GetTickCount () returned 0x1150ada [0065.080] GetTickCount () returned 0x1150ada [0065.080] GetTickCount () returned 0x1150ada [0065.080] GetTickCount () returned 0x1150ada [0065.080] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.080] GetProcessHeap () returned 0x3a00000 [0065.080] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.081] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.082] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.083] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.083] GetProcessHeap () returned 0x3a00000 [0065.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.083] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.083] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.083] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.083] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.083] CloseHandle (hObject=0x42c) returned 1 [0065.085] GetProcessHeap () returned 0x3a00000 [0065.085] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.085] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 73 [0065.085] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.086] GetProcessHeap () returned 0x3a00000 [0065.086] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.086] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0065.086] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Windows") returned -1 [0065.086] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.086] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.086] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Program Files") returned -1 [0065.086] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.086] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 64 [0065.086] StrStrIW (lpFirst="Microsoft-Windows-Windows Defender%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0065.086] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.086] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="taridd") returned -1 [0065.086] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.086] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.086] GetTickCount () returned 0x1150ae9 [0065.087] GetTickCount () returned 0x1150ae9 [0065.087] GetTickCount () returned 0x1150ae9 [0065.087] GetTickCount () returned 0x1150ae9 [0065.087] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.087] GetProcessHeap () returned 0x3a00000 [0065.087] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.087] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.089] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.089] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.089] GetProcessHeap () returned 0x3a00000 [0065.089] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.089] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.089] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.089] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.089] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.089] CloseHandle (hObject=0x42c) returned 1 [0065.091] GetProcessHeap () returned 0x3a00000 [0065.092] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.092] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 83 [0065.092] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.092] GetProcessHeap () returned 0x3a00000 [0065.092] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.092] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0065.092] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Windows") returned -1 [0065.092] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="$Recycle.bin") returned 1 [0065.092] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="System Volume Information") returned -1 [0065.092] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Program Files") returned -1 [0065.092] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="Program Files (x86)") returned -1 [0065.092] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 56 [0065.092] StrStrIW (lpFirst="Microsoft-Windows-Windows Defender%4WHC.evtx", lpSrch=".ebal") returned 0x0 [0065.092] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.092] lstrcmpW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="taridd") returned -1 [0065.092] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.093] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.093] GetTickCount () returned 0x1150ae9 [0065.093] GetTickCount () returned 0x1150ae9 [0065.093] GetTickCount () returned 0x1150ae9 [0065.093] GetTickCount () returned 0x1150ae9 [0065.093] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.093] GetProcessHeap () returned 0x3a00000 [0065.093] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.093] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.095] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.095] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.095] GetProcessHeap () returned 0x3a00000 [0065.095] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.095] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.095] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.095] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.096] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.096] CloseHandle (hObject=0x42c) returned 1 [0065.103] GetProcessHeap () returned 0x3a00000 [0065.103] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.104] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx_r00t_{8ew5f6}.ebal") returned 75 [0065.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.105] GetProcessHeap () returned 0x3a00000 [0065.105] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.105] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0065.105] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Windows") returned -1 [0065.105] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="$Recycle.bin") returned 1 [0065.105] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="System Volume Information") returned -1 [0065.105] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Program Files") returned -1 [0065.105] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="Program Files (x86)") returned -1 [0065.105] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 94 [0065.105] StrStrIW (lpFirst="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpSrch=".ebal") returned 0x0 [0065.105] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.105] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="taridd") returned -1 [0065.105] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.105] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.105] GetTickCount () returned 0x1150af9 [0065.105] GetTickCount () returned 0x1150af9 [0065.105] GetTickCount () returned 0x1150af9 [0065.105] GetTickCount () returned 0x1150af9 [0065.105] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.106] GetProcessHeap () returned 0x3a00000 [0065.106] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.106] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.117] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.117] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.118] GetProcessHeap () returned 0x3a00000 [0065.118] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.118] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.118] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.118] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.118] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.118] CloseHandle (hObject=0x42c) returned 1 [0065.121] GetProcessHeap () returned 0x3a00000 [0065.121] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.121] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx_r00t_{8ew5f6}.ebal") returned 113 [0065.121] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.122] GetProcessHeap () returned 0x3a00000 [0065.122] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.122] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0065.122] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Windows") returned -1 [0065.122] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="$Recycle.bin") returned 1 [0065.122] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="System Volume Information") returned -1 [0065.122] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Program Files") returned -1 [0065.122] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="Program Files (x86)") returned -1 [0065.122] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 84 [0065.122] StrStrIW (lpFirst="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpSrch=".ebal") returned 0x0 [0065.122] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.122] lstrcmpW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="taridd") returned -1 [0065.122] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.122] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.123] GetTickCount () returned 0x1150b08 [0065.123] GetTickCount () returned 0x1150b08 [0065.123] GetTickCount () returned 0x1150b08 [0065.123] GetTickCount () returned 0x1150b08 [0065.123] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.123] GetProcessHeap () returned 0x3a00000 [0065.123] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.123] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.126] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.126] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.126] GetProcessHeap () returned 0x3a00000 [0065.126] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.126] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.126] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.128] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.128] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.128] CloseHandle (hObject=0x42c) returned 1 [0065.156] GetProcessHeap () returned 0x3a00000 [0065.156] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.156] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx_r00t_{8ew5f6}.ebal") returned 103 [0065.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.157] GetProcessHeap () returned 0x3a00000 [0065.157] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.157] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0065.157] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Windows") returned -1 [0065.157] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="$Recycle.bin") returned 1 [0065.157] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="System Volume Information") returned -1 [0065.157] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Program Files") returned -1 [0065.157] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="Program Files (x86)") returned -1 [0065.157] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 69 [0065.157] StrStrIW (lpFirst="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpSrch=".ebal") returned 0x0 [0065.157] lstrcmpW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.157] lstrcmpW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="taridd") returned -1 [0065.157] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.157] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.157] GetTickCount () returned 0x1150b28 [0065.157] GetTickCount () returned 0x1150b28 [0065.157] GetTickCount () returned 0x1150b28 [0065.157] GetTickCount () returned 0x1150b28 [0065.157] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.158] GetProcessHeap () returned 0x3a00000 [0065.158] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.158] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.178] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.178] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.178] GetProcessHeap () returned 0x3a00000 [0065.178] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.178] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.178] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.179] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.179] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.179] CloseHandle (hObject=0x42c) returned 1 [0065.181] GetProcessHeap () returned 0x3a00000 [0065.181] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.181] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx_r00t_{8ew5f6}.ebal") returned 88 [0065.181] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.182] GetProcessHeap () returned 0x3a00000 [0065.182] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.182] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0065.182] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Windows") returned -1 [0065.182] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.182] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.182] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Program Files") returned -1 [0065.182] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.182] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 56 [0065.182] StrStrIW (lpFirst="Microsoft-Windows-Winlogon%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0065.182] lstrcmpW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.182] lstrcmpW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="taridd") returned -1 [0065.182] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.182] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.183] GetTickCount () returned 0x1150b47 [0065.183] GetTickCount () returned 0x1150b47 [0065.183] GetTickCount () returned 0x1150b47 [0065.183] GetTickCount () returned 0x1150b47 [0065.183] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.183] GetProcessHeap () returned 0x3a00000 [0065.183] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.183] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.185] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.185] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.185] GetProcessHeap () returned 0x3a00000 [0065.185] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.185] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.185] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.185] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.186] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.186] CloseHandle (hObject=0x42c) returned 1 [0065.188] GetProcessHeap () returned 0x3a00000 [0065.188] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.188] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 75 [0065.188] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.188] GetProcessHeap () returned 0x3a00000 [0065.188] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.188] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0065.188] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Windows") returned -1 [0065.188] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="$Recycle.bin") returned 1 [0065.188] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="System Volume Information") returned -1 [0065.188] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Program Files") returned -1 [0065.188] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="Program Files (x86)") returned -1 [0065.188] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 60 [0065.188] StrStrIW (lpFirst="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpSrch=".ebal") returned 0x0 [0065.189] lstrcmpW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.189] lstrcmpW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="taridd") returned -1 [0065.189] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.189] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.189] GetTickCount () returned 0x1150b47 [0065.189] GetTickCount () returned 0x1150b47 [0065.189] GetTickCount () returned 0x1150b47 [0065.189] GetTickCount () returned 0x1150b47 [0065.189] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.189] GetProcessHeap () returned 0x3a00000 [0065.189] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.189] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.191] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.191] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.191] GetProcessHeap () returned 0x3a00000 [0065.191] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.191] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.191] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.194] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.194] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.194] CloseHandle (hObject=0x42c) returned 1 [0065.220] GetProcessHeap () returned 0x3a00000 [0065.220] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.220] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx_r00t_{8ew5f6}.ebal") returned 79 [0065.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.221] GetProcessHeap () returned 0x3a00000 [0065.221] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.221] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0065.221] lstrcmpiW (lpString1="Security.evtx", lpString2="Windows") returned -1 [0065.221] lstrcmpiW (lpString1="Security.evtx", lpString2="$Recycle.bin") returned 1 [0065.221] lstrcmpiW (lpString1="Security.evtx", lpString2="System Volume Information") returned -1 [0065.221] lstrcmpiW (lpString1="Security.evtx", lpString2="Program Files") returned 1 [0065.221] lstrcmpiW (lpString1="Security.evtx", lpString2="Program Files (x86)") returned 1 [0065.221] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Security.evtx") returned 25 [0065.221] StrStrIW (lpFirst="Security.evtx", lpSrch=".ebal") returned 0x0 [0065.221] lstrcmpW (lpString1="Security.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.221] lstrcmpW (lpString1="Security.evtx", lpString2="taridd") returned -1 [0065.221] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Security.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.221] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.221] GetTickCount () returned 0x1150b66 [0065.221] GetTickCount () returned 0x1150b66 [0065.221] GetTickCount () returned 0x1150b66 [0065.221] GetTickCount () returned 0x1150b66 [0065.222] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.222] GetProcessHeap () returned 0x3a00000 [0065.222] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.222] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.232] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.232] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.233] GetProcessHeap () returned 0x3a00000 [0065.233] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.233] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.233] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.235] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.235] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.235] CloseHandle (hObject=0x42c) returned 1 [0065.235] GetProcessHeap () returned 0x3a00000 [0065.235] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.235] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Security.evtx_r00t_{8ew5f6}.ebal") returned 44 [0065.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Security.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\security.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.236] GetProcessHeap () returned 0x3a00000 [0065.236] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.236] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0065.236] lstrcmpiW (lpString1="Setup.evtx", lpString2="Windows") returned -1 [0065.236] lstrcmpiW (lpString1="Setup.evtx", lpString2="$Recycle.bin") returned 1 [0065.236] lstrcmpiW (lpString1="Setup.evtx", lpString2="System Volume Information") returned -1 [0065.236] lstrcmpiW (lpString1="Setup.evtx", lpString2="Program Files") returned 1 [0065.236] lstrcmpiW (lpString1="Setup.evtx", lpString2="Program Files (x86)") returned 1 [0065.236] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Setup.evtx") returned 22 [0065.236] StrStrIW (lpFirst="Setup.evtx", lpSrch=".ebal") returned 0x0 [0065.236] lstrcmpW (lpString1="Setup.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.236] lstrcmpW (lpString1="Setup.evtx", lpString2="taridd") returned -1 [0065.236] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Setup.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.236] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.237] GetTickCount () returned 0x1150b76 [0065.237] GetTickCount () returned 0x1150b76 [0065.237] GetTickCount () returned 0x1150b76 [0065.237] GetTickCount () returned 0x1150b76 [0065.237] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.237] GetProcessHeap () returned 0x3a00000 [0065.237] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.237] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.239] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.239] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.239] GetProcessHeap () returned 0x3a00000 [0065.239] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.239] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.239] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.239] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.240] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.240] CloseHandle (hObject=0x42c) returned 1 [0065.240] GetProcessHeap () returned 0x3a00000 [0065.240] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.240] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Setup.evtx_r00t_{8ew5f6}.ebal") returned 41 [0065.240] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Setup.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\setup.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.240] GetProcessHeap () returned 0x3a00000 [0065.240] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.240] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0065.240] lstrcmpiW (lpString1="System.evtx", lpString2="Windows") returned -1 [0065.240] lstrcmpiW (lpString1="System.evtx", lpString2="$Recycle.bin") returned 1 [0065.240] lstrcmpiW (lpString1="System.evtx", lpString2="System Volume Information") returned 1 [0065.240] lstrcmpiW (lpString1="System.evtx", lpString2="Program Files") returned 1 [0065.241] lstrcmpiW (lpString1="System.evtx", lpString2="Program Files (x86)") returned 1 [0065.241] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\System.evtx") returned 23 [0065.241] StrStrIW (lpFirst="System.evtx", lpSrch=".ebal") returned 0x0 [0065.241] lstrcmpW (lpString1="System.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.241] lstrcmpW (lpString1="System.evtx", lpString2="taridd") returned -1 [0065.241] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\System.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.241] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.241] GetTickCount () returned 0x1150b85 [0065.241] GetTickCount () returned 0x1150b85 [0065.242] GetTickCount () returned 0x1150b85 [0065.242] GetTickCount () returned 0x1150b85 [0065.242] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.242] GetProcessHeap () returned 0x3a00000 [0065.242] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.242] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.244] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.244] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.244] GetProcessHeap () returned 0x3a00000 [0065.244] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.244] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.244] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.246] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.246] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.246] CloseHandle (hObject=0x42c) returned 1 [0065.246] GetProcessHeap () returned 0x3a00000 [0065.247] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.247] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\System.evtx_r00t_{8ew5f6}.ebal") returned 42 [0065.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\System.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\system.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.247] GetProcessHeap () returned 0x3a00000 [0065.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.247] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0065.247] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Windows") returned 1 [0065.247] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="$Recycle.bin") returned 1 [0065.247] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="System Volume Information") returned 1 [0065.247] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Program Files") returned 1 [0065.247] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="Program Files (x86)") returned 1 [0065.247] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\Windows PowerShell.evtx") returned 35 [0065.247] StrStrIW (lpFirst="Windows PowerShell.evtx", lpSrch=".ebal") returned 0x0 [0065.247] lstrcmpW (lpString1="Windows PowerShell.evtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.247] lstrcmpW (lpString1="Windows PowerShell.evtx", lpString2="taridd") returned 1 [0065.247] StrCmpNW (lpStr1="\\\\?\\C:\\Logs\\Windows PowerShell.evtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.248] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.248] GetTickCount () returned 0x1150b85 [0065.248] GetTickCount () returned 0x1150b85 [0065.248] GetTickCount () returned 0x1150b85 [0065.248] GetTickCount () returned 0x1150b85 [0065.248] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0065.248] GetProcessHeap () returned 0x3a00000 [0065.248] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0065.248] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.250] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.250] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x2800, lpOverlapped=0x0) returned 1 [0065.250] GetProcessHeap () returned 0x3a00000 [0065.250] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0065.250] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.250] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0065.251] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0065.251] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0065.251] CloseHandle (hObject=0x42c) returned 1 [0065.251] GetProcessHeap () returned 0x3a00000 [0065.251] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.251] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Logs\\Windows PowerShell.evtx_r00t_{8ew5f6}.ebal") returned 54 [0065.251] MoveFileW (lpExistingFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="\\\\?\\C:\\Logs\\Windows PowerShell.evtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\logs\\windows powershell.evtx_r00t_{8ew5f6}.ebal")) returned 1 [0065.252] GetProcessHeap () returned 0x3a00000 [0065.252] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.252] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0065.252] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0065.252] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 43 [0065.252] CreateFileW (lpFileName="\\\\?\\C:\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.252] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0065.253] CloseHandle (hObject=0x428) returned 1 [0065.253] GetProcessHeap () returned 0x3a00000 [0065.253] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0065.253] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0065.253] lstrcmpiW (lpString1="pagefile.sys", lpString2="Windows") returned -1 [0065.253] lstrcmpiW (lpString1="pagefile.sys", lpString2="$Recycle.bin") returned 1 [0065.253] lstrcmpiW (lpString1="pagefile.sys", lpString2="System Volume Information") returned -1 [0065.253] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files") returned -1 [0065.253] lstrcmpiW (lpString1="pagefile.sys", lpString2="Program Files (x86)") returned -1 [0065.253] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\pagefile.sys") returned 19 [0065.254] StrStrIW (lpFirst="pagefile.sys", lpSrch=".ebal") returned 0x0 [0065.254] lstrcmpW (lpString1="pagefile.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.254] lstrcmpW (lpString1="pagefile.sys", lpString2="taridd") returned -1 [0065.254] StrCmpNW (lpStr1="\\\\?\\C:\\pagefile.sys", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.254] CreateFileW (lpFileName="\\\\?\\C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.254] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0065.254] lstrcmpiW (lpString1="PerfLogs", lpString2="Windows") returned -1 [0065.254] lstrcmpiW (lpString1="PerfLogs", lpString2="$Recycle.bin") returned 1 [0065.254] lstrcmpiW (lpString1="PerfLogs", lpString2="System Volume Information") returned -1 [0065.254] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files") returned -1 [0065.254] lstrcmpiW (lpString1="PerfLogs", lpString2="Program Files (x86)") returned -1 [0065.254] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs") returned 15 [0065.254] lstrcmpW (lpString1="PerfLogs", lpString2=".") returned 1 [0065.254] lstrcmpW (lpString1="PerfLogs", lpString2="..") returned 1 [0065.254] lstrcmpW (lpString1="\\\\?\\C:\\PerfLogs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.254] GetProcessHeap () returned 0x3a00000 [0065.254] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0065.254] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\PerfLogs\\*") returned 17 [0065.254] FindFirstFileW (in: lpFileName="\\\\?\\C:\\PerfLogs\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0065.255] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.255] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.255] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.255] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.255] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.255] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\.") returned 17 [0065.255] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.255] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.256] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.256] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.256] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\..") returned 18 [0065.256] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.256] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.256] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.256] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0065.256] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 47 [0065.256] CreateFileW (lpFileName="\\\\?\\C:\\PerfLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\perflogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0065.268] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0065.268] CloseHandle (hObject=0x428) returned 1 [0065.269] GetProcessHeap () returned 0x3a00000 [0065.269] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0065.269] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd2e344f5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xd2e344f5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0065.269] lstrcmpiW (lpString1="Program Files", lpString2="Windows") returned -1 [0065.269] lstrcmpiW (lpString1="Program Files", lpString2="$Recycle.bin") returned 1 [0065.269] lstrcmpiW (lpString1="Program Files", lpString2="System Volume Information") returned -1 [0065.269] lstrcmpiW (lpString1="Program Files", lpString2="Program Files") returned 0 [0065.269] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7511354, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe7511354, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0065.269] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Windows") returned -1 [0065.269] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$Recycle.bin") returned 1 [0065.269] lstrcmpiW (lpString1="Program Files (x86)", lpString2="System Volume Information") returned -1 [0065.269] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files") returned 1 [0065.269] lstrcmpiW (lpString1="Program Files (x86)", lpString2="Program Files (x86)") returned 0 [0065.269] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0065.269] lstrcmpiW (lpString1="ProgramData", lpString2="Windows") returned -1 [0065.269] lstrcmpiW (lpString1="ProgramData", lpString2="$Recycle.bin") returned 1 [0065.269] lstrcmpiW (lpString1="ProgramData", lpString2="System Volume Information") returned -1 [0065.269] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files") returned 1 [0065.269] lstrcmpiW (lpString1="ProgramData", lpString2="Program Files (x86)") returned 1 [0065.269] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData") returned 18 [0065.269] lstrcmpW (lpString1="ProgramData", lpString2=".") returned 1 [0065.269] lstrcmpW (lpString1="ProgramData", lpString2="..") returned 1 [0065.269] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.269] GetProcessHeap () returned 0x3a00000 [0065.269] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0065.269] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\*") returned 20 [0065.269] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0065.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.274] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.274] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\.") returned 20 [0065.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.274] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0065.274] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.274] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0065.274] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\." (normalized: "c:\\programdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.275] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.275] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\..") returned 21 [0065.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.275] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0065.275] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.275] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0065.275] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.275] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0065.275] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0065.275] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0065.275] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0065.275] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0065.275] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0065.275] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe") returned 24 [0065.275] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0065.275] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0065.275] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.275] GetProcessHeap () returned 0x3a00000 [0065.276] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.276] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\*") returned 26 [0065.276] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0065.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.276] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\.") returned 26 [0065.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.276] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.276] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.276] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.276] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\..") returned 27 [0065.276] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.276] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 1 [0065.276] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0065.276] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0065.277] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0065.277] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0065.277] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0065.277] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM") returned 28 [0065.277] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0065.277] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0065.277] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.277] GetProcessHeap () returned 0x3a00000 [0065.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0065.277] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*") returned 30 [0065.277] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0065.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.279] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\.") returned 30 [0065.279] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.279] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.279] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.279] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.279] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.279] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.279] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.279] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\..") returned 31 [0065.279] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.279] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.279] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.007.20033", cAlternateFileName="READER~1.200")) returned 1 [0065.279] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Windows") returned -1 [0065.279] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="$Recycle.bin") returned 1 [0065.279] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="System Volume Information") returned -1 [0065.279] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files") returned 1 [0065.279] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files (x86)") returned 1 [0065.279] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033") returned 48 [0065.279] lstrcmpW (lpString1="Reader_15.007.20033", lpString2=".") returned 1 [0065.279] lstrcmpW (lpString1="Reader_15.007.20033", lpString2="..") returned 1 [0065.279] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.279] GetProcessHeap () returned 0x3a00000 [0065.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.279] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*") returned 50 [0065.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0065.281] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.281] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.281] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.281] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\.") returned 50 [0065.281] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.281] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.281] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.281] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.281] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\..") returned 51 [0065.281] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.281] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.281] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.281] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0065.281] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0065.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_15.007.20033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.282] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.283] CloseHandle (hObject=0x434) returned 1 [0065.283] GetProcessHeap () returned 0x3a00000 [0065.283] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.283] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xa7140105, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.023.20070", cAlternateFileName="READER~2.200")) returned 1 [0065.283] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Windows") returned -1 [0065.283] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="$Recycle.bin") returned 1 [0065.283] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="System Volume Information") returned -1 [0065.283] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files") returned 1 [0065.284] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files (x86)") returned 1 [0065.284] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070") returned 48 [0065.284] lstrcmpW (lpString1="Reader_15.023.20070", lpString2=".") returned 1 [0065.284] lstrcmpW (lpString1="Reader_15.023.20070", lpString2="..") returned 1 [0065.284] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.284] GetProcessHeap () returned 0x3a00000 [0065.284] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.284] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*") returned 50 [0065.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0065.284] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.284] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.284] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.284] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.284] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.284] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\.") returned 50 [0065.284] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.284] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.284] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.284] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.284] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.284] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.284] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.284] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\..") returned 51 [0065.285] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.285] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.285] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.285] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0065.285] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0065.285] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\reader_15.023.20070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.285] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.287] CloseHandle (hObject=0x434) returned 1 [0065.287] GetProcessHeap () returned 0x3a00000 [0065.287] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.287] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 1 [0065.287] lstrcmpiW (lpString1="S", lpString2="Windows") returned -1 [0065.287] lstrcmpiW (lpString1="S", lpString2="$Recycle.bin") returned 1 [0065.287] lstrcmpiW (lpString1="S", lpString2="System Volume Information") returned -1 [0065.287] lstrcmpiW (lpString1="S", lpString2="Program Files") returned 1 [0065.287] lstrcmpiW (lpString1="S", lpString2="Program Files (x86)") returned 1 [0065.287] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S") returned 30 [0065.287] lstrcmpW (lpString1="S", lpString2=".") returned 1 [0065.287] lstrcmpW (lpString1="S", lpString2="..") returned 1 [0065.287] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.287] GetProcessHeap () returned 0x3a00000 [0065.287] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.287] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*") returned 32 [0065.287] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0065.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.288] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\.") returned 32 [0065.288] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.288] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.288] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.288] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.288] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.288] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.288] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.288] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\..") returned 33 [0065.288] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.288] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.288] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.288] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0065.288] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0065.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\s\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.288] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.289] CloseHandle (hObject=0x434) returned 1 [0065.289] GetProcessHeap () returned 0x3a00000 [0065.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.289] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 0 [0065.289] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0065.289] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0065.290] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\arm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0065.292] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0065.293] CloseHandle (hObject=0x430) returned 1 [0065.293] GetProcessHeap () returned 0x3a00000 [0065.293] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0065.293] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 0 [0065.293] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0065.293] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 56 [0065.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\adobe\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.293] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0065.294] CloseHandle (hObject=0x42c) returned 1 [0065.294] GetProcessHeap () returned 0x3a00000 [0065.294] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.294] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0065.294] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0065.295] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0065.295] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0065.295] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0065.295] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0065.295] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data") returned 35 [0065.295] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0065.295] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0065.295] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.295] GetProcessHeap () returned 0x3a00000 [0065.295] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.295] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Application Data\\*") returned 37 [0065.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Application Data\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AR?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0065.295] GetProcessHeap () returned 0x3a00000 [0065.295] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.295] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Comms", cAlternateFileName="")) returned 1 [0065.295] lstrcmpiW (lpString1="Comms", lpString2="Windows") returned -1 [0065.295] lstrcmpiW (lpString1="Comms", lpString2="$Recycle.bin") returned 1 [0065.295] lstrcmpiW (lpString1="Comms", lpString2="System Volume Information") returned -1 [0065.295] lstrcmpiW (lpString1="Comms", lpString2="Program Files") returned -1 [0065.295] lstrcmpiW (lpString1="Comms", lpString2="Program Files (x86)") returned -1 [0065.295] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms") returned 24 [0065.295] lstrcmpW (lpString1="Comms", lpString2=".") returned 1 [0065.295] lstrcmpW (lpString1="Comms", lpString2="..") returned 1 [0065.295] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Comms", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.295] GetProcessHeap () returned 0x3a00000 [0065.295] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.295] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\*") returned 26 [0065.296] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Comms\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0065.296] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.296] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.296] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.296] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.296] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.296] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\.") returned 26 [0065.296] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.296] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.296] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.296] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.296] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.296] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.297] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.297] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\..") returned 27 [0065.297] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.297] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.297] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.297] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0065.297] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 56 [0065.297] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\comms\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0065.297] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0065.298] CloseHandle (hObject=0x42c) returned 1 [0065.298] GetProcessHeap () returned 0x3a00000 [0065.298] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.298] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Desktop", cAlternateFileName="")) returned 1 [0065.299] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0065.299] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0065.299] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0065.299] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0065.299] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0065.299] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop") returned 26 [0065.299] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0065.299] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0065.299] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Desktop", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.299] GetProcessHeap () returned 0x3a00000 [0065.299] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.299] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Desktop\\*") returned 28 [0065.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Desktop\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0065.299] GetProcessHeap () returned 0x3a00000 [0065.299] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.299] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0065.299] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0065.299] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0065.299] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0065.299] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0065.299] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0065.299] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents") returned 28 [0065.299] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0065.299] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0065.299] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.299] GetProcessHeap () returned 0x3a00000 [0065.299] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.299] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Documents\\*") returned 30 [0065.299] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Documents\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0065.300] GetProcessHeap () returned 0x3a00000 [0065.300] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0065.300] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0065.300] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0065.300] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0065.300] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0065.300] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0065.300] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0065.300] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft") returned 28 [0065.300] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0065.300] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0065.300] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.300] GetProcessHeap () returned 0x3a00000 [0065.300] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0065.300] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\*") returned 30 [0065.300] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0065.300] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.300] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.300] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.300] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.300] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.300] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\.") returned 30 [0065.300] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.300] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0065.300] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.300] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0065.300] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.301] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\." (normalized: "c:\\programdata\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.301] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.301] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.301] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.301] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.301] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.301] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.301] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\..") returned 31 [0065.301] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.301] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.301] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0065.301] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.301] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0065.301] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.301] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.301] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppV", cAlternateFileName="")) returned 1 [0065.301] lstrcmpiW (lpString1="AppV", lpString2="Windows") returned -1 [0065.302] lstrcmpiW (lpString1="AppV", lpString2="$Recycle.bin") returned 1 [0065.302] lstrcmpiW (lpString1="AppV", lpString2="System Volume Information") returned -1 [0065.302] lstrcmpiW (lpString1="AppV", lpString2="Program Files") returned -1 [0065.302] lstrcmpiW (lpString1="AppV", lpString2="Program Files (x86)") returned -1 [0065.302] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV") returned 33 [0065.302] lstrcmpW (lpString1="AppV", lpString2=".") returned 1 [0065.302] lstrcmpW (lpString1="AppV", lpString2="..") returned 1 [0065.302] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.302] GetProcessHeap () returned 0x3a00000 [0065.302] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0065.302] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\*") returned 35 [0065.302] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0065.302] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.302] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.302] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.302] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\.") returned 35 [0065.302] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.302] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.302] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.302] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.302] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.302] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.302] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.302] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\..") returned 36 [0065.302] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.302] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.302] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 1 [0065.302] lstrcmpiW (lpString1="Setup", lpString2="Windows") returned -1 [0065.303] lstrcmpiW (lpString1="Setup", lpString2="$Recycle.bin") returned 1 [0065.303] lstrcmpiW (lpString1="Setup", lpString2="System Volume Information") returned -1 [0065.303] lstrcmpiW (lpString1="Setup", lpString2="Program Files") returned 1 [0065.303] lstrcmpiW (lpString1="Setup", lpString2="Program Files (x86)") returned 1 [0065.303] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup") returned 39 [0065.303] lstrcmpW (lpString1="Setup", lpString2=".") returned 1 [0065.303] lstrcmpW (lpString1="Setup", lpString2="..") returned 1 [0065.303] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.303] GetProcessHeap () returned 0x3a00000 [0065.303] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.303] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\*") returned 41 [0065.303] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0065.304] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.304] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.304] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.304] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.304] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.304] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.") returned 41 [0065.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.304] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0065.304] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.304] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0065.304] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\." (normalized: "c:\\programdata\\microsoft\\appv\\setup\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.304] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.304] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.304] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.304] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.304] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.304] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.304] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\..") returned 42 [0065.304] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.304] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.304] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0065.304] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0065.304] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0065.304] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.304] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\.." (normalized: "c:\\programdata\\microsoft\\appv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.305] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 1 [0065.305] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Windows") returned -1 [0065.305] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="$Recycle.bin") returned 1 [0065.305] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="System Volume Information") returned -1 [0065.305] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files") returned -1 [0065.305] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files (x86)") returned -1 [0065.305] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1") returned 60 [0065.305] StrStrIW (lpFirst="OfficeIntegrator.ps1", lpSrch=".ebal") returned 0x0 [0065.305] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.305] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="taridd") returned -1 [0065.305] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.305] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1" (normalized: "c:\\programdata\\microsoft\\appv\\setup\\officeintegrator.ps1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0065.306] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 0 [0065.306] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0065.306] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0065.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\appv\\setup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.307] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.307] CloseHandle (hObject=0x434) returned 1 [0065.308] GetProcessHeap () returned 0x3a00000 [0065.308] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.308] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 0 [0065.308] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0065.308] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0065.308] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\appv\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0065.309] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0065.310] CloseHandle (hObject=0x430) returned 1 [0065.310] GetProcessHeap () returned 0x3a00000 [0065.310] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0065.310] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa011b19, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xfa011b19, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0065.310] lstrcmpiW (lpString1="ClickToRun", lpString2="Windows") returned -1 [0065.310] lstrcmpiW (lpString1="ClickToRun", lpString2="$Recycle.bin") returned 1 [0065.310] lstrcmpiW (lpString1="ClickToRun", lpString2="System Volume Information") returned -1 [0065.310] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files") returned -1 [0065.310] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files (x86)") returned -1 [0065.310] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun") returned 39 [0065.310] lstrcmpW (lpString1="ClickToRun", lpString2=".") returned 1 [0065.310] lstrcmpW (lpString1="ClickToRun", lpString2="..") returned 1 [0065.310] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.310] GetProcessHeap () returned 0x3a00000 [0065.310] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0065.310] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*") returned 41 [0065.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0065.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.311] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\.") returned 41 [0065.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.311] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.311] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.311] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.311] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.311] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.311] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\..") returned 42 [0065.311] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.312] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.312] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", cAlternateFileName="0D0D4E~1")) returned 1 [0065.312] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Windows") returned -1 [0065.312] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="$Recycle.bin") returned 1 [0065.312] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="System Volume Information") returned -1 [0065.312] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files") returned -1 [0065.312] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files (x86)") returned -1 [0065.312] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4") returned 76 [0065.312] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2=".") returned 1 [0065.312] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="..") returned 1 [0065.312] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.312] GetProcessHeap () returned 0x3a00000 [0065.312] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.312] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*") returned 78 [0065.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0065.347] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.347] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.347] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.347] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.347] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.347] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\.") returned 78 [0065.347] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.347] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.347] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.347] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.347] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.347] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.347] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.347] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\..") returned 79 [0065.347] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.348] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0065.348] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0065.348] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0065.348] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0065.348] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0065.348] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0065.348] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16") returned 85 [0065.348] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0065.348] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0065.348] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.348] GetProcessHeap () returned 0x3a00000 [0065.349] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.349] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*") returned 87 [0065.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0065.350] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.350] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.350] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.350] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.350] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.350] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\.") returned 87 [0065.350] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.350] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.350] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.350] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.350] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.350] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.351] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.351] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\..") returned 88 [0065.351] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.351] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.351] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x39768000, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.351] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0065.351] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.351] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0065.351] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0065.351] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.351] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0065.351] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.351] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.351] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0065.351] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescrip", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.351] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.353] GetTickCount () returned 0x1150bf3 [0065.353] GetTickCount () returned 0x1150bf3 [0065.353] GetTickCount () returned 0x1150bf3 [0065.353] GetTickCount () returned 0x1150bf3 [0065.353] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.353] GetProcessHeap () returned 0x3a00000 [0065.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.353] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.355] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.355] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.355] GetProcessHeap () returned 0x3a00000 [0065.355] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.355] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.355] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.356] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.356] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.356] CloseHandle (hObject=0x43c) returned 1 [0065.356] GetProcessHeap () returned 0x3a00000 [0065.356] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.356] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 131 [0065.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\masterdescriptor.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.356] GetProcessHeap () returned 0x3a00000 [0065.356] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.357] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0065.357] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0065.357] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0065.357] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0065.357] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0065.357] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0065.357] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash") returned 98 [0065.357] StrStrIW (lpFirst="s641033.hash", lpSrch=".ebal") returned 0x0 [0065.357] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.357] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0065.357] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.358] GetTickCount () returned 0x1150bf3 [0065.358] GetTickCount () returned 0x1150bf3 [0065.358] GetTickCount () returned 0x1150bf3 [0065.358] GetTickCount () returned 0x1150bf3 [0065.358] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.358] GetProcessHeap () returned 0x3a00000 [0065.358] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.358] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.359] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.359] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.359] GetProcessHeap () returned 0x3a00000 [0065.359] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.359] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.359] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.360] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.360] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.360] CloseHandle (hObject=0x43c) returned 1 [0065.361] GetProcessHeap () returned 0x3a00000 [0065.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.361] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 117 [0065.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.361] GetProcessHeap () returned 0x3a00000 [0065.361] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.361] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.361] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0065.361] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0065.361] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0065.361] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0065.361] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0065.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0065.361] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".ebal") returned 0x0 [0065.361] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.361] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0065.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.362] GetTickCount () returned 0x1150bf3 [0065.362] GetTickCount () returned 0x1150bf3 [0065.362] GetTickCount () returned 0x1150bf3 [0065.362] GetTickCount () returned 0x1150bf3 [0065.362] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.362] GetProcessHeap () returned 0x3a00000 [0065.362] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.362] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.365] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.365] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.365] GetProcessHeap () returned 0x3a00000 [0065.365] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.365] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.365] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.367] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.367] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.367] CloseHandle (hObject=0x43c) returned 1 [0065.367] GetProcessHeap () returned 0x3a00000 [0065.367] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.367] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 129 [0065.367] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.367] GetProcessHeap () returned 0x3a00000 [0065.367] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.367] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.368] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0065.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0065.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.368] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.369] CloseHandle (hObject=0x438) returned 1 [0065.369] GetProcessHeap () returned 0x3a00000 [0065.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.369] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0065.369] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0065.369] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0065.369] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0065.369] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0065.369] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0065.369] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16") returned 86 [0065.369] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0065.369] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0065.369] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.369] GetProcessHeap () returned 0x3a00000 [0065.369] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.369] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*") returned 88 [0065.369] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0065.371] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.371] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.371] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.371] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.371] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\.") returned 88 [0065.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.371] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.371] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.371] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.371] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.371] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.371] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\..") returned 89 [0065.371] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.371] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.371] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a09ff9, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a09ff9, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x37142600, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.371] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0065.371] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.371] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0065.371] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0065.371] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0065.372] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.372] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.372] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0065.372] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescri", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.372] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.372] GetTickCount () returned 0x1150c02 [0065.372] GetTickCount () returned 0x1150c02 [0065.372] GetTickCount () returned 0x1150c02 [0065.372] GetTickCount () returned 0x1150c02 [0065.372] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.372] GetProcessHeap () returned 0x3a00000 [0065.372] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.372] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.374] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.374] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.374] GetProcessHeap () returned 0x3a00000 [0065.375] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.375] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.375] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.375] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.375] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.375] CloseHandle (hObject=0x43c) returned 1 [0065.375] GetProcessHeap () returned 0x3a00000 [0065.375] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.375] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 133 [0065.375] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\masterdescriptor.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.376] GetProcessHeap () returned 0x3a00000 [0065.376] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.376] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0065.376] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0065.376] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0065.376] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0065.376] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0065.376] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0065.376] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash") returned 96 [0065.376] StrStrIW (lpFirst="s640.hash", lpSrch=".ebal") returned 0x0 [0065.376] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.376] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0065.376] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.376] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.377] GetTickCount () returned 0x1150c02 [0065.377] GetTickCount () returned 0x1150c02 [0065.377] GetTickCount () returned 0x1150c02 [0065.377] GetTickCount () returned 0x1150c02 [0065.377] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.377] GetProcessHeap () returned 0x3a00000 [0065.377] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.377] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.378] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.378] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.378] GetProcessHeap () returned 0x3a00000 [0065.378] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.378] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.378] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.379] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.379] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.379] CloseHandle (hObject=0x43c) returned 1 [0065.379] GetProcessHeap () returned 0x3a00000 [0065.380] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.380] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 115 [0065.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.380] GetProcessHeap () returned 0x3a00000 [0065.380] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.380] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.380] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0065.380] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0065.380] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0065.380] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0065.380] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0065.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0065.380] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".ebal") returned 0x0 [0065.380] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.380] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0065.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.381] GetTickCount () returned 0x1150c12 [0065.381] GetTickCount () returned 0x1150c12 [0065.381] GetTickCount () returned 0x1150c12 [0065.381] GetTickCount () returned 0x1150c12 [0065.381] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.381] GetProcessHeap () returned 0x3a00000 [0065.381] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.381] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.383] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.383] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.384] GetProcessHeap () returned 0x3a00000 [0065.384] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.384] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.384] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.386] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.386] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.386] CloseHandle (hObject=0x43c) returned 1 [0065.386] GetProcessHeap () returned 0x3a00000 [0065.386] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.386] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 131 [0065.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.386] GetProcessHeap () returned 0x3a00000 [0065.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.386] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.386] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0065.387] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0065.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.387] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.388] CloseHandle (hObject=0x438) returned 1 [0065.388] GetProcessHeap () returned 0x3a00000 [0065.388] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.388] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a5650a, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0065.388] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0065.388] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0065.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.388] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.389] CloseHandle (hObject=0x434) returned 1 [0065.389] GetProcessHeap () returned 0x3a00000 [0065.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.389] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", cAlternateFileName="19B111~1")) returned 1 [0065.389] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Windows") returned -1 [0065.389] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="$Recycle.bin") returned 1 [0065.389] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="System Volume Information") returned -1 [0065.389] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files") returned -1 [0065.389] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files (x86)") returned -1 [0065.389] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0") returned 76 [0065.389] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2=".") returned 1 [0065.389] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="..") returned 1 [0065.390] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.390] GetProcessHeap () returned 0x3a00000 [0065.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*") returned 78 [0065.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0065.390] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.390] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.390] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.390] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\.") returned 78 [0065.390] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.390] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\..") returned 79 [0065.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.390] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0065.390] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0065.390] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0065.390] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0065.390] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0065.390] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0065.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16") returned 85 [0065.390] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0065.391] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0065.391] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.391] GetProcessHeap () returned 0x3a00000 [0065.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.391] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*") returned 87 [0065.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0065.392] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.392] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.392] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.392] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.392] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.392] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\.") returned 87 [0065.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.392] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.392] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\..") returned 88 [0065.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.392] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x39768000, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.392] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0065.392] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.392] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0065.392] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0065.392] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.392] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0065.392] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.392] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.392] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0065.392] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescrip", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.393] GetTickCount () returned 0x1150c12 [0065.393] GetTickCount () returned 0x1150c12 [0065.393] GetTickCount () returned 0x1150c12 [0065.393] GetTickCount () returned 0x1150c12 [0065.393] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.393] GetProcessHeap () returned 0x3a00000 [0065.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.393] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.398] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.398] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.398] GetProcessHeap () returned 0x3a00000 [0065.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.398] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.398] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.398] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.398] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.398] CloseHandle (hObject=0x43c) returned 1 [0065.399] GetProcessHeap () returned 0x3a00000 [0065.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.399] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 131 [0065.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\masterdescriptor.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.399] GetProcessHeap () returned 0x3a00000 [0065.399] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.399] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0065.399] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0065.399] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0065.399] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0065.399] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0065.399] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0065.399] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash") returned 98 [0065.399] StrStrIW (lpFirst="s641033.hash", lpSrch=".ebal") returned 0x0 [0065.399] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.399] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0065.399] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.400] GetTickCount () returned 0x1150c22 [0065.400] GetTickCount () returned 0x1150c22 [0065.400] GetTickCount () returned 0x1150c22 [0065.400] GetTickCount () returned 0x1150c22 [0065.400] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.400] GetProcessHeap () returned 0x3a00000 [0065.400] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.400] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.401] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.401] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.402] GetProcessHeap () returned 0x3a00000 [0065.402] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.402] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.402] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.402] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.403] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.403] CloseHandle (hObject=0x43c) returned 1 [0065.403] GetProcessHeap () returned 0x3a00000 [0065.403] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.403] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 117 [0065.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.403] GetProcessHeap () returned 0x3a00000 [0065.403] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.403] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.403] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0065.403] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0065.403] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0065.403] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0065.404] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0065.404] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0065.404] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".ebal") returned 0x0 [0065.404] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.404] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0065.404] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.404] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.404] GetTickCount () returned 0x1150c22 [0065.404] GetTickCount () returned 0x1150c22 [0065.404] GetTickCount () returned 0x1150c22 [0065.404] GetTickCount () returned 0x1150c22 [0065.404] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.404] GetProcessHeap () returned 0x3a00000 [0065.404] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.404] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.406] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.407] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.407] GetProcessHeap () returned 0x3a00000 [0065.407] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.407] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.407] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.409] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.409] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.409] CloseHandle (hObject=0x43c) returned 1 [0065.409] GetProcessHeap () returned 0x3a00000 [0065.409] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.409] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 129 [0065.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.409] GetProcessHeap () returned 0x3a00000 [0065.409] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.409] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x3e87ff00, ftLastWriteTime.dwHighDateTime=0x1d0d7ef, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.409] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0065.410] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0065.410] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.411] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.412] CloseHandle (hObject=0x438) returned 1 [0065.412] GetProcessHeap () returned 0x3a00000 [0065.412] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.412] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0065.412] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0065.412] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0065.412] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0065.412] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0065.412] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0065.412] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16") returned 86 [0065.412] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0065.412] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0065.412] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.412] GetProcessHeap () returned 0x3a00000 [0065.412] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.412] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*") returned 88 [0065.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0065.413] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.413] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.413] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.413] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.413] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.413] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\.") returned 88 [0065.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.413] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.413] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.413] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.413] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.413] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.413] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.413] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\..") returned 89 [0065.413] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.413] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.413] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x37142600, ftLastWriteTime.dwHighDateTime=0x1d0d7ee, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.413] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0065.414] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.414] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0065.414] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0065.414] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.414] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0065.414] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.414] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.414] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0065.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescri", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.415] GetTickCount () returned 0x1150c31 [0065.415] GetTickCount () returned 0x1150c31 [0065.415] GetTickCount () returned 0x1150c31 [0065.415] GetTickCount () returned 0x1150c31 [0065.415] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.415] GetProcessHeap () returned 0x3a00000 [0065.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.415] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.417] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.418] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.418] GetProcessHeap () returned 0x3a00000 [0065.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.418] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.418] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.418] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.418] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.418] CloseHandle (hObject=0x43c) returned 1 [0065.418] GetProcessHeap () returned 0x3a00000 [0065.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.418] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 133 [0065.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\masterdescriptor.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.419] GetProcessHeap () returned 0x3a00000 [0065.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.419] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0065.419] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0065.419] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0065.419] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0065.419] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0065.419] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0065.419] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash") returned 96 [0065.419] StrStrIW (lpFirst="s640.hash", lpSrch=".ebal") returned 0x0 [0065.419] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.419] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0065.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.431] GetTickCount () returned 0x1150c41 [0065.431] GetTickCount () returned 0x1150c41 [0065.431] GetTickCount () returned 0x1150c41 [0065.431] GetTickCount () returned 0x1150c41 [0065.431] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.431] GetProcessHeap () returned 0x3a00000 [0065.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.431] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.432] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.432] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.432] GetProcessHeap () returned 0x3a00000 [0065.432] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.432] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.432] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.433] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.433] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.433] CloseHandle (hObject=0x43c) returned 1 [0065.433] GetProcessHeap () returned 0x3a00000 [0065.433] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.433] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 115 [0065.433] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.434] GetProcessHeap () returned 0x3a00000 [0065.434] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.434] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.434] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0065.434] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0065.434] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0065.434] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0065.434] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0065.434] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0065.434] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".ebal") returned 0x0 [0065.434] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.434] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0065.434] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.434] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.434] GetTickCount () returned 0x1150c41 [0065.435] GetTickCount () returned 0x1150c41 [0065.435] GetTickCount () returned 0x1150c41 [0065.435] GetTickCount () returned 0x1150c41 [0065.435] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.435] GetProcessHeap () returned 0x3a00000 [0065.435] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.435] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.437] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.437] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.437] GetProcessHeap () returned 0x3a00000 [0065.437] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.437] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.437] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.439] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.439] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.439] CloseHandle (hObject=0x43c) returned 1 [0065.439] GetProcessHeap () returned 0x3a00000 [0065.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.439] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 131 [0065.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.440] GetProcessHeap () returned 0x3a00000 [0065.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.440] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x6035b600, ftLastWriteTime.dwHighDateTime=0x1d0d7f0, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.440] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0065.440] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0065.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.440] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.441] CloseHandle (hObject=0x438) returned 1 [0065.441] GetProcessHeap () returned 0x3a00000 [0065.441] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.441] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ec13b1, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0065.441] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0065.441] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0065.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.442] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.443] CloseHandle (hObject=0x434) returned 1 [0065.443] GetProcessHeap () returned 0x3a00000 [0065.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.443] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", cAlternateFileName="201EB7~1")) returned 1 [0065.443] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Windows") returned -1 [0065.443] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="$Recycle.bin") returned 1 [0065.443] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="System Volume Information") returned -1 [0065.443] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files") returned -1 [0065.443] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files (x86)") returned -1 [0065.443] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6") returned 76 [0065.443] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2=".") returned 1 [0065.443] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="..") returned 1 [0065.443] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.443] GetProcessHeap () returned 0x3a00000 [0065.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.443] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*") returned 78 [0065.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0065.445] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.445] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.445] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.445] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.445] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.445] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\.") returned 78 [0065.445] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.445] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.445] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.445] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.445] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.445] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.445] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.445] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\..") returned 79 [0065.445] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.445] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.445] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0065.445] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0065.445] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0065.445] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0065.445] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0065.445] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0065.445] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16") returned 85 [0065.445] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0065.446] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0065.446] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.446] GetProcessHeap () returned 0x3a00000 [0065.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.446] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*") returned 87 [0065.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0065.449] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.449] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.449] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.449] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\.") returned 87 [0065.449] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.449] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f9a029, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x82f9a029, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.449] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.449] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.449] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.449] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\..") returned 88 [0065.449] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.449] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.449] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd7b21800, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x564f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.449] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0065.449] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.449] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0065.450] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0065.450] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.450] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml") returned 112 [0065.450] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.450] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.450] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0065.450] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescrip", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.450] GetTickCount () returned 0x1150c51 [0065.450] GetTickCount () returned 0x1150c51 [0065.450] GetTickCount () returned 0x1150c51 [0065.450] GetTickCount () returned 0x1150c51 [0065.450] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.450] GetProcessHeap () returned 0x3a00000 [0065.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.450] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.452] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.452] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.453] GetProcessHeap () returned 0x3a00000 [0065.453] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.453] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.453] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.453] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.453] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.453] CloseHandle (hObject=0x43c) returned 1 [0065.453] GetProcessHeap () returned 0x3a00000 [0065.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.453] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 131 [0065.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\masterdescriptor.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.454] GetProcessHeap () returned 0x3a00000 [0065.454] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.454] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash", cAlternateFileName="S64103~1.HAS")) returned 1 [0065.454] lstrcmpiW (lpString1="s641033.hash", lpString2="Windows") returned -1 [0065.454] lstrcmpiW (lpString1="s641033.hash", lpString2="$Recycle.bin") returned 1 [0065.454] lstrcmpiW (lpString1="s641033.hash", lpString2="System Volume Information") returned -1 [0065.454] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files") returned 1 [0065.454] lstrcmpiW (lpString1="s641033.hash", lpString2="Program Files (x86)") returned 1 [0065.454] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash") returned 98 [0065.454] StrStrIW (lpFirst="s641033.hash", lpSrch=".ebal") returned 0x0 [0065.454] lstrcmpW (lpString1="s641033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.454] lstrcmpW (lpString1="s641033.hash", lpString2="taridd") returned -1 [0065.454] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.454] GetTickCount () returned 0x1150c51 [0065.454] GetTickCount () returned 0x1150c51 [0065.454] GetTickCount () returned 0x1150c51 [0065.454] GetTickCount () returned 0x1150c51 [0065.454] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.454] GetProcessHeap () returned 0x3a00000 [0065.454] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.454] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.455] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.455] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.456] GetProcessHeap () returned 0x3a00000 [0065.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.456] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.456] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.457] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.457] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.457] CloseHandle (hObject=0x43c) returned 1 [0065.457] GetProcessHeap () returned 0x3a00000 [0065.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 117 [0065.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.458] GetProcessHeap () returned 0x3a00000 [0065.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.458] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcc39700, ftLastWriteTime.dwHighDateTime=0x1d0d7e6, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.458] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Windows") returned -1 [0065.458] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0065.458] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="System Volume Information") returned -1 [0065.458] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files") returned 1 [0065.458] lstrcmpiW (lpString1="stream.x64.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0065.458] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat") returned 110 [0065.458] StrStrIW (lpFirst="stream.x64.en-us.man.dat", lpSrch=".ebal") returned 0x0 [0065.458] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.458] lstrcmpW (lpString1="stream.x64.en-us.man.dat", lpString2="taridd") returned -1 [0065.458] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.458] GetTickCount () returned 0x1150c60 [0065.458] GetTickCount () returned 0x1150c60 [0065.458] GetTickCount () returned 0x1150c60 [0065.458] GetTickCount () returned 0x1150c60 [0065.458] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.458] GetProcessHeap () returned 0x3a00000 [0065.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.458] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.462] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.462] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.462] GetProcessHeap () returned 0x3a00000 [0065.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.462] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.462] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.465] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.465] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.465] CloseHandle (hObject=0x43c) returned 1 [0065.465] GetProcessHeap () returned 0x3a00000 [0065.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.465] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 129 [0065.465] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.465] GetProcessHeap () returned 0x3a00000 [0065.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.465] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcc39700, ftLastWriteTime.dwHighDateTime=0x1d0d7e6, nFileSizeHigh=0x0, nFileSizeLow=0xd77c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.465] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0065.466] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0065.466] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.467] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.467] CloseHandle (hObject=0x438) returned 1 [0065.467] GetProcessHeap () returned 0x3a00000 [0065.468] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.468] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0065.468] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0065.468] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0065.468] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0065.468] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0065.468] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0065.468] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16") returned 86 [0065.468] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0065.468] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0065.468] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.468] GetProcessHeap () returned 0x3a00000 [0065.468] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.468] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*") returned 88 [0065.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0065.471] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.471] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.471] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.471] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.471] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\.") returned 88 [0065.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.471] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.471] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\..") returned 89 [0065.471] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.471] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.471] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd54fbe00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x5211, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.471] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0065.471] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.471] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0065.471] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0065.471] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.471] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml") returned 114 [0065.471] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.471] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.471] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0065.471] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescri", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.472] GetTickCount () returned 0x1150c60 [0065.472] GetTickCount () returned 0x1150c60 [0065.472] GetTickCount () returned 0x1150c60 [0065.472] GetTickCount () returned 0x1150c60 [0065.472] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.472] GetProcessHeap () returned 0x3a00000 [0065.472] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.472] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.479] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.479] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.479] GetProcessHeap () returned 0x3a00000 [0065.479] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.479] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.479] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.479] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.479] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.479] CloseHandle (hObject=0x43c) returned 1 [0065.480] GetProcessHeap () returned 0x3a00000 [0065.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.480] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 133 [0065.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\masterdescriptor.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.480] GetProcessHeap () returned 0x3a00000 [0065.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.480] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash", cAlternateFileName="S640~1.HAS")) returned 1 [0065.480] lstrcmpiW (lpString1="s640.hash", lpString2="Windows") returned -1 [0065.480] lstrcmpiW (lpString1="s640.hash", lpString2="$Recycle.bin") returned 1 [0065.480] lstrcmpiW (lpString1="s640.hash", lpString2="System Volume Information") returned -1 [0065.480] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files") returned 1 [0065.480] lstrcmpiW (lpString1="s640.hash", lpString2="Program Files (x86)") returned 1 [0065.481] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash") returned 96 [0065.481] StrStrIW (lpFirst="s640.hash", lpSrch=".ebal") returned 0x0 [0065.481] lstrcmpW (lpString1="s640.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.481] lstrcmpW (lpString1="s640.hash", lpString2="taridd") returned -1 [0065.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.481] GetTickCount () returned 0x1150c70 [0065.481] GetTickCount () returned 0x1150c70 [0065.481] GetTickCount () returned 0x1150c70 [0065.481] GetTickCount () returned 0x1150c70 [0065.481] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.481] GetProcessHeap () returned 0x3a00000 [0065.481] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6c278 [0065.481] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6c278, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesRead=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.482] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6c278*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6c278*, lpNumberOfBytesWritten=0x65af04c*=0x66, lpOverlapped=0x0) returned 1 [0065.482] GetProcessHeap () returned 0x3a00000 [0065.482] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6c278 | out: hHeap=0x3a00000) returned 1 [0065.482] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.482] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.483] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.483] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.483] CloseHandle (hObject=0x43c) returned 1 [0065.484] GetProcessHeap () returned 0x3a00000 [0065.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.484] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 115 [0065.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.484] GetProcessHeap () returned 0x3a00000 [0065.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.484] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.484] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Windows") returned -1 [0065.484] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0065.484] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="System Volume Information") returned -1 [0065.484] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files") returned 1 [0065.484] lstrcmpiW (lpString1="stream.x64.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0065.484] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat") returned 112 [0065.484] StrStrIW (lpFirst="stream.x64.x-none.man.dat", lpSrch=".ebal") returned 0x0 [0065.484] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.484] lstrcmpW (lpString1="stream.x64.x-none.man.dat", lpString2="taridd") returned -1 [0065.484] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.485] GetTickCount () returned 0x1150c70 [0065.485] GetTickCount () returned 0x1150c70 [0065.485] GetTickCount () returned 0x1150c70 [0065.485] GetTickCount () returned 0x1150c70 [0065.485] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0065.485] GetProcessHeap () returned 0x3a00000 [0065.485] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.485] ReadFile (in: hFile=0x43c, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.487] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.487] WriteFile (in: hFile=0x43c, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0065.488] GetProcessHeap () returned 0x3a00000 [0065.488] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.488] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.488] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0065.489] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0065.489] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0065.489] CloseHandle (hObject=0x43c) returned 1 [0065.489] GetProcessHeap () returned 0x3a00000 [0065.490] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.490] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 131 [0065.490] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.490] GetProcessHeap () returned 0x3a00000 [0065.490] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.490] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfe714e00, ftLastWriteTime.dwHighDateTime=0x1d0d7e7, nFileSizeHigh=0x0, nFileSizeLow=0x38480a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.490] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0065.490] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0065.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.490] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.491] CloseHandle (hObject=0x438) returned 1 [0065.491] GetProcessHeap () returned 0x3a00000 [0065.491] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.491] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0065.492] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0065.492] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0065.492] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.492] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.493] CloseHandle (hObject=0x434) returned 1 [0065.493] GetProcessHeap () returned 0x3a00000 [0065.493] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.493] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3dbb3c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8512127a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8512127a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7b6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.0.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0065.493] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Windows") returned -1 [0065.493] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="$Recycle.bin") returned 1 [0065.493] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="System Volume Information") returned -1 [0065.493] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Program Files") returned -1 [0065.493] lstrcmpiW (lpString1="DeploymentConfig.0.xml", lpString2="Program Files (x86)") returned -1 [0065.493] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml") returned 62 [0065.493] StrStrIW (lpFirst="DeploymentConfig.0.xml", lpSrch=".ebal") returned 0x0 [0065.493] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.493] lstrcmpW (lpString1="DeploymentConfig.0.xml", lpString2="taridd") returned -1 [0065.493] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.494] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.494] GetTickCount () returned 0x1150c7f [0065.494] GetTickCount () returned 0x1150c7f [0065.494] GetTickCount () returned 0x1150c7f [0065.494] GetTickCount () returned 0x1150c7f [0065.494] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0065.494] GetProcessHeap () returned 0x3a00000 [0065.494] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.494] ReadFile (in: hFile=0x434, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af55c*=0x7b6, lpOverlapped=0x0) returned 1 [0065.497] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff84a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.497] WriteFile (in: hFile=0x434, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x7b6, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af55c*=0x7b6, lpOverlapped=0x0) returned 1 [0065.497] GetProcessHeap () returned 0x3a00000 [0065.497] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.497] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.497] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0065.497] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0065.497] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0065.497] CloseHandle (hObject=0x434) returned 1 [0065.497] GetProcessHeap () returned 0x3a00000 [0065.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.498] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal") returned 81 [0065.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.0.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.498] GetProcessHeap () returned 0x3a00000 [0065.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.498] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b22dc95, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa011b19, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xfa011b19, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x7b4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.1.xml", cAlternateFileName="DEPLOY~3.XML")) returned 1 [0065.498] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Windows") returned -1 [0065.498] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="$Recycle.bin") returned 1 [0065.498] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="System Volume Information") returned -1 [0065.498] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Program Files") returned -1 [0065.498] lstrcmpiW (lpString1="DeploymentConfig.1.xml", lpString2="Program Files (x86)") returned -1 [0065.498] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml") returned 62 [0065.498] StrStrIW (lpFirst="DeploymentConfig.1.xml", lpSrch=".ebal") returned 0x0 [0065.498] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.498] lstrcmpW (lpString1="DeploymentConfig.1.xml", lpString2="taridd") returned -1 [0065.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.499] GetTickCount () returned 0x1150c7f [0065.499] GetTickCount () returned 0x1150c7f [0065.499] GetTickCount () returned 0x1150c7f [0065.499] GetTickCount () returned 0x1150c7f [0065.499] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0065.499] GetProcessHeap () returned 0x3a00000 [0065.499] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.499] ReadFile (in: hFile=0x434, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af55c*=0x7b4, lpOverlapped=0x0) returned 1 [0065.501] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff84c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.501] WriteFile (in: hFile=0x434, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x7b4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af55c*=0x7b4, lpOverlapped=0x0) returned 1 [0065.501] GetProcessHeap () returned 0x3a00000 [0065.501] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.501] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.501] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0065.501] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0065.501] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0065.501] CloseHandle (hObject=0x434) returned 1 [0065.501] GetProcessHeap () returned 0x3a00000 [0065.501] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.501] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal") returned 81 [0065.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.1.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.502] GetProcessHeap () returned 0x3a00000 [0065.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.502] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x534ee362, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c4413a9, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.2.xml", cAlternateFileName="DEPLOY~2.XML")) returned 1 [0065.502] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Windows") returned -1 [0065.502] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="$Recycle.bin") returned 1 [0065.502] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="System Volume Information") returned -1 [0065.502] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Program Files") returned -1 [0065.502] lstrcmpiW (lpString1="DeploymentConfig.2.xml", lpString2="Program Files (x86)") returned -1 [0065.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml") returned 62 [0065.502] StrStrIW (lpFirst="DeploymentConfig.2.xml", lpSrch=".ebal") returned 0x0 [0065.502] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.502] lstrcmpW (lpString1="DeploymentConfig.2.xml", lpString2="taridd") returned -1 [0065.502] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.503] GetTickCount () returned 0x1150c7f [0065.503] GetTickCount () returned 0x1150c7f [0065.503] GetTickCount () returned 0x1150c7f [0065.503] GetTickCount () returned 0x1150c7f [0065.503] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0065.503] GetProcessHeap () returned 0x3a00000 [0065.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.503] ReadFile (in: hFile=0x434, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af55c*=0x566, lpOverlapped=0x0) returned 1 [0065.516] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffa9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.516] WriteFile (in: hFile=0x434, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x566, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af55c*=0x566, lpOverlapped=0x0) returned 1 [0065.516] GetProcessHeap () returned 0x3a00000 [0065.516] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.516] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.516] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0065.516] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0065.517] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0065.517] CloseHandle (hObject=0x434) returned 1 [0065.517] GetProcessHeap () returned 0x3a00000 [0065.517] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.517] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal") returned 81 [0065.517] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\deploymentconfig.2.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.517] GetProcessHeap () returned 0x3a00000 [0065.517] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.517] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0065.517] lstrcmpiW (lpString1="MachineData", lpString2="Windows") returned -1 [0065.517] lstrcmpiW (lpString1="MachineData", lpString2="$Recycle.bin") returned 1 [0065.517] lstrcmpiW (lpString1="MachineData", lpString2="System Volume Information") returned -1 [0065.517] lstrcmpiW (lpString1="MachineData", lpString2="Program Files") returned -1 [0065.517] lstrcmpiW (lpString1="MachineData", lpString2="Program Files (x86)") returned -1 [0065.517] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData") returned 51 [0065.517] lstrcmpW (lpString1="MachineData", lpString2=".") returned 1 [0065.518] lstrcmpW (lpString1="MachineData", lpString2="..") returned 1 [0065.518] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.518] GetProcessHeap () returned 0x3a00000 [0065.518] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.518] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*") returned 53 [0065.518] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0065.518] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.518] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.518] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.518] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.518] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.518] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\.") returned 53 [0065.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.518] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.518] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.518] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.518] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.518] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.518] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.518] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\..") returned 54 [0065.518] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.518] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Catalog", cAlternateFileName="")) returned 1 [0065.518] lstrcmpiW (lpString1="Catalog", lpString2="Windows") returned -1 [0065.518] lstrcmpiW (lpString1="Catalog", lpString2="$Recycle.bin") returned 1 [0065.518] lstrcmpiW (lpString1="Catalog", lpString2="System Volume Information") returned -1 [0065.518] lstrcmpiW (lpString1="Catalog", lpString2="Program Files") returned -1 [0065.518] lstrcmpiW (lpString1="Catalog", lpString2="Program Files (x86)") returned -1 [0065.519] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 59 [0065.519] lstrcmpW (lpString1="Catalog", lpString2=".") returned 1 [0065.519] lstrcmpW (lpString1="Catalog", lpString2="..") returned 1 [0065.519] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.519] GetProcessHeap () returned 0x3a00000 [0065.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.519] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned 61 [0065.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0065.519] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.519] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.519] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.519] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\.") returned 61 [0065.519] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.519] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.519] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.519] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.519] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.519] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\..") returned 62 [0065.519] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.519] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.519] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 1 [0065.519] lstrcmpiW (lpString1="Packages", lpString2="Windows") returned -1 [0065.519] lstrcmpiW (lpString1="Packages", lpString2="$Recycle.bin") returned 1 [0065.519] lstrcmpiW (lpString1="Packages", lpString2="System Volume Information") returned -1 [0065.520] lstrcmpiW (lpString1="Packages", lpString2="Program Files") returned -1 [0065.520] lstrcmpiW (lpString1="Packages", lpString2="Program Files (x86)") returned -1 [0065.520] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 68 [0065.520] lstrcmpW (lpString1="Packages", lpString2=".") returned 1 [0065.520] lstrcmpW (lpString1="Packages", lpString2="..") returned 1 [0065.520] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.520] GetProcessHeap () returned 0x3a00000 [0065.520] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.520] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned 70 [0065.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0065.520] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.520] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.520] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.520] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.520] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.520] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\.") returned 70 [0065.521] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.521] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.521] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.521] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.521] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.521] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.521] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.521] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\..") returned 71 [0065.521] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.521] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.521] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0065.521] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0065.521] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0065.521] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0065.521] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0065.521] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0065.521] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 107 [0065.521] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2=".") returned 1 [0065.521] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="..") returned 1 [0065.521] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.521] GetProcessHeap () returned 0x3a00000 [0065.521] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.521] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned 109 [0065.521] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0065.521] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.521] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.521] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.521] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.522] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\.") returned 109 [0065.522] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.522] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.522] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.522] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.522] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.522] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.522] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\..") returned 110 [0065.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.522] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0065.522] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Windows") returned -1 [0065.522] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="$Recycle.bin") returned 1 [0065.522] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="System Volume Information") returned -1 [0065.522] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files") returned -1 [0065.522] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files (x86)") returned -1 [0065.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 146 [0065.522] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2=".") returned 1 [0065.522] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="..") returned 1 [0065.522] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.522] GetProcessHeap () returned 0x3a00000 [0065.522] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0065.522] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned 148 [0065.522] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0065.522] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.522] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.523] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.523] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.523] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.523] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\.") returned 148 [0065.523] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.523] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.523] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.523] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.523] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.523] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.523] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.523] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\..") returned 149 [0065.523] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.523] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.523] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x3c4670e0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfiguration.xml", cAlternateFileName="DEPLOY~1.XML")) returned 1 [0065.523] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Windows") returned -1 [0065.523] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="$Recycle.bin") returned 1 [0065.523] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="System Volume Information") returned -1 [0065.523] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Program Files") returned -1 [0065.523] lstrcmpiW (lpString1="DeploymentConfiguration.xml", lpString2="Program Files (x86)") returned -1 [0065.523] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml") returned 174 [0065.523] StrStrIW (lpFirst="DeploymentConfiguration.xml", lpSrch=".ebal") returned 0x0 [0065.523] lstrcmpW (lpString1="DeploymentConfiguration.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.523] lstrcmpW (lpString1="DeploymentConfiguration.xml", lpString2="taridd") returned -1 [0065.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0065.524] GetTickCount () returned 0x1150c9f [0065.524] GetTickCount () returned 0x1150c9f [0065.524] GetTickCount () returned 0x1150c9f [0065.524] GetTickCount () returned 0x1150c9f [0065.524] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0065.524] GetProcessHeap () returned 0x3a00000 [0065.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a716a0 [0065.524] ReadFile (in: hFile=0x448, lpBuffer=0x3a716a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesRead=0x65ae8b4*=0x266, lpOverlapped=0x0) returned 1 [0065.525] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffd9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.525] WriteFile (in: hFile=0x448, lpBuffer=0x3a716a0*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesWritten=0x65ae8b4*=0x266, lpOverlapped=0x0) returned 1 [0065.525] GetProcessHeap () returned 0x3a00000 [0065.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.525] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.525] WriteFile (in: hFile=0x448, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0065.525] WriteFile (in: hFile=0x448, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0065.525] WriteFile (in: hFile=0x448, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0065.525] CloseHandle (hObject=0x448) returned 1 [0065.528] GetProcessHeap () returned 0x3a00000 [0065.528] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a716a0 [0065.528] wnsprintfW (in: pszDest=0x3a716a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal") returned 193 [0065.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\deploymentconfiguration.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.529] GetProcessHeap () returned 0x3a00000 [0065.529] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.529] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84d6778e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9dfb986, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf9e9425d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x5ab2f7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Manifest.xml", cAlternateFileName="")) returned 1 [0065.529] lstrcmpiW (lpString1="Manifest.xml", lpString2="Windows") returned -1 [0065.529] lstrcmpiW (lpString1="Manifest.xml", lpString2="$Recycle.bin") returned 1 [0065.529] lstrcmpiW (lpString1="Manifest.xml", lpString2="System Volume Information") returned -1 [0065.529] lstrcmpiW (lpString1="Manifest.xml", lpString2="Program Files") returned -1 [0065.529] lstrcmpiW (lpString1="Manifest.xml", lpString2="Program Files (x86)") returned -1 [0065.529] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml") returned 159 [0065.529] StrStrIW (lpFirst="Manifest.xml", lpSrch=".ebal") returned 0x0 [0065.529] lstrcmpW (lpString1="Manifest.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.529] lstrcmpW (lpString1="Manifest.xml", lpString2="taridd") returned -1 [0065.529] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0065.529] GetTickCount () returned 0x1150c9f [0065.529] GetTickCount () returned 0x1150c9f [0065.529] GetTickCount () returned 0x1150c9f [0065.529] GetTickCount () returned 0x1150c9f [0065.529] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0065.529] GetProcessHeap () returned 0x3a00000 [0065.529] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a716a0 [0065.529] ReadFile (in: hFile=0x448, lpBuffer=0x3a716a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesRead=0x65ae8b4*=0x2800, lpOverlapped=0x0) returned 1 [0065.530] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.530] WriteFile (in: hFile=0x448, lpBuffer=0x3a716a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesWritten=0x65ae8b4*=0x2800, lpOverlapped=0x0) returned 1 [0065.530] GetProcessHeap () returned 0x3a00000 [0065.530] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.531] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.531] WriteFile (in: hFile=0x448, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0065.531] WriteFile (in: hFile=0x448, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0065.531] WriteFile (in: hFile=0x448, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0065.532] CloseHandle (hObject=0x448) returned 1 [0065.532] GetProcessHeap () returned 0x3a00000 [0065.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a716a0 [0065.532] wnsprintfW (in: pszDest=0x3a716a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml_r00t_{8ew5f6}.ebal") returned 178 [0065.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\manifest.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.532] GetProcessHeap () returned 0x3a00000 [0065.532] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.532] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8639b81c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf39b2ab6, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x3c4670e0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x266, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserDeploymentConfiguration.xml", cAlternateFileName="USERDE~1.XML")) returned 1 [0065.532] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Windows") returned -1 [0065.532] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="$Recycle.bin") returned 1 [0065.532] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="System Volume Information") returned 1 [0065.532] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Program Files") returned 1 [0065.532] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml", lpString2="Program Files (x86)") returned 1 [0065.533] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml") returned 178 [0065.533] StrStrIW (lpFirst="UserDeploymentConfiguration.xml", lpSrch=".ebal") returned 0x0 [0065.533] lstrcmpW (lpString1="UserDeploymentConfiguration.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.533] lstrcmpW (lpString1="UserDeploymentConfiguration.xml", lpString2="taridd") returned 1 [0065.533] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0065.533] GetTickCount () returned 0x1150c9f [0065.533] GetTickCount () returned 0x1150c9f [0065.533] GetTickCount () returned 0x1150c9f [0065.533] GetTickCount () returned 0x1150c9f [0065.533] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0065.533] GetProcessHeap () returned 0x3a00000 [0065.533] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a716a0 [0065.533] ReadFile (in: hFile=0x448, lpBuffer=0x3a716a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesRead=0x65ae8b4*=0x266, lpOverlapped=0x0) returned 1 [0065.534] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xfffffd9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.534] WriteFile (in: hFile=0x448, lpBuffer=0x3a716a0*, nNumberOfBytesToWrite=0x266, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesWritten=0x65ae8b4*=0x266, lpOverlapped=0x0) returned 1 [0065.534] GetProcessHeap () returned 0x3a00000 [0065.534] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.534] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.534] WriteFile (in: hFile=0x448, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0065.535] WriteFile (in: hFile=0x448, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0065.535] WriteFile (in: hFile=0x448, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0065.535] CloseHandle (hObject=0x448) returned 1 [0065.535] GetProcessHeap () returned 0x3a00000 [0065.535] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a716a0 [0065.535] wnsprintfW (in: pszDest=0x3a716a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal") returned 197 [0065.535] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\userdeploymentconfiguration.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.536] GetProcessHeap () returned 0x3a00000 [0065.536] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.536] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x42b5f096, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x38e9a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 1 [0065.536] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Windows") returned -1 [0065.536] lstrcmpiW (lpString1="UserManifest.xml", lpString2="$Recycle.bin") returned 1 [0065.536] lstrcmpiW (lpString1="UserManifest.xml", lpString2="System Volume Information") returned 1 [0065.536] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Program Files") returned 1 [0065.536] lstrcmpiW (lpString1="UserManifest.xml", lpString2="Program Files (x86)") returned 1 [0065.536] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml") returned 163 [0065.536] StrStrIW (lpFirst="UserManifest.xml", lpSrch=".ebal") returned 0x0 [0065.536] lstrcmpW (lpString1="UserManifest.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.536] lstrcmpW (lpString1="UserManifest.xml", lpString2="taridd") returned 1 [0065.536] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.536] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x448 [0065.537] GetTickCount () returned 0x1150cae [0065.537] GetTickCount () returned 0x1150cae [0065.537] GetTickCount () returned 0x1150cae [0065.537] GetTickCount () returned 0x1150cae [0065.537] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0065.537] GetProcessHeap () returned 0x3a00000 [0065.537] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a716a0 [0065.537] ReadFile (in: hFile=0x448, lpBuffer=0x3a716a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesRead=0x65ae8b4*=0x2800, lpOverlapped=0x0) returned 1 [0065.539] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.539] WriteFile (in: hFile=0x448, lpBuffer=0x3a716a0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a716a0*, lpNumberOfBytesWritten=0x65ae8b4*=0x2800, lpOverlapped=0x0) returned 1 [0065.540] GetProcessHeap () returned 0x3a00000 [0065.540] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.540] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.540] WriteFile (in: hFile=0x448, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0065.542] WriteFile (in: hFile=0x448, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0065.542] WriteFile (in: hFile=0x448, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0065.542] CloseHandle (hObject=0x448) returned 1 [0065.542] GetProcessHeap () returned 0x3a00000 [0065.542] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a716a0 [0065.542] wnsprintfW (in: pszDest=0x3a716a0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml_r00t_{8ew5f6}.ebal") returned 182 [0065.542] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\usermanifest.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.543] GetProcessHeap () returned 0x3a00000 [0065.543] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a716a0 | out: hHeap=0x3a00000) returned 1 [0065.543] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x42b5f096, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x38e9a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml", cAlternateFileName="USERMA~1.XML")) returned 0 [0065.543] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0065.543] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 178 [0065.543] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x444 [0065.545] WriteFile (in: hFile=0x444, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.546] CloseHandle (hObject=0x444) returned 1 [0065.546] GetProcessHeap () returned 0x3a00000 [0065.546] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0065.546] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3cb8e906, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3cb8e906, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0065.546] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0065.546] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 139 [0065.546] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.548] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0065.549] CloseHandle (hObject=0x440) returned 1 [0065.549] GetProcessHeap () returned 0x3a00000 [0065.549] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.549] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0065.549] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0065.549] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0065.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.549] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.550] CloseHandle (hObject=0x43c) returned 1 [0065.550] GetProcessHeap () returned 0x3a00000 [0065.550] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.550] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 0 [0065.550] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0065.550] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0065.550] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\catalog\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.551] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.552] CloseHandle (hObject=0x438) returned 1 [0065.552] GetProcessHeap () returned 0x3a00000 [0065.552] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.552] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0065.552] lstrcmpiW (lpString1="Integration", lpString2="Windows") returned -1 [0065.552] lstrcmpiW (lpString1="Integration", lpString2="$Recycle.bin") returned 1 [0065.552] lstrcmpiW (lpString1="Integration", lpString2="System Volume Information") returned -1 [0065.552] lstrcmpiW (lpString1="Integration", lpString2="Program Files") returned -1 [0065.552] lstrcmpiW (lpString1="Integration", lpString2="Program Files (x86)") returned -1 [0065.552] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 63 [0065.552] lstrcmpW (lpString1="Integration", lpString2=".") returned 1 [0065.552] lstrcmpW (lpString1="Integration", lpString2="..") returned 1 [0065.552] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.552] GetProcessHeap () returned 0x3a00000 [0065.552] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned 65 [0065.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0065.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\.") returned 65 [0065.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.553] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.553] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.553] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.553] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.553] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\..") returned 66 [0065.553] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.553] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0065.553] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Windows") returned -1 [0065.553] lstrcmpiW (lpString1="ShortcutBackups", lpString2="$Recycle.bin") returned 1 [0065.553] lstrcmpiW (lpString1="ShortcutBackups", lpString2="System Volume Information") returned -1 [0065.553] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files") returned 1 [0065.553] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files (x86)") returned 1 [0065.553] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 79 [0065.553] lstrcmpW (lpString1="ShortcutBackups", lpString2=".") returned 1 [0065.553] lstrcmpW (lpString1="ShortcutBackups", lpString2="..") returned 1 [0065.553] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.553] GetProcessHeap () returned 0x3a00000 [0065.553] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned 81 [0065.553] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0065.553] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.553] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.553] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.553] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.554] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.554] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\.") returned 81 [0065.554] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.554] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.554] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.554] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.554] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.554] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.554] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.554] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\..") returned 82 [0065.554] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.554] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.554] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.554] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0065.554] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0065.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.555] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.556] CloseHandle (hObject=0x43c) returned 1 [0065.556] GetProcessHeap () returned 0x3a00000 [0065.556] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.556] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0 [0065.556] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0065.556] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0065.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\integration\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.557] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.557] CloseHandle (hObject=0x438) returned 1 [0065.558] GetProcessHeap () returned 0x3a00000 [0065.558] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.558] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0 [0065.558] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0065.558] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0065.558] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\machinedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.558] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.559] CloseHandle (hObject=0x434) returned 1 [0065.559] GetProcessHeap () returned 0x3a00000 [0065.559] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.559] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ProductReleases", cAlternateFileName="PRODUC~1")) returned 1 [0065.559] lstrcmpiW (lpString1="ProductReleases", lpString2="Windows") returned -1 [0065.559] lstrcmpiW (lpString1="ProductReleases", lpString2="$Recycle.bin") returned 1 [0065.559] lstrcmpiW (lpString1="ProductReleases", lpString2="System Volume Information") returned -1 [0065.559] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files") returned -1 [0065.559] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files (x86)") returned -1 [0065.559] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases") returned 55 [0065.559] lstrcmpW (lpString1="ProductReleases", lpString2=".") returned 1 [0065.559] lstrcmpW (lpString1="ProductReleases", lpString2="..") returned 1 [0065.559] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.559] GetProcessHeap () returned 0x3a00000 [0065.559] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.559] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*") returned 57 [0065.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0065.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.562] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.562] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\.") returned 57 [0065.562] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.562] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.562] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.562] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\..") returned 58 [0065.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.562] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", cAlternateFileName="5A65C4~1")) returned 1 [0065.562] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Windows") returned -1 [0065.562] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="$Recycle.bin") returned 1 [0065.562] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="System Volume Information") returned -1 [0065.562] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files") returned -1 [0065.562] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files (x86)") returned -1 [0065.562] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F") returned 92 [0065.562] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2=".") returned 1 [0065.562] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="..") returned 1 [0065.562] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.562] GetProcessHeap () returned 0x3a00000 [0065.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.563] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*") returned 94 [0065.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0065.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.563] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.563] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.563] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\.") returned 94 [0065.563] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.563] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.563] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.563] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.563] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.563] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.563] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.563] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\..") returned 95 [0065.563] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.563] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.563] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0065.563] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0065.563] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0065.563] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0065.563] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0065.564] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0065.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16") returned 101 [0065.564] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0065.564] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0065.564] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.564] GetProcessHeap () returned 0x3a00000 [0065.564] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.564] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*") returned 103 [0065.564] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0065.566] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.566] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.566] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\.") returned 103 [0065.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.566] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a49e573, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\..") returned 104 [0065.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.566] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a346f8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a346f8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd19cd600, ftLastWriteTime.dwHighDateTime=0x1d32052, nFileSizeHigh=0x0, nFileSizeLow=0x5bec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.567] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Windows") returned -1 [0065.567] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.567] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="System Volume Information") returned -1 [0065.567] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files") returned -1 [0065.567] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.567] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml") returned 128 [0065.567] StrStrIW (lpFirst="MasterDescriptor.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.567] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.567] lstrcmpW (lpString1="MasterDescriptor.en-us.xml", lpString2="taridd") returned -1 [0065.567] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.567] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.567] GetTickCount () returned 0x1150cce [0065.567] GetTickCount () returned 0x1150cce [0065.567] GetTickCount () returned 0x1150cce [0065.567] GetTickCount () returned 0x1150cce [0065.567] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.568] GetProcessHeap () returned 0x3a00000 [0065.568] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.568] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.569] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.569] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.570] GetProcessHeap () returned 0x3a00000 [0065.570] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.570] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.570] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.570] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.570] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.570] CloseHandle (hObject=0x440) returned 1 [0065.570] GetProcessHeap () returned 0x3a00000 [0065.570] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.570] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 147 [0065.570] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\masterdescriptor.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.571] GetProcessHeap () returned 0x3a00000 [0065.571] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.571] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x918a2300, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s321033.hash", cAlternateFileName="S32103~1.HAS")) returned 1 [0065.571] lstrcmpiW (lpString1="s321033.hash", lpString2="Windows") returned -1 [0065.571] lstrcmpiW (lpString1="s321033.hash", lpString2="$Recycle.bin") returned 1 [0065.571] lstrcmpiW (lpString1="s321033.hash", lpString2="System Volume Information") returned -1 [0065.571] lstrcmpiW (lpString1="s321033.hash", lpString2="Program Files") returned 1 [0065.571] lstrcmpiW (lpString1="s321033.hash", lpString2="Program Files (x86)") returned 1 [0065.571] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash") returned 114 [0065.571] StrStrIW (lpFirst="s321033.hash", lpSrch=".ebal") returned 0x0 [0065.571] lstrcmpW (lpString1="s321033.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.571] lstrcmpW (lpString1="s321033.hash", lpString2="taridd") returned -1 [0065.571] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.571] GetTickCount () returned 0x1150cce [0065.571] GetTickCount () returned 0x1150cce [0065.571] GetTickCount () returned 0x1150cce [0065.572] GetTickCount () returned 0x1150cce [0065.572] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.572] GetProcessHeap () returned 0x3a00000 [0065.572] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.572] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x66, lpOverlapped=0x0) returned 1 [0065.573] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.573] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x66, lpOverlapped=0x0) returned 1 [0065.573] GetProcessHeap () returned 0x3a00000 [0065.573] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.573] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.573] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.574] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.574] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.574] CloseHandle (hObject=0x440) returned 1 [0065.574] GetProcessHeap () returned 0x3a00000 [0065.574] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.574] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash_r00t_{8ew5f6}.ebal") returned 133 [0065.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\s321033.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.575] GetProcessHeap () returned 0x3a00000 [0065.575] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.575] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x918a2300, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x1dff67, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.Culture.man.xml", cAlternateFileName="STREAM~1.XML")) returned 1 [0065.575] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Windows") returned -1 [0065.575] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="$Recycle.bin") returned 1 [0065.575] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="System Volume Information") returned -1 [0065.575] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Program Files") returned 1 [0065.575] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml", lpString2="Program Files (x86)") returned 1 [0065.575] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml") returned 133 [0065.575] StrStrIW (lpFirst="stream.Platform.Culture.man.xml", lpSrch=".ebal") returned 0x0 [0065.575] lstrcmpW (lpString1="stream.Platform.Culture.man.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.575] lstrcmpW (lpString1="stream.Platform.Culture.man.xml", lpString2="taridd") returned -1 [0065.575] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.575] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.577] GetTickCount () returned 0x1150cce [0065.577] GetTickCount () returned 0x1150cce [0065.577] GetTickCount () returned 0x1150cce [0065.577] GetTickCount () returned 0x1150cce [0065.577] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.577] GetProcessHeap () returned 0x3a00000 [0065.577] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.577] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.579] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.579] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.579] GetProcessHeap () returned 0x3a00000 [0065.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.579] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.579] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.588] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.588] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.588] CloseHandle (hObject=0x440) returned 1 [0065.588] GetProcessHeap () returned 0x3a00000 [0065.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.588] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal") returned 152 [0065.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.platform.culture.man.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.589] GetProcessHeap () returned 0x3a00000 [0065.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.589] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.hash", cAlternateFileName="STREAM~1.HAS")) returned 1 [0065.589] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Windows") returned -1 [0065.589] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="$Recycle.bin") returned 1 [0065.589] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="System Volume Information") returned -1 [0065.589] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Program Files") returned 1 [0065.589] lstrcmpiW (lpString1="stream.x86.en-us.hash", lpString2="Program Files (x86)") returned 1 [0065.589] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash") returned 123 [0065.589] StrStrIW (lpFirst="stream.x86.en-us.hash", lpSrch=".ebal") returned 0x0 [0065.589] lstrcmpW (lpString1="stream.x86.en-us.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.589] lstrcmpW (lpString1="stream.x86.en-us.hash", lpString2="taridd") returned -1 [0065.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.589] GetTickCount () returned 0x1150cdd [0065.589] GetTickCount () returned 0x1150cdd [0065.589] GetTickCount () returned 0x1150cdd [0065.589] GetTickCount () returned 0x1150cdd [0065.590] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.590] GetProcessHeap () returned 0x3a00000 [0065.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.590] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.591] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.591] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.591] GetProcessHeap () returned 0x3a00000 [0065.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.591] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.591] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.592] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.592] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.592] CloseHandle (hObject=0x440) returned 1 [0065.592] GetProcessHeap () returned 0x3a00000 [0065.592] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.592] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash_r00t_{8ew5f6}.ebal") returned 142 [0065.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.592] GetProcessHeap () returned 0x3a00000 [0065.593] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.593] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.593] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Windows") returned -1 [0065.593] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0065.593] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="System Volume Information") returned -1 [0065.593] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files") returned 1 [0065.593] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0065.593] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat") returned 126 [0065.593] StrStrIW (lpFirst="stream.x86.en-us.man.dat", lpSrch=".ebal") returned 0x0 [0065.593] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.593] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="taridd") returned -1 [0065.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.594] GetTickCount () returned 0x1150cdd [0065.594] GetTickCount () returned 0x1150cdd [0065.594] GetTickCount () returned 0x1150cdd [0065.594] GetTickCount () returned 0x1150cdd [0065.594] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.594] GetProcessHeap () returned 0x3a00000 [0065.594] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.594] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.596] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.596] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.597] GetProcessHeap () returned 0x3a00000 [0065.597] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.597] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.597] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.599] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.600] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.600] CloseHandle (hObject=0x440) returned 1 [0065.600] GetProcessHeap () returned 0x3a00000 [0065.600] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.600] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 145 [0065.600] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.600] GetProcessHeap () returned 0x3a00000 [0065.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.600] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.600] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0065.601] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 133 [0065.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.603] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.604] CloseHandle (hObject=0x43c) returned 1 [0065.604] GetProcessHeap () returned 0x3a00000 [0065.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.604] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0065.604] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0065.604] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0065.604] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0065.604] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0065.604] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0065.604] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16") returned 102 [0065.605] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0065.605] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0065.605] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.605] GetProcessHeap () returned 0x3a00000 [0065.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.605] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*") returned 104 [0065.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0065.607] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.607] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.607] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.607] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.608] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.608] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\.") returned 104 [0065.608] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.608] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.608] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.608] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.608] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.608] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.608] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.608] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\..") returned 105 [0065.608] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.608] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.608] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bd39c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdd889800, ftLastWriteTime.dwHighDateTime=0x1d32052, nFileSizeHigh=0x0, nFileSizeLow=0x5b31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0065.608] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Windows") returned -1 [0065.608] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.608] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="System Volume Information") returned -1 [0065.608] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files") returned -1 [0065.608] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.608] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml") returned 130 [0065.608] StrStrIW (lpFirst="MasterDescriptor.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.608] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.608] lstrcmpW (lpString1="MasterDescriptor.x-none.xml", lpString2="taridd") returned -1 [0065.608] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.608] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.609] GetTickCount () returned 0x1150ced [0065.609] GetTickCount () returned 0x1150ced [0065.609] GetTickCount () returned 0x1150ced [0065.609] GetTickCount () returned 0x1150ced [0065.609] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.609] GetProcessHeap () returned 0x3a00000 [0065.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.609] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.610] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.611] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.611] GetProcessHeap () returned 0x3a00000 [0065.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.611] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.611] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.611] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.611] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.611] CloseHandle (hObject=0x440) returned 1 [0065.611] GetProcessHeap () returned 0x3a00000 [0065.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.611] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 149 [0065.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\masterdescriptor.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.612] GetProcessHeap () returned 0x3a00000 [0065.612] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.612] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aa2800, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s320.hash", cAlternateFileName="S320~1.HAS")) returned 1 [0065.612] lstrcmpiW (lpString1="s320.hash", lpString2="Windows") returned -1 [0065.612] lstrcmpiW (lpString1="s320.hash", lpString2="$Recycle.bin") returned 1 [0065.612] lstrcmpiW (lpString1="s320.hash", lpString2="System Volume Information") returned -1 [0065.612] lstrcmpiW (lpString1="s320.hash", lpString2="Program Files") returned 1 [0065.612] lstrcmpiW (lpString1="s320.hash", lpString2="Program Files (x86)") returned 1 [0065.612] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash") returned 112 [0065.612] StrStrIW (lpFirst="s320.hash", lpSrch=".ebal") returned 0x0 [0065.612] lstrcmpW (lpString1="s320.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.612] lstrcmpW (lpString1="s320.hash", lpString2="taridd") returned -1 [0065.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.613] GetTickCount () returned 0x1150ced [0065.613] GetTickCount () returned 0x1150ced [0065.613] GetTickCount () returned 0x1150ced [0065.613] GetTickCount () returned 0x1150ced [0065.613] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.613] GetProcessHeap () returned 0x3a00000 [0065.613] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.613] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x66, lpOverlapped=0x0) returned 1 [0065.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffff9a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x66, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x66, lpOverlapped=0x0) returned 1 [0065.614] GetProcessHeap () returned 0x3a00000 [0065.614] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.615] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.615] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.615] CloseHandle (hObject=0x440) returned 1 [0065.615] GetProcessHeap () returned 0x3a00000 [0065.615] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.616] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash_r00t_{8ew5f6}.ebal") returned 131 [0065.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\s320.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.616] GetProcessHeap () returned 0x3a00000 [0065.616] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.616] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aa2800, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x7e0a5c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.x-none.man.xml", cAlternateFileName="STREAM~1.XML")) returned 1 [0065.616] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Windows") returned -1 [0065.616] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="$Recycle.bin") returned 1 [0065.616] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="System Volume Information") returned -1 [0065.616] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Program Files") returned 1 [0065.616] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml", lpString2="Program Files (x86)") returned 1 [0065.616] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml") returned 133 [0065.616] StrStrIW (lpFirst="stream.Platform.x-none.man.xml", lpSrch=".ebal") returned 0x0 [0065.616] lstrcmpW (lpString1="stream.Platform.x-none.man.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.616] lstrcmpW (lpString1="stream.Platform.x-none.man.xml", lpString2="taridd") returned -1 [0065.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.617] GetTickCount () returned 0x1150cfc [0065.617] GetTickCount () returned 0x1150cfc [0065.617] GetTickCount () returned 0x1150cfc [0065.617] GetTickCount () returned 0x1150cfc [0065.617] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.617] GetProcessHeap () returned 0x3a00000 [0065.617] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.617] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.619] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.620] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.620] GetProcessHeap () returned 0x3a00000 [0065.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.620] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.620] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.621] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.621] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.621] CloseHandle (hObject=0x440) returned 1 [0065.621] GetProcessHeap () returned 0x3a00000 [0065.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.622] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal") returned 152 [0065.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.platform.x-none.man.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.622] GetProcessHeap () returned 0x3a00000 [0065.622] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.622] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x316a100, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.hash", cAlternateFileName="STREAM~1.HAS")) returned 1 [0065.622] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Windows") returned -1 [0065.622] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="$Recycle.bin") returned 1 [0065.622] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="System Volume Information") returned -1 [0065.622] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Program Files") returned 1 [0065.622] lstrcmpiW (lpString1="stream.x86.x-none.hash", lpString2="Program Files (x86)") returned 1 [0065.622] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash") returned 125 [0065.622] StrStrIW (lpFirst="stream.x86.x-none.hash", lpSrch=".ebal") returned 0x0 [0065.622] lstrcmpW (lpString1="stream.x86.x-none.hash", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.622] lstrcmpW (lpString1="stream.x86.x-none.hash", lpString2="taridd") returned -1 [0065.622] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.623] GetTickCount () returned 0x1150cfc [0065.623] GetTickCount () returned 0x1150cfc [0065.623] GetTickCount () returned 0x1150cfc [0065.623] GetTickCount () returned 0x1150cfc [0065.623] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.623] GetProcessHeap () returned 0x3a00000 [0065.623] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.623] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffff80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.624] GetProcessHeap () returned 0x3a00000 [0065.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.625] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.625] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.625] CloseHandle (hObject=0x440) returned 1 [0065.625] GetProcessHeap () returned 0x3a00000 [0065.625] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.625] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash_r00t_{8ew5f6}.ebal") returned 144 [0065.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.hash_r00t_{8ew5f6}.ebal")) returned 1 [0065.626] GetProcessHeap () returned 0x3a00000 [0065.626] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.626] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.626] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Windows") returned -1 [0065.626] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0065.626] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="System Volume Information") returned -1 [0065.626] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files") returned 1 [0065.626] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0065.626] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat") returned 128 [0065.626] StrStrIW (lpFirst="stream.x86.x-none.man.dat", lpSrch=".ebal") returned 0x0 [0065.626] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.626] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="taridd") returned -1 [0065.626] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.626] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.635] GetTickCount () returned 0x1150d0c [0065.635] GetTickCount () returned 0x1150d0c [0065.635] GetTickCount () returned 0x1150d0c [0065.635] GetTickCount () returned 0x1150d0c [0065.635] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.635] GetProcessHeap () returned 0x3a00000 [0065.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.635] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.637] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.637] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.637] GetProcessHeap () returned 0x3a00000 [0065.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.637] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.637] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.639] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.639] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.639] CloseHandle (hObject=0x440) returned 1 [0065.639] GetProcessHeap () returned 0x3a00000 [0065.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 147 [0065.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.640] GetProcessHeap () returned 0x3a00000 [0065.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.640] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.640] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0065.640] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 134 [0065.640] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.640] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.641] CloseHandle (hObject=0x43c) returned 1 [0065.641] GetProcessHeap () returned 0x3a00000 [0065.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.641] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a025ed3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a025ed3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0065.641] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0065.641] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0065.642] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.642] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.643] CloseHandle (hObject=0x438) returned 1 [0065.643] GetProcessHeap () returned 0x3a00000 [0065.643] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.643] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 1 [0065.643] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Windows") returned -1 [0065.643] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="$Recycle.bin") returned 1 [0065.643] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="System Volume Information") returned -1 [0065.643] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files") returned -1 [0065.643] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files (x86)") returned -1 [0065.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F") returned 92 [0065.643] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2=".") returned 1 [0065.643] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="..") returned 1 [0065.643] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.643] GetProcessHeap () returned 0x3a00000 [0065.643] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.643] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*") returned 94 [0065.643] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0065.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.644] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.645] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\.") returned 94 [0065.645] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.645] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.645] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\..") returned 95 [0065.645] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.645] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.645] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0065.645] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0065.645] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0065.645] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0065.645] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0065.645] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0065.645] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16") returned 101 [0065.645] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0065.645] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0065.645] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.645] GetProcessHeap () returned 0x3a00000 [0065.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.646] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*") returned 103 [0065.646] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0065.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.647] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\.") returned 103 [0065.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.647] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.648] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.648] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.648] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.648] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\..") returned 104 [0065.648] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.648] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.648] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.648] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Windows") returned -1 [0065.648] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="$Recycle.bin") returned 1 [0065.648] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="System Volume Information") returned -1 [0065.648] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files") returned 1 [0065.648] lstrcmpiW (lpString1="stream.x86.en-us.man.dat", lpString2="Program Files (x86)") returned 1 [0065.648] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat") returned 126 [0065.648] StrStrIW (lpFirst="stream.x86.en-us.man.dat", lpSrch=".ebal") returned 0x0 [0065.648] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.648] lstrcmpW (lpString1="stream.x86.en-us.man.dat", lpString2="taridd") returned -1 [0065.648] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.649] GetTickCount () returned 0x1150d1c [0065.649] GetTickCount () returned 0x1150d1c [0065.649] GetTickCount () returned 0x1150d1c [0065.649] GetTickCount () returned 0x1150d1c [0065.649] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.649] GetProcessHeap () returned 0x3a00000 [0065.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.649] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.651] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.651] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.651] GetProcessHeap () returned 0x3a00000 [0065.651] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.651] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.651] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.654] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.654] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.654] CloseHandle (hObject=0x440) returned 1 [0065.654] GetProcessHeap () returned 0x3a00000 [0065.654] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.654] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 145 [0065.654] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.655] GetProcessHeap () returned 0x3a00000 [0065.655] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.655] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x8f27c900, ftLastWriteTime.dwHighDateTime=0x1d32053, nFileSizeHigh=0x0, nFileSizeLow=0x108693, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.655] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0065.655] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 133 [0065.655] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.655] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.656] CloseHandle (hObject=0x43c) returned 1 [0065.656] GetProcessHeap () returned 0x3a00000 [0065.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.656] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0065.656] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0065.656] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0065.656] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0065.656] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0065.656] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0065.656] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16") returned 102 [0065.656] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0065.656] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0065.657] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.657] GetProcessHeap () returned 0x3a00000 [0065.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0065.657] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*") returned 104 [0065.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0065.658] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.658] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.658] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.658] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.658] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.658] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\.") returned 104 [0065.658] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.658] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.658] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.658] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.658] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.658] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.658] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.658] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\..") returned 105 [0065.658] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.659] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 1 [0065.659] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Windows") returned -1 [0065.659] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="$Recycle.bin") returned 1 [0065.659] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="System Volume Information") returned -1 [0065.659] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files") returned 1 [0065.659] lstrcmpiW (lpString1="stream.x86.x-none.man.dat", lpString2="Program Files (x86)") returned 1 [0065.659] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat") returned 128 [0065.659] StrStrIW (lpFirst="stream.x86.x-none.man.dat", lpSrch=".ebal") returned 0x0 [0065.659] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.659] lstrcmpW (lpString1="stream.x86.x-none.man.dat", lpString2="taridd") returned -1 [0065.659] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.659] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0065.660] GetTickCount () returned 0x1150d1c [0065.660] GetTickCount () returned 0x1150d1c [0065.660] GetTickCount () returned 0x1150d1c [0065.660] GetTickCount () returned 0x1150d1c [0065.660] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0065.660] GetProcessHeap () returned 0x3a00000 [0065.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.660] ReadFile (in: hFile=0x440, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.663] WriteFile (in: hFile=0x440, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0065.663] GetProcessHeap () returned 0x3a00000 [0065.663] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.663] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0065.664] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0065.664] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0065.664] CloseHandle (hObject=0x440) returned 1 [0065.664] GetProcessHeap () returned 0x3a00000 [0065.664] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0065.665] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 147 [0065.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal")) returned 1 [0065.665] GetProcessHeap () returned 0x3a00000 [0065.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0065.665] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x447ce00, ftLastWriteTime.dwHighDateTime=0x1d32055, nFileSizeHigh=0x0, nFileSizeLow=0x460b47, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat", cAlternateFileName="STREAM~1.DAT")) returned 0 [0065.665] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0065.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 134 [0065.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0065.666] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.667] CloseHandle (hObject=0x43c) returned 1 [0065.667] GetProcessHeap () returned 0x3a00000 [0065.667] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0065.667] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x66b4e849, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x66b4e849, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0065.667] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0065.667] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0065.667] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.667] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0065.668] CloseHandle (hObject=0x438) returned 1 [0065.668] GetProcessHeap () returned 0x3a00000 [0065.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.668] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 0 [0065.668] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0065.668] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0065.669] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\productreleases\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.670] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.670] CloseHandle (hObject=0x434) returned 1 [0065.671] GetProcessHeap () returned 0x3a00000 [0065.671] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.671] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserData", cAlternateFileName="")) returned 1 [0065.671] lstrcmpiW (lpString1="UserData", lpString2="Windows") returned -1 [0065.671] lstrcmpiW (lpString1="UserData", lpString2="$Recycle.bin") returned 1 [0065.671] lstrcmpiW (lpString1="UserData", lpString2="System Volume Information") returned 1 [0065.671] lstrcmpiW (lpString1="UserData", lpString2="Program Files") returned 1 [0065.671] lstrcmpiW (lpString1="UserData", lpString2="Program Files (x86)") returned 1 [0065.671] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData") returned 48 [0065.671] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0065.671] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0065.671] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.671] GetProcessHeap () returned 0x3a00000 [0065.671] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.671] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*") returned 50 [0065.671] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0065.671] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.671] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\.") returned 50 [0065.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.671] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.672] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.672] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.672] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\..") returned 51 [0065.672] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.672] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.672] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0065.672] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0065.672] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0065.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\userdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0065.672] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0065.673] CloseHandle (hObject=0x434) returned 1 [0065.673] GetProcessHeap () returned 0x3a00000 [0065.673] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0065.673] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0065.673] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0065.673] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0065.673] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0065.673] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0065.673] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0065.673] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 78 [0065.673] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2=".") returned 1 [0065.673] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="..") returned 1 [0065.673] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0065.673] GetProcessHeap () returned 0x3a00000 [0065.673] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0065.673] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned 80 [0065.673] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0065.683] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0065.683] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0065.683] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0065.683] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0065.683] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0065.683] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\.") returned 80 [0065.683] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0065.683] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0065.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0065.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0065.684] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\..") returned 81 [0065.685] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0065.685] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0065.685] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437adb83, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x437adb83, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x247ecc35, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x44e23, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AirSpace.Etw.man", cAlternateFileName="AIRSPA~1.MAN")) returned 1 [0065.685] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Windows") returned -1 [0065.685] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="$Recycle.bin") returned 1 [0065.685] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="System Volume Information") returned -1 [0065.685] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Program Files") returned -1 [0065.685] lstrcmpiW (lpString1="AirSpace.Etw.man", lpString2="Program Files (x86)") returned -1 [0065.685] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man") returned 95 [0065.685] StrStrIW (lpFirst="AirSpace.Etw.man", lpSrch=".ebal") returned 0x0 [0065.685] lstrcmpW (lpString1="AirSpace.Etw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.685] lstrcmpW (lpString1="AirSpace.Etw.man", lpString2="taridd") returned -1 [0065.685] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.685] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.685] GetTickCount () returned 0x1150d3b [0065.685] GetTickCount () returned 0x1150d3b [0065.685] GetTickCount () returned 0x1150d3b [0065.685] GetTickCount () returned 0x1150d3b [0065.685] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.685] GetProcessHeap () returned 0x3a00000 [0065.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.686] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.688] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.688] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.688] GetProcessHeap () returned 0x3a00000 [0065.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.688] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.688] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.690] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.690] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.690] CloseHandle (hObject=0x438) returned 1 [0065.690] GetProcessHeap () returned 0x3a00000 [0065.690] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.690] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man_r00t_{8ew5f6}.ebal") returned 114 [0065.690] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\airspace.etw.man_r00t_{8ew5f6}.ebal")) returned 1 [0065.691] GetProcessHeap () returned 0x3a00000 [0065.691] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.691] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2686ce0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x91f0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", cAlternateFileName="C25A45~1.XML")) returned 1 [0065.691] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.691] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.691] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.691] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.691] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.691] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml") returned 129 [0065.691] StrStrIW (lpFirst="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.691] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.691] lstrcmpW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.691] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.A", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.691] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.691] GetTickCount () returned 0x1150d4b [0065.692] GetTickCount () returned 0x1150d4b [0065.692] GetTickCount () returned 0x1150d4b [0065.692] GetTickCount () returned 0x1150d4b [0065.692] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.692] GetProcessHeap () returned 0x3a00000 [0065.692] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.692] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.694] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.694] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.694] GetProcessHeap () returned 0x3a00000 [0065.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.694] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.694] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.694] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.694] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.694] CloseHandle (hObject=0x438) returned 1 [0065.694] GetProcessHeap () returned 0x3a00000 [0065.695] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.695] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 148 [0065.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.access.access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.696] GetProcessHeap () returned 0x3a00000 [0065.696] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.696] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd356d87a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xe71c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmui.msi.16.en-us.xml", cAlternateFileName="C222C2~1.XML")) returned 1 [0065.696] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.696] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.696] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.696] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.696] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.696] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml") returned 117 [0065.696] StrStrIW (lpFirst="C2RManifest.accessmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.696] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.696] lstrcmpW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.696] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.696] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.696] GetTickCount () returned 0x1150d4b [0065.696] GetTickCount () returned 0x1150d4b [0065.696] GetTickCount () returned 0x1150d4b [0065.696] GetTickCount () returned 0x1150d4b [0065.696] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.696] GetProcessHeap () returned 0x3a00000 [0065.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.696] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.698] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.699] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.699] GetProcessHeap () returned 0x3a00000 [0065.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.699] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.699] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.699] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.699] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.699] CloseHandle (hObject=0x438) returned 1 [0065.699] GetProcessHeap () returned 0x3a00000 [0065.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.699] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 136 [0065.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.700] GetProcessHeap () returned 0x3a00000 [0065.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.700] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31d9ff6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml", cAlternateFileName="C2FB2E~1.XML")) returned 1 [0065.700] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.700] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.700] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.700] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.700] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.700] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml") returned 120 [0065.700] StrStrIW (lpFirst="C2RManifest.accessmuiset.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.700] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.700] lstrcmpW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.700] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.700] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.701] GetTickCount () returned 0x1150d4b [0065.701] GetTickCount () returned 0x1150d4b [0065.701] GetTickCount () returned 0x1150d4b [0065.701] GetTickCount () returned 0x1150d4b [0065.701] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.701] GetProcessHeap () returned 0x3a00000 [0065.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.701] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.702] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.703] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.703] GetProcessHeap () returned 0x3a00000 [0065.703] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.703] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.703] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.703] CloseHandle (hObject=0x438) returned 1 [0065.703] GetProcessHeap () returned 0x3a00000 [0065.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.703] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0065.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.704] GetProcessHeap () returned 0x3a00000 [0065.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.704] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd26f9444, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3f14, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", cAlternateFileName="C210C4~1.XML")) returned 1 [0065.704] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.704] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.704] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.704] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.704] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.704] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml") returned 123 [0065.704] StrStrIW (lpFirst="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.704] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.704] lstrcmpW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.704] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.705] GetTickCount () returned 0x1150d4b [0065.705] GetTickCount () returned 0x1150d4b [0065.705] GetTickCount () returned 0x1150d4b [0065.705] GetTickCount () returned 0x1150d4b [0065.705] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.705] GetProcessHeap () returned 0x3a00000 [0065.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.705] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.707] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.707] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.707] GetProcessHeap () returned 0x3a00000 [0065.707] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.707] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.707] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.707] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.708] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.708] CloseHandle (hObject=0x438) returned 1 [0065.708] GetProcessHeap () returned 0x3a00000 [0065.708] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.708] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 142 [0065.708] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcf.dcf.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.708] GetProcessHeap () returned 0x3a00000 [0065.708] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.708] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd31415cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x265a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml", cAlternateFileName="C206B0~1.XML")) returned 1 [0065.708] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.708] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.708] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.708] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.709] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.709] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml") returned 114 [0065.709] StrStrIW (lpFirst="C2RManifest.dcfmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.709] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.709] lstrcmpW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.709] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.m", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.709] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.709] GetTickCount () returned 0x1150d5a [0065.709] GetTickCount () returned 0x1150d5a [0065.709] GetTickCount () returned 0x1150d5a [0065.709] GetTickCount () returned 0x1150d5a [0065.709] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.709] GetProcessHeap () returned 0x3a00000 [0065.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.709] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x265a, lpOverlapped=0x0) returned 1 [0065.711] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd9a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.711] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x265a, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x265a, lpOverlapped=0x0) returned 1 [0065.711] GetProcessHeap () returned 0x3a00000 [0065.711] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.711] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.711] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.711] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.711] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.711] CloseHandle (hObject=0x438) returned 1 [0065.711] GetProcessHeap () returned 0x3a00000 [0065.711] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.711] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 133 [0065.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.712] GetProcessHeap () returned 0x3a00000 [0065.712] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.712] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed611426, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed611426, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd252f7b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x39d9c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", cAlternateFileName="C21578~1.XML")) returned 1 [0065.712] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.712] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.712] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.712] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.712] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.712] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml") returned 127 [0065.712] StrStrIW (lpFirst="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.712] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.712] lstrcmpW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.712] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Ex", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.712] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.713] GetTickCount () returned 0x1150d5a [0065.713] GetTickCount () returned 0x1150d5a [0065.713] GetTickCount () returned 0x1150d5a [0065.713] GetTickCount () returned 0x1150d5a [0065.713] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.713] GetProcessHeap () returned 0x3a00000 [0065.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.713] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.715] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.715] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.716] GetProcessHeap () returned 0x3a00000 [0065.716] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.716] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.716] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.716] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.717] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.717] CloseHandle (hObject=0x438) returned 1 [0065.717] GetProcessHeap () returned 0x3a00000 [0065.717] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.717] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 146 [0065.717] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excel.excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.717] GetProcessHeap () returned 0x3a00000 [0065.717] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.717] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5c4f9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5c4f9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd330b2e9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.excelmui.msi.16.en-us.xml", cAlternateFileName="C2D2CD~1.XML")) returned 1 [0065.717] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.717] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.717] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.718] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.718] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.718] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml") returned 116 [0065.718] StrStrIW (lpFirst="C2RManifest.excelmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.718] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.718] lstrcmpW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.718] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.718] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.718] GetTickCount () returned 0x1150d5a [0065.718] GetTickCount () returned 0x1150d5a [0065.718] GetTickCount () returned 0x1150d5a [0065.718] GetTickCount () returned 0x1150d5a [0065.719] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.719] GetProcessHeap () returned 0x3a00000 [0065.719] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.719] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.721] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.721] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.721] GetProcessHeap () returned 0x3a00000 [0065.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.721] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.721] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.721] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.721] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.722] CloseHandle (hObject=0x438) returned 1 [0065.722] GetProcessHeap () returned 0x3a00000 [0065.722] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.722] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0065.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.722] GetProcessHeap () returned 0x3a00000 [0065.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.722] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd23fe538, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8f8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", cAlternateFileName="C233DB~1.XML")) returned 1 [0065.722] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.722] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.722] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.723] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.723] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.723] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml") returned 129 [0065.725] StrStrIW (lpFirst="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.725] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.725] lstrcmpW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.725] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.G", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.725] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.725] GetTickCount () returned 0x1150d6a [0065.725] GetTickCount () returned 0x1150d6a [0065.725] GetTickCount () returned 0x1150d6a [0065.725] GetTickCount () returned 0x1150d6a [0065.725] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.725] GetProcessHeap () returned 0x3a00000 [0065.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.725] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.727] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.727] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.728] GetProcessHeap () returned 0x3a00000 [0065.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.728] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.728] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.728] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.728] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.728] CloseHandle (hObject=0x438) returned 1 [0065.731] GetProcessHeap () returned 0x3a00000 [0065.731] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.731] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 148 [0065.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groove.groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.731] GetProcessHeap () returned 0x3a00000 [0065.731] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.731] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3298bbd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x180e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.groovemui.msi.16.en-us.xml", cAlternateFileName="C26024~1.XML")) returned 1 [0065.732] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.732] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.732] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.732] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.732] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.732] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml") returned 117 [0065.732] StrStrIW (lpFirst="C2RManifest.groovemui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.732] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.732] lstrcmpW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.732] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.733] GetTickCount () returned 0x1150d6a [0065.733] GetTickCount () returned 0x1150d6a [0065.733] GetTickCount () returned 0x1150d6a [0065.733] GetTickCount () returned 0x1150d6a [0065.733] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.733] GetProcessHeap () returned 0x3a00000 [0065.733] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.733] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x180e, lpOverlapped=0x0) returned 1 [0065.734] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe7f2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.734] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x180e, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x180e, lpOverlapped=0x0) returned 1 [0065.734] GetProcessHeap () returned 0x3a00000 [0065.734] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.734] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.735] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.735] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.735] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.735] CloseHandle (hObject=0x438) returned 1 [0065.735] GetProcessHeap () returned 0x3a00000 [0065.735] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.735] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 136 [0065.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.735] GetProcessHeap () returned 0x3a00000 [0065.736] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.736] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd257bc65, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", cAlternateFileName="C25956~1.XML")) returned 1 [0065.736] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.736] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.736] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.736] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.736] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.736] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml") returned 125 [0065.736] StrStrIW (lpFirst="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.736] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.736] lstrcmpW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.736] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lyn", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.736] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.736] GetTickCount () returned 0x1150d6a [0065.736] GetTickCount () returned 0x1150d6a [0065.736] GetTickCount () returned 0x1150d6a [0065.736] GetTickCount () returned 0x1150d6a [0065.736] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.736] GetProcessHeap () returned 0x3a00000 [0065.736] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.736] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.739] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.739] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.739] GetProcessHeap () returned 0x3a00000 [0065.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.739] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.739] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.739] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.739] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.739] CloseHandle (hObject=0x438) returned 1 [0065.739] GetProcessHeap () returned 0x3a00000 [0065.739] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.739] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 144 [0065.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lync.lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.740] GetProcessHeap () returned 0x3a00000 [0065.740] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.740] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed578aca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed578aca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd32bedda, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5b94, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml", cAlternateFileName="C2FCD6~1.XML")) returned 1 [0065.740] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.740] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.740] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.740] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.740] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.740] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml") returned 115 [0065.740] StrStrIW (lpFirst="C2RManifest.lyncmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.740] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.740] lstrcmpW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.740] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.740] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.741] GetTickCount () returned 0x1150d79 [0065.741] GetTickCount () returned 0x1150d79 [0065.741] GetTickCount () returned 0x1150d79 [0065.741] GetTickCount () returned 0x1150d79 [0065.741] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.741] GetProcessHeap () returned 0x3a00000 [0065.741] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.741] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.743] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.743] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.743] GetProcessHeap () returned 0x3a00000 [0065.743] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.743] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.743] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.743] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.743] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.743] CloseHandle (hObject=0x438) returned 1 [0065.743] GetProcessHeap () returned 0x3a00000 [0065.743] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.743] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 134 [0065.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.744] GetProcessHeap () returned 0x3a00000 [0065.744] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.744] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5063b1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5063b1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3593a88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6b4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32mui.msi.16.en-us.xml", cAlternateFileName="C2BADD~1.XML")) returned 1 [0065.744] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.744] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.744] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.744] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.744] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.744] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml") returned 119 [0065.744] StrStrIW (lpFirst="C2RManifest.office32mui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.744] lstrcmpW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.744] lstrcmpW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.744] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.744] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.745] GetTickCount () returned 0x1150d79 [0065.745] GetTickCount () returned 0x1150d79 [0065.745] GetTickCount () returned 0x1150d79 [0065.745] GetTickCount () returned 0x1150d79 [0065.745] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.745] GetProcessHeap () returned 0x3a00000 [0065.745] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6e280 [0065.745] ReadFile (in: hFile=0x438, lpBuffer=0x3a6e280, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.747] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.747] WriteFile (in: hFile=0x438, lpBuffer=0x3a6e280*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6e280*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.747] GetProcessHeap () returned 0x3a00000 [0065.747] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6e280 | out: hHeap=0x3a00000) returned 1 [0065.747] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.747] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.748] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.748] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.748] CloseHandle (hObject=0x438) returned 1 [0065.748] GetProcessHeap () returned 0x3a00000 [0065.748] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 138 [0065.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.748] GetProcessHeap () returned 0x3a00000 [0065.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.748] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed3d50b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed3d50b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2cc8f5f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4f3f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32ww.msi.16.x-none.xml", cAlternateFileName="C2EBFE~1.XML")) returned 1 [0065.749] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.749] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.749] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.749] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.749] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.749] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml") returned 119 [0065.749] StrStrIW (lpFirst="C2RManifest.office32ww.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.749] lstrcmpW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.749] lstrcmpW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.749] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.749] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.749] GetTickCount () returned 0x1150d79 [0065.750] GetTickCount () returned 0x1150d79 [0065.750] GetTickCount () returned 0x1150d79 [0065.750] GetTickCount () returned 0x1150d79 [0065.750] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.750] GetProcessHeap () returned 0x3a00000 [0065.750] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.750] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.751] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.752] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.752] GetProcessHeap () returned 0x3a00000 [0065.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.752] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.752] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.754] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.754] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.754] CloseHandle (hObject=0x438) returned 1 [0065.754] GetProcessHeap () returned 0x3a00000 [0065.754] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.754] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 138 [0065.754] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.755] GetProcessHeap () returned 0x3a00000 [0065.755] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.755] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed31650e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed31650e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd36c4db5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x19870, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemui.msi.16.en-us.xml", cAlternateFileName="C29059~1.XML")) returned 1 [0065.755] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.755] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.755] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.755] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.755] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.755] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml") returned 117 [0065.755] StrStrIW (lpFirst="C2RManifest.officemui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.755] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.755] lstrcmpW (lpString1="C2RManifest.officemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.755] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.755] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.756] GetTickCount () returned 0x1150d89 [0065.756] GetTickCount () returned 0x1150d89 [0065.756] GetTickCount () returned 0x1150d89 [0065.756] GetTickCount () returned 0x1150d89 [0065.756] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.756] GetProcessHeap () returned 0x3a00000 [0065.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.756] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.758] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.758] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.758] GetProcessHeap () returned 0x3a00000 [0065.758] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.758] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.758] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.759] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.759] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.759] CloseHandle (hObject=0x438) returned 1 [0065.759] GetProcessHeap () returned 0x3a00000 [0065.759] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.759] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 136 [0065.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.759] GetProcessHeap () returned 0x3a00000 [0065.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.760] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd38424c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml", cAlternateFileName="C2467F~1.XML")) returned 1 [0065.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.760] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.760] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml") returned 120 [0065.760] StrStrIW (lpFirst="C2RManifest.officemuiset.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.760] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.760] lstrcmpW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.760] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.760] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.761] GetTickCount () returned 0x1150d89 [0065.761] GetTickCount () returned 0x1150d89 [0065.761] GetTickCount () returned 0x1150d89 [0065.761] GetTickCount () returned 0x1150d89 [0065.761] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.761] GetProcessHeap () returned 0x3a00000 [0065.761] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.761] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.767] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.767] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.767] GetProcessHeap () returned 0x3a00000 [0065.767] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.767] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.767] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.767] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.768] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.768] CloseHandle (hObject=0x438) returned 1 [0065.768] GetProcessHeap () returned 0x3a00000 [0065.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.768] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0065.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.768] GetProcessHeap () returned 0x3a00000 [0065.768] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.768] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd295b9b9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17b3c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", cAlternateFileName="C21839~1.XML")) returned 1 [0065.768] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.769] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.769] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.769] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.769] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.769] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml") returned 131 [0065.769] StrStrIW (lpFirst="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.769] lstrcmpW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.769] lstrcmpW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.769] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.769] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.769] GetTickCount () returned 0x1150d89 [0065.769] GetTickCount () returned 0x1150d89 [0065.769] GetTickCount () returned 0x1150d89 [0065.769] GetTickCount () returned 0x1150d89 [0065.769] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.769] GetProcessHeap () returned 0x3a00000 [0065.769] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.769] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.779] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.779] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.779] GetProcessHeap () returned 0x3a00000 [0065.779] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.779] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.779] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.779] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.779] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.779] CloseHandle (hObject=0x438) returned 1 [0065.780] GetProcessHeap () returned 0x3a00000 [0065.780] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.780] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0065.780] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenote.onenote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.780] GetProcessHeap () returned 0x3a00000 [0065.780] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.780] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2ca0b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2ca0b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd375d6d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4a4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml", cAlternateFileName="C24C3D~1.XML")) returned 1 [0065.780] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.780] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.780] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.780] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.781] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.781] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml") returned 118 [0065.781] StrStrIW (lpFirst="C2RManifest.onenotemui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.781] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.781] lstrcmpW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.781] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotem", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.781] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.781] GetTickCount () returned 0x1150d99 [0065.781] GetTickCount () returned 0x1150d99 [0065.781] GetTickCount () returned 0x1150d99 [0065.781] GetTickCount () returned 0x1150d99 [0065.781] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.781] GetProcessHeap () returned 0x3a00000 [0065.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.781] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.783] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.783] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.783] GetProcessHeap () returned 0x3a00000 [0065.783] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.783] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.783] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.784] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.784] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.784] CloseHandle (hObject=0x438) returned 1 [0065.784] GetProcessHeap () returned 0x3a00000 [0065.784] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.784] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 137 [0065.784] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.784] GetProcessHeap () returned 0x3a00000 [0065.784] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.784] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29a7ddb, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5f6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", cAlternateFileName="C24EFF~1.XML")) returned 1 [0065.785] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.785] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.785] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.785] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.785] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.785] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml") returned 123 [0065.785] StrStrIW (lpFirst="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.785] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.785] lstrcmpW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.785] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.785] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.786] GetTickCount () returned 0x1150da8 [0065.786] GetTickCount () returned 0x1150da8 [0065.786] GetTickCount () returned 0x1150da8 [0065.786] GetTickCount () returned 0x1150da8 [0065.786] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.786] GetProcessHeap () returned 0x3a00000 [0065.786] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.786] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x5f6, lpOverlapped=0x0) returned 1 [0065.787] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffa0a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.787] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x5f6, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x5f6, lpOverlapped=0x0) returned 1 [0065.787] GetProcessHeap () returned 0x3a00000 [0065.787] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.787] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.788] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.788] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.788] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.788] CloseHandle (hObject=0x438) returned 1 [0065.788] GetProcessHeap () returned 0x3a00000 [0065.788] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 142 [0065.788] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osm.osm.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.788] GetProcessHeap () returned 0x3a00000 [0065.789] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.789] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3678904, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmmui.msi.16.en-us.xml", cAlternateFileName="C25F09~1.XML")) returned 1 [0065.789] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.789] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.789] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.789] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.789] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.789] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml") returned 114 [0065.789] StrStrIW (lpFirst="C2RManifest.osmmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.789] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.789] lstrcmpW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.789] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.m", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.789] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.789] GetTickCount () returned 0x1150da8 [0065.789] GetTickCount () returned 0x1150da8 [0065.789] GetTickCount () returned 0x1150da8 [0065.789] GetTickCount () returned 0x1150da8 [0065.789] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.789] GetProcessHeap () returned 0x3a00000 [0065.789] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.789] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.791] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.791] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.791] GetProcessHeap () returned 0x3a00000 [0065.791] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.791] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.791] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.791] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.791] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.791] CloseHandle (hObject=0x438) returned 1 [0065.792] GetProcessHeap () returned 0x3a00000 [0065.792] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.792] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 133 [0065.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.792] GetProcessHeap () returned 0x3a00000 [0065.792] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.792] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd28c2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x906, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", cAlternateFileName="C22C6F~1.XML")) returned 1 [0065.792] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.792] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.792] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.792] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.792] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.792] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml") returned 127 [0065.792] StrStrIW (lpFirst="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.792] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.793] lstrcmpW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.793] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OS", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.793] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.793] GetTickCount () returned 0x1150da8 [0065.793] GetTickCount () returned 0x1150da8 [0065.793] GetTickCount () returned 0x1150da8 [0065.793] GetTickCount () returned 0x1150da8 [0065.793] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.793] GetProcessHeap () returned 0x3a00000 [0065.793] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.793] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x906, lpOverlapped=0x0) returned 1 [0065.794] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff6fa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.794] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x906, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x906, lpOverlapped=0x0) returned 1 [0065.795] GetProcessHeap () returned 0x3a00000 [0065.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.795] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.795] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.795] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.795] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.795] CloseHandle (hObject=0x438) returned 1 [0065.795] GetProcessHeap () returned 0x3a00000 [0065.795] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.795] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 146 [0065.795] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmux.osmux.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.796] GetProcessHeap () returned 0x3a00000 [0065.796] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.796] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd362c40f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2b8a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml", cAlternateFileName="C21C45~1.XML")) returned 1 [0065.796] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.796] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.796] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.796] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.796] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.796] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml") returned 116 [0065.796] StrStrIW (lpFirst="C2RManifest.osmuxmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.796] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.796] lstrcmpW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.796] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.797] GetTickCount () returned 0x1150da8 [0065.797] GetTickCount () returned 0x1150da8 [0065.797] GetTickCount () returned 0x1150da8 [0065.797] GetTickCount () returned 0x1150da8 [0065.797] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.797] GetProcessHeap () returned 0x3a00000 [0065.797] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.797] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.799] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.799] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.799] GetProcessHeap () returned 0x3a00000 [0065.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.799] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.799] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.799] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.799] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.799] CloseHandle (hObject=0x438) returned 1 [0065.799] GetProcessHeap () returned 0x3a00000 [0065.799] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.800] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0065.800] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.800] GetProcessHeap () returned 0x3a00000 [0065.800] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.800] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd276bb03, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17194, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", cAlternateFileName="C29151~1.XML")) returned 1 [0065.802] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.802] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.802] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.802] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.802] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.802] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml") returned 131 [0065.802] StrStrIW (lpFirst="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.802] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.803] lstrcmpW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.803] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.803] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.803] GetTickCount () returned 0x1150db8 [0065.803] GetTickCount () returned 0x1150db8 [0065.803] GetTickCount () returned 0x1150db8 [0065.803] GetTickCount () returned 0x1150db8 [0065.803] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.803] GetProcessHeap () returned 0x3a00000 [0065.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.803] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.805] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.805] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.805] GetProcessHeap () returned 0x3a00000 [0065.805] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.805] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.805] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.806] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.806] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.806] CloseHandle (hObject=0x438) returned 1 [0065.806] GetProcessHeap () returned 0x3a00000 [0065.806] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.806] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0065.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlook.outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.807] GetProcessHeap () returned 0x3a00000 [0065.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.807] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed20b499, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed20b499, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3783951, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x17984, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml", cAlternateFileName="C2C4E2~1.XML")) returned 1 [0065.807] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.807] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.807] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.807] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.807] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.807] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml") returned 118 [0065.807] StrStrIW (lpFirst="C2RManifest.outlookmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.807] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.807] lstrcmpW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.807] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.808] GetTickCount () returned 0x1150db8 [0065.808] GetTickCount () returned 0x1150db8 [0065.808] GetTickCount () returned 0x1150db8 [0065.808] GetTickCount () returned 0x1150db8 [0065.808] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.808] GetProcessHeap () returned 0x3a00000 [0065.808] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.808] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.810] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.810] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.810] GetProcessHeap () returned 0x3a00000 [0065.810] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.810] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.810] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.810] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.811] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.811] CloseHandle (hObject=0x438) returned 1 [0065.811] GetProcessHeap () returned 0x3a00000 [0065.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.811] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 137 [0065.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.811] GetProcessHeap () returned 0x3a00000 [0065.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.811] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed1e5243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed1e5243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd27de170, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xafddc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", cAlternateFileName="C280EB~1.XML")) returned 1 [0065.811] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.811] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.811] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.811] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.812] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.812] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml") returned 137 [0065.812] StrStrIW (lpFirst="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.812] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.812] lstrcmpW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.812] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPiv", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.812] GetTickCount () returned 0x1150db8 [0065.812] GetTickCount () returned 0x1150db8 [0065.812] GetTickCount () returned 0x1150db8 [0065.812] GetTickCount () returned 0x1150db8 [0065.812] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.813] GetProcessHeap () returned 0x3a00000 [0065.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.813] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.815] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.815] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.815] GetProcessHeap () returned 0x3a00000 [0065.815] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.815] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.815] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.817] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.817] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.817] CloseHandle (hObject=0x438) returned 1 [0065.817] GetProcessHeap () returned 0x3a00000 [0065.817] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.817] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 156 [0065.817] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpivot.powerpivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.818] GetProcessHeap () returned 0x3a00000 [0065.818] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.818] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed12666a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed12666a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd290f4ec, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x195a4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", cAlternateFileName="C222CA~1.XML")) returned 1 [0065.818] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.818] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.818] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.818] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.818] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.818] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml") returned 137 [0065.818] StrStrIW (lpFirst="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.818] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.818] lstrcmpW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.818] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.818] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.818] GetTickCount () returned 0x1150dc8 [0065.818] GetTickCount () returned 0x1150dc8 [0065.818] GetTickCount () returned 0x1150dc8 [0065.818] GetTickCount () returned 0x1150dc8 [0065.818] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.819] GetProcessHeap () returned 0x3a00000 [0065.819] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.819] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.837] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.837] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.837] GetProcessHeap () returned 0x3a00000 [0065.837] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.837] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.837] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.838] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.838] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.838] CloseHandle (hObject=0x438) returned 1 [0065.838] GetProcessHeap () returned 0x3a00000 [0065.838] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 156 [0065.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpoint.powerpoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.839] GetProcessHeap () returned 0x3a00000 [0065.839] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.839] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed0da264, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed0da264, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd35dffce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x689e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml", cAlternateFileName="C27FF4~1.XML")) returned 1 [0065.839] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.839] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.839] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.839] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.839] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.839] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml") returned 121 [0065.839] StrStrIW (lpFirst="C2RManifest.powerpointmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.839] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.839] lstrcmpW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpoi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.840] GetTickCount () returned 0x1150dd7 [0065.840] GetTickCount () returned 0x1150dd7 [0065.840] GetTickCount () returned 0x1150dd7 [0065.840] GetTickCount () returned 0x1150dd7 [0065.840] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.840] GetProcessHeap () returned 0x3a00000 [0065.840] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.840] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.842] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.842] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.842] GetProcessHeap () returned 0x3a00000 [0065.842] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.842] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.842] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.842] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.842] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.842] CloseHandle (hObject=0x438) returned 1 [0065.843] GetProcessHeap () returned 0x3a00000 [0065.843] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.843] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 140 [0065.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.843] GetProcessHeap () returned 0x3a00000 [0065.843] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.843] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x7446, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", cAlternateFileName="C2E87B~1.XML")) returned 1 [0065.843] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.843] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.843] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.843] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.843] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.843] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml") returned 131 [0065.843] StrStrIW (lpFirst="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.844] lstrcmpW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.844] lstrcmpW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.844] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.844] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.844] GetTickCount () returned 0x1150dd7 [0065.844] GetTickCount () returned 0x1150dd7 [0065.844] GetTickCount () returned 0x1150dd7 [0065.844] GetTickCount () returned 0x1150dd7 [0065.844] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.844] GetProcessHeap () returned 0x3a00000 [0065.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.845] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.846] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.846] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.847] GetProcessHeap () returned 0x3a00000 [0065.847] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.847] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.847] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.847] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.847] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.847] CloseHandle (hObject=0x438) returned 1 [0065.847] GetProcessHeap () returned 0x3a00000 [0065.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.847] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0065.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.project.project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.848] GetProcessHeap () returned 0x3a00000 [0065.848] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.848] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2d20ad, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x809e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.projectmui.msi.16.en-us.xml", cAlternateFileName="C26005~1.XML")) returned 1 [0065.848] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.849] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.849] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.849] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.849] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml") returned 118 [0065.849] StrStrIW (lpFirst="C2RManifest.projectmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.849] lstrcmpW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.849] lstrcmpW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.849] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.849] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.849] GetTickCount () returned 0x1150de7 [0065.849] GetTickCount () returned 0x1150de7 [0065.849] GetTickCount () returned 0x1150de7 [0065.849] GetTickCount () returned 0x1150de7 [0065.849] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.849] GetProcessHeap () returned 0x3a00000 [0065.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.849] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.851] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.851] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.852] GetProcessHeap () returned 0x3a00000 [0065.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.852] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.852] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.852] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.852] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.852] CloseHandle (hObject=0x438) returned 1 [0065.852] GetProcessHeap () returned 0x3a00000 [0065.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.852] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 137 [0065.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.853] GetProcessHeap () returned 0x3a00000 [0065.853] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.853] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd397382c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x63ae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml", cAlternateFileName="C2B3EB~1.XML")) returned 1 [0065.853] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.853] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.853] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.853] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.853] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml") returned 121 [0065.853] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.853] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.853] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.853] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Cu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.853] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.854] GetTickCount () returned 0x1150de7 [0065.854] GetTickCount () returned 0x1150de7 [0065.854] GetTickCount () returned 0x1150de7 [0065.854] GetTickCount () returned 0x1150de7 [0065.854] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.854] GetProcessHeap () returned 0x3a00000 [0065.854] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.854] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.855] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.856] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.856] GetProcessHeap () returned 0x3a00000 [0065.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.856] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.856] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.856] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.856] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.856] CloseHandle (hObject=0x438) returned 1 [0065.856] GetProcessHeap () returned 0x3a00000 [0065.856] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.856] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 140 [0065.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.857] GetProcessHeap () returned 0x3a00000 [0065.857] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.857] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37a9bb2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml", cAlternateFileName="C23127~1.XML")) returned 1 [0065.857] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Windows") returned -1 [0065.857] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="$Recycle.bin") returned 1 [0065.857] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="System Volume Information") returned -1 [0065.857] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Program Files") returned -1 [0065.857] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="Program Files (x86)") returned -1 [0065.857] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml") returned 121 [0065.857] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpSrch=".ebal") returned 0x0 [0065.857] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.857] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml", lpString2="taridd") returned -1 [0065.857] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Cu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.858] GetTickCount () returned 0x1150de7 [0065.858] GetTickCount () returned 0x1150de7 [0065.858] GetTickCount () returned 0x1150de7 [0065.858] GetTickCount () returned 0x1150de7 [0065.858] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.858] GetProcessHeap () returned 0x3a00000 [0065.858] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.858] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.860] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.860] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.860] GetProcessHeap () returned 0x3a00000 [0065.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.860] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.860] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.861] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.861] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.861] CloseHandle (hObject=0x438) returned 1 [0065.861] GetProcessHeap () returned 0x3a00000 [0065.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal") returned 140 [0065.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.862] GetProcessHeap () returned 0x3a00000 [0065.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.862] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed067a9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed067a9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3999a72, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5fee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", cAlternateFileName="C2BAB3~1.XML")) returned 1 [0065.862] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Windows") returned -1 [0065.862] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="$Recycle.bin") returned 1 [0065.862] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="System Volume Information") returned -1 [0065.862] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Program Files") returned -1 [0065.862] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="Program Files (x86)") returned -1 [0065.862] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml") returned 121 [0065.862] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpSrch=".ebal") returned 0x0 [0065.862] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.862] lstrcmpW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml", lpString2="taridd") returned -1 [0065.862] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Cu", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.862] GetTickCount () returned 0x1150de7 [0065.862] GetTickCount () returned 0x1150de7 [0065.862] GetTickCount () returned 0x1150de7 [0065.862] GetTickCount () returned 0x1150de7 [0065.862] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.862] GetProcessHeap () returned 0x3a00000 [0065.862] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.862] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.864] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.864] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.865] GetProcessHeap () returned 0x3a00000 [0065.865] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.865] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.865] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.865] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.865] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.865] CloseHandle (hObject=0x438) returned 1 [0065.865] GetProcessHeap () returned 0x3a00000 [0065.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.865] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal") returned 140 [0065.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proof.culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.866] GetProcessHeap () returned 0x3a00000 [0065.866] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.866] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37f6035, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x7fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.proofing.msi.16.en-us.xml", cAlternateFileName="C24618~1.XML")) returned 1 [0065.866] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.866] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.866] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.866] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.866] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.866] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml") returned 116 [0065.866] StrStrIW (lpFirst="C2RManifest.proofing.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.866] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.866] lstrcmpW (lpString1="C2RManifest.proofing.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.866] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.866] GetTickCount () returned 0x1150df6 [0065.866] GetTickCount () returned 0x1150df6 [0065.866] GetTickCount () returned 0x1150df6 [0065.866] GetTickCount () returned 0x1150df6 [0065.866] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.867] GetProcessHeap () returned 0x3a00000 [0065.867] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.867] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.869] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff806, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.869] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x7fa, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x7fa, lpOverlapped=0x0) returned 1 [0065.869] GetProcessHeap () returned 0x3a00000 [0065.869] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.869] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.869] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.869] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.869] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.869] CloseHandle (hObject=0x438) returned 1 [0065.869] GetProcessHeap () returned 0x3a00000 [0065.869] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.870] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0065.870] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.870] GetProcessHeap () returned 0x3a00000 [0065.870] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.870] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2b97d2d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12e4a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", cAlternateFileName="C2C6D1~1.XML")) returned 1 [0065.870] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.870] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.870] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.870] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.870] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.870] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml") returned 135 [0065.870] StrStrIW (lpFirst="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.871] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.871] lstrcmpW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.871] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publishe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.871] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.871] GetTickCount () returned 0x1150df6 [0065.871] GetTickCount () returned 0x1150df6 [0065.871] GetTickCount () returned 0x1150df6 [0065.871] GetTickCount () returned 0x1150df6 [0065.871] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.871] GetProcessHeap () returned 0x3a00000 [0065.871] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.871] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.873] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.873] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.873] GetProcessHeap () returned 0x3a00000 [0065.873] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.873] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.873] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.874] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.874] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.874] CloseHandle (hObject=0x438) returned 1 [0065.874] GetProcessHeap () returned 0x3a00000 [0065.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.874] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 154 [0065.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publisher.publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.874] GetProcessHeap () returned 0x3a00000 [0065.874] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.874] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd37374c5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x3734, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.publishermui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~4.XML")) returned 1 [0065.875] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.875] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.875] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.875] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.875] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.875] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml") returned 120 [0065.875] StrStrIW (lpFirst="C2RManifest.publishermui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.875] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.875] lstrcmpW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.875] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.875] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.875] GetTickCount () returned 0x1150df6 [0065.875] GetTickCount () returned 0x1150df6 [0065.875] GetTickCount () returned 0x1150df6 [0065.875] GetTickCount () returned 0x1150df6 [0065.875] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.875] GetProcessHeap () returned 0x3a00000 [0065.875] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.875] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.882] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.882] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.882] GetProcessHeap () returned 0x3a00000 [0065.882] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.882] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.882] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.882] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.882] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.882] CloseHandle (hObject=0x438) returned 1 [0065.883] GetProcessHeap () returned 0x3a00000 [0065.883] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.883] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0065.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.883] GetProcessHeap () returned 0x3a00000 [0065.883] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.883] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed01b5ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed01b5ef, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd29ce0e8, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xb27ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~3.XML")) returned 1 [0065.883] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.883] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.883] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.883] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.883] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.883] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml") returned 129 [0065.883] StrStrIW (lpFirst="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.883] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.883] lstrcmpW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.884] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.O", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.884] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.884] GetTickCount () returned 0x1150e06 [0065.884] GetTickCount () returned 0x1150e06 [0065.884] GetTickCount () returned 0x1150e06 [0065.884] GetTickCount () returned 0x1150e06 [0065.884] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.885] GetProcessHeap () returned 0x3a00000 [0065.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.885] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.887] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.887] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.887] GetProcessHeap () returned 0x3a00000 [0065.887] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.887] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.887] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.888] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.889] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.889] CloseHandle (hObject=0x438) returned 1 [0065.889] GetProcessHeap () returned 0x3a00000 [0065.889] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.889] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 148 [0065.889] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.shared.office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.889] GetProcessHeap () returned 0x3a00000 [0065.889] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.889] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a705a3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a705a3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x11cbd0e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2aafe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", cAlternateFileName="C2668D~1.XML")) returned 1 [0065.889] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.889] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.889] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.889] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.890] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.890] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml") returned 127 [0065.890] StrStrIW (lpFirst="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.890] lstrcmpW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.890] lstrcmpW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.890] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Vi", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.890] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.890] GetTickCount () returned 0x1150e06 [0065.890] GetTickCount () returned 0x1150e06 [0065.890] GetTickCount () returned 0x1150e06 [0065.891] GetTickCount () returned 0x1150e06 [0065.891] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.891] GetProcessHeap () returned 0x3a00000 [0065.891] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.891] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.892] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.893] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.893] GetProcessHeap () returned 0x3a00000 [0065.893] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.893] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.893] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.894] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.894] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.894] CloseHandle (hObject=0x438) returned 1 [0065.894] GetProcessHeap () returned 0x3a00000 [0065.894] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.894] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 146 [0065.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visio.visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.896] GetProcessHeap () returned 0x3a00000 [0065.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.896] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a4a3b4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a4a3b4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1218203, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf0cb4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.visiomui.msi.16.en-us.xml", cAlternateFileName="C2A712~1.XML")) returned 1 [0065.896] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.896] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.896] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.896] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.896] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.896] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml") returned 116 [0065.896] StrStrIW (lpFirst="C2RManifest.visiomui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.896] lstrcmpW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.896] lstrcmpW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.896] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.896] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.897] GetTickCount () returned 0x1150e16 [0065.897] GetTickCount () returned 0x1150e16 [0065.897] GetTickCount () returned 0x1150e16 [0065.897] GetTickCount () returned 0x1150e16 [0065.897] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.897] GetProcessHeap () returned 0x3a00000 [0065.897] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.897] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.899] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.899] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.900] GetProcessHeap () returned 0x3a00000 [0065.900] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.900] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.900] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.901] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.901] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.901] CloseHandle (hObject=0x438) returned 1 [0065.901] GetProcessHeap () returned 0x3a00000 [0065.902] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.902] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0065.902] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.902] GetProcessHeap () returned 0x3a00000 [0065.902] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.902] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf5ca1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf5ca1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2dd401b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1536e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", cAlternateFileName="C2RMAN~2.XML")) returned 1 [0065.902] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Windows") returned -1 [0065.902] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="$Recycle.bin") returned 1 [0065.902] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="System Volume Information") returned -1 [0065.902] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Program Files") returned -1 [0065.902] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="Program Files (x86)") returned -1 [0065.902] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml") returned 125 [0065.902] StrStrIW (lpFirst="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpSrch=".ebal") returned 0x0 [0065.902] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.902] lstrcmpW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml", lpString2="taridd") returned -1 [0065.903] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Wor", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.903] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.903] GetTickCount () returned 0x1150e16 [0065.903] GetTickCount () returned 0x1150e16 [0065.903] GetTickCount () returned 0x1150e16 [0065.903] GetTickCount () returned 0x1150e16 [0065.903] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.903] GetProcessHeap () returned 0x3a00000 [0065.903] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.903] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.905] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.905] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.905] GetProcessHeap () returned 0x3a00000 [0065.905] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.905] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.905] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.905] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.905] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.906] CloseHandle (hObject=0x438) returned 1 [0065.906] GetProcessHeap () returned 0x3a00000 [0065.906] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.906] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 144 [0065.906] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.word.word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.906] GetProcessHeap () returned 0x3a00000 [0065.906] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.906] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf3682d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd3a7e818, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x130fe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.wordmui.msi.16.en-us.xml", cAlternateFileName="C2RMAN~1.XML")) returned 1 [0065.906] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Windows") returned -1 [0065.906] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="$Recycle.bin") returned 1 [0065.906] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="System Volume Information") returned -1 [0065.906] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Program Files") returned -1 [0065.906] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="Program Files (x86)") returned -1 [0065.906] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml") returned 115 [0065.906] StrStrIW (lpFirst="C2RManifest.wordmui.msi.16.en-us.xml", lpSrch=".ebal") returned 0x0 [0065.907] lstrcmpW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.907] lstrcmpW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml", lpString2="taridd") returned -1 [0065.907] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.907] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.907] GetTickCount () returned 0x1150e16 [0065.907] GetTickCount () returned 0x1150e16 [0065.907] GetTickCount () returned 0x1150e16 [0065.907] GetTickCount () returned 0x1150e16 [0065.907] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.908] GetProcessHeap () returned 0x3a00000 [0065.908] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.908] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.909] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.910] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.910] GetProcessHeap () returned 0x3a00000 [0065.910] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.910] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.910] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.910] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.910] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.910] CloseHandle (hObject=0x438) returned 1 [0065.910] GetProcessHeap () returned 0x3a00000 [0065.911] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.911] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 134 [0065.911] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\c2rmanifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal")) returned 1 [0065.913] GetProcessHeap () returned 0x3a00000 [0065.913] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.913] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x49bee514, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xd2dfa2a2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x12c470, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="integrator.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0065.913] lstrcmpiW (lpString1="integrator.exe", lpString2="Windows") returned -1 [0065.913] lstrcmpiW (lpString1="integrator.exe", lpString2="$Recycle.bin") returned 1 [0065.913] lstrcmpiW (lpString1="integrator.exe", lpString2="System Volume Information") returned -1 [0065.913] lstrcmpiW (lpString1="integrator.exe", lpString2="Program Files") returned -1 [0065.914] lstrcmpiW (lpString1="integrator.exe", lpString2="Program Files (x86)") returned -1 [0065.914] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe") returned 93 [0065.914] StrStrIW (lpFirst="integrator.exe", lpSrch=".ebal") returned 0x0 [0065.914] lstrcmpW (lpString1="integrator.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.914] lstrcmpW (lpString1="integrator.exe", lpString2="taridd") returned -1 [0065.914] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0065.914] GetTickCount () returned 0x1150e25 [0065.914] GetTickCount () returned 0x1150e25 [0065.914] GetTickCount () returned 0x1150e25 [0065.914] GetTickCount () returned 0x1150e25 [0065.914] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0065.914] GetProcessHeap () returned 0x3a00000 [0065.914] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0065.914] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.916] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0065.916] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0065.916] GetProcessHeap () returned 0x3a00000 [0065.916] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0065.916] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.916] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0065.919] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0065.919] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0065.920] CloseHandle (hObject=0x438) returned 1 [0065.920] GetProcessHeap () returned 0x3a00000 [0065.920] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0065.920] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe_r00t_{8ew5f6}.ebal") returned 112 [0065.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\integrator.exe_r00t_{8ew5f6}.ebal")) returned 1 [0065.920] GetProcessHeap () returned 0x3a00000 [0065.920] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0065.920] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3481a2, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f3481a2, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf427d4ce, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", cAlternateFileName="MICROS~2.XML")) returned 1 [0065.920] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Windows") returned -1 [0065.920] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="$Recycle.bin") returned 1 [0065.920] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="System Volume Information") returned -1 [0065.920] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Program Files") returned -1 [0065.920] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="Program Files (x86)") returned -1 [0065.920] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml") returned 132 [0065.920] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpSrch=".ebal") returned 0x0 [0065.920] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0065.920] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml", lpString2="taridd") returned -1 [0065.922] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_Off", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0065.922] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.200] GetTickCount () returned 0x1150f3f [0066.200] GetTickCount () returned 0x1150f3f [0066.200] GetTickCount () returned 0x1150f3f [0066.200] GetTickCount () returned 0x1150f3f [0066.200] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.200] GetProcessHeap () returned 0x3a00000 [0066.200] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.200] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0xce8, lpOverlapped=0x0) returned 1 [0066.201] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff318, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.201] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0xce8, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0xce8, lpOverlapped=0x0) returned 1 [0066.202] GetProcessHeap () returned 0x3a00000 [0066.202] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.202] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.202] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.202] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.202] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.202] CloseHandle (hObject=0x438) returned 1 [0066.202] GetProcessHeap () returned 0x3a00000 [0066.202] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.203] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal") returned 151 [0066.203] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentfallback2016.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.203] GetProcessHeap () returned 0x3a00000 [0066.203] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.203] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f0e5bdc, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f0e5bdc, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf40d9aa3, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0xca6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", cAlternateFileName="MICROS~1.XML")) returned 1 [0066.203] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Windows") returned -1 [0066.203] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="$Recycle.bin") returned 1 [0066.203] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="System Volume Information") returned -1 [0066.203] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Program Files") returned -1 [0066.203] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="Program Files (x86)") returned -1 [0066.203] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml") returned 129 [0066.203] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpSrch=".ebal") returned 0x0 [0066.203] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.203] lstrcmpW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml", lpString2="taridd") returned -1 [0066.204] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_Off", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.204] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.204] GetTickCount () returned 0x1150f3f [0066.204] GetTickCount () returned 0x1150f3f [0066.204] GetTickCount () returned 0x1150f3f [0066.204] GetTickCount () returned 0x1150f3f [0066.204] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.204] GetProcessHeap () returned 0x3a00000 [0066.204] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.204] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0xca6, lpOverlapped=0x0) returned 1 [0066.206] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff35a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.206] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0xca6, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0xca6, lpOverlapped=0x0) returned 1 [0066.206] GetProcessHeap () returned 0x3a00000 [0066.206] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.206] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.206] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.206] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.206] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.207] CloseHandle (hObject=0x438) returned 1 [0066.207] GetProcessHeap () returned 0x3a00000 [0066.207] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.207] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal") returned 148 [0066.207] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\microsoft_office_officetelemetryagentlogon2016.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.207] GetProcessHeap () returned 0x3a00000 [0066.207] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.207] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x433f4072, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x433f4072, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x1bd7df5e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b826, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msoutilstat.etw.man", cAlternateFileName="MSOUTI~1.MAN")) returned 1 [0066.207] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Windows") returned -1 [0066.207] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="$Recycle.bin") returned 1 [0066.207] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="System Volume Information") returned -1 [0066.207] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Program Files") returned -1 [0066.207] lstrcmpiW (lpString1="msoutilstat.etw.man", lpString2="Program Files (x86)") returned -1 [0066.208] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man") returned 98 [0066.208] StrStrIW (lpFirst="msoutilstat.etw.man", lpSrch=".ebal") returned 0x0 [0066.208] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.208] lstrcmpW (lpString1="msoutilstat.etw.man", lpString2="taridd") returned -1 [0066.208] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.208] GetTickCount () returned 0x1150f4e [0066.208] GetTickCount () returned 0x1150f4e [0066.208] GetTickCount () returned 0x1150f4e [0066.208] GetTickCount () returned 0x1150f4e [0066.208] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.208] GetProcessHeap () returned 0x3a00000 [0066.208] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.208] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.210] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.210] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.210] GetProcessHeap () returned 0x3a00000 [0066.210] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.210] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.211] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.211] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.211] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.211] CloseHandle (hObject=0x438) returned 1 [0066.211] GetProcessHeap () returned 0x3a00000 [0066.211] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.211] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man_r00t_{8ew5f6}.ebal") returned 117 [0066.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\msoutilstat.etw.man_r00t_{8ew5f6}.ebal")) returned 1 [0066.211] GetProcessHeap () returned 0x3a00000 [0066.211] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.211] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x244f1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man", cAlternateFileName="")) returned 1 [0066.212] lstrcmpiW (lpString1="wordEtw.man", lpString2="Windows") returned 1 [0066.212] lstrcmpiW (lpString1="wordEtw.man", lpString2="$Recycle.bin") returned 1 [0066.212] lstrcmpiW (lpString1="wordEtw.man", lpString2="System Volume Information") returned 1 [0066.212] lstrcmpiW (lpString1="wordEtw.man", lpString2="Program Files") returned 1 [0066.212] lstrcmpiW (lpString1="wordEtw.man", lpString2="Program Files (x86)") returned 1 [0066.212] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man") returned 90 [0066.212] StrStrIW (lpFirst="wordEtw.man", lpSrch=".ebal") returned 0x0 [0066.212] lstrcmpW (lpString1="wordEtw.man", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.212] lstrcmpW (lpString1="wordEtw.man", lpString2="taridd") returned 1 [0066.212] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.212] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.212] GetTickCount () returned 0x1150f4e [0066.213] GetTickCount () returned 0x1150f4e [0066.213] GetTickCount () returned 0x1150f4e [0066.213] GetTickCount () returned 0x1150f4e [0066.213] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.213] GetProcessHeap () returned 0x3a00000 [0066.213] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.213] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.215] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.215] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.215] GetProcessHeap () returned 0x3a00000 [0066.215] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.215] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.215] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.216] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.217] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.217] CloseHandle (hObject=0x438) returned 1 [0066.217] GetProcessHeap () returned 0x3a00000 [0066.217] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.217] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man_r00t_{8ew5f6}.ebal") returned 109 [0066.217] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\wordetw.man_r00t_{8ew5f6}.ebal")) returned 1 [0066.218] GetProcessHeap () returned 0x3a00000 [0066.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.218] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x244f1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9bddd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man", cAlternateFileName="")) returned 0 [0066.218] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0066.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 110 [0066.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.219] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.220] CloseHandle (hObject=0x434) returned 1 [0066.220] GetProcessHeap () returned 0x3a00000 [0066.220] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.220] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b87bb60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0066.220] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0066.220] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0066.220] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\clicktorun\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.220] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.221] CloseHandle (hObject=0x430) returned 1 [0066.221] GetProcessHeap () returned 0x3a00000 [0066.221] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.221] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Crypto", cAlternateFileName="")) returned 1 [0066.221] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0066.221] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0066.221] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0066.221] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0066.221] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0066.221] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto") returned 35 [0066.221] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0066.221] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0066.221] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.221] GetProcessHeap () returned 0x3a00000 [0066.222] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.222] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*") returned 37 [0066.222] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0066.222] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.222] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.222] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.222] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.222] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.222] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\.") returned 37 [0066.222] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.222] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.222] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.222] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.222] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.222] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.222] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.222] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\..") returned 38 [0066.222] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.222] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.222] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DSS", cAlternateFileName="")) returned 1 [0066.222] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0066.222] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0066.222] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0066.222] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0066.222] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0066.222] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS") returned 39 [0066.222] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0066.222] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0066.222] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.223] GetProcessHeap () returned 0x3a00000 [0066.223] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.223] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*") returned 41 [0066.223] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0066.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.226] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.226] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.226] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.226] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.226] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\.") returned 41 [0066.226] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.226] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.226] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.226] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.226] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.226] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.226] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.226] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\..") returned 42 [0066.226] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.226] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.226] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0066.226] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0066.226] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0066.226] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0066.226] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0066.226] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0066.226] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 51 [0066.226] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0066.226] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0066.226] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.226] GetProcessHeap () returned 0x3a00000 [0066.226] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.226] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 53 [0066.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0066.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.228] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 53 [0066.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.228] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.228] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.228] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 54 [0066.228] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.228] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.228] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.228] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0066.228] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0066.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.229] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.230] CloseHandle (hObject=0x438) returned 1 [0066.230] GetProcessHeap () returned 0x3a00000 [0066.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.230] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0066.230] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0066.230] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0066.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\dss\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.230] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.231] CloseHandle (hObject=0x434) returned 1 [0066.231] GetProcessHeap () returned 0x3a00000 [0066.231] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.231] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Keys", cAlternateFileName="")) returned 1 [0066.232] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0066.232] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0066.232] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0066.232] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0066.232] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0066.232] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys") returned 40 [0066.232] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0066.232] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0066.232] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.232] GetProcessHeap () returned 0x3a00000 [0066.232] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.232] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*") returned 42 [0066.232] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0066.233] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.233] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.233] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.233] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.233] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.233] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.") returned 42 [0066.233] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.233] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.233] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.233] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.233] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.233] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.233] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.233] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.233] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.233] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.233] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..") returned 43 [0066.233] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.233] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.233] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.233] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.233] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.234] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.234] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0066.234] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0066.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\keys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.234] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.235] CloseHandle (hObject=0x434) returned 1 [0066.235] GetProcessHeap () returned 0x3a00000 [0066.235] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.235] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0066.235] lstrcmpiW (lpString1="PCPKSP", lpString2="Windows") returned -1 [0066.235] lstrcmpiW (lpString1="PCPKSP", lpString2="$Recycle.bin") returned 1 [0066.235] lstrcmpiW (lpString1="PCPKSP", lpString2="System Volume Information") returned -1 [0066.236] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files") returned -1 [0066.236] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files (x86)") returned -1 [0066.236] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP") returned 42 [0066.236] lstrcmpW (lpString1="PCPKSP", lpString2=".") returned 1 [0066.236] lstrcmpW (lpString1="PCPKSP", lpString2="..") returned 1 [0066.236] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.236] GetProcessHeap () returned 0x3a00000 [0066.236] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.236] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*") returned 44 [0066.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0066.236] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.236] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.236] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.236] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.237] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\.") returned 44 [0066.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.237] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.237] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\..") returned 45 [0066.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.237] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0066.237] lstrcmpiW (lpString1="WindowsAIK", lpString2="Windows") returned 1 [0066.237] lstrcmpiW (lpString1="WindowsAIK", lpString2="$Recycle.bin") returned 1 [0066.237] lstrcmpiW (lpString1="WindowsAIK", lpString2="System Volume Information") returned 1 [0066.237] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files") returned 1 [0066.237] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files (x86)") returned 1 [0066.237] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned 53 [0066.237] lstrcmpW (lpString1="WindowsAIK", lpString2=".") returned 1 [0066.237] lstrcmpW (lpString1="WindowsAIK", lpString2="..") returned 1 [0066.237] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.237] GetProcessHeap () returned 0x3a00000 [0066.237] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.237] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*") returned 55 [0066.237] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0066.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.238] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.238] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.238] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.") returned 55 [0066.238] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.238] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.238] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.238] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.238] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\." (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.238] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.238] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.238] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.238] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.238] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.238] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.238] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..") returned 56 [0066.238] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.238] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.238] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.238] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.238] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.238] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.238] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.238] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.239] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0066.239] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0066.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\windowsaik\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.259] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.260] CloseHandle (hObject=0x438) returned 1 [0066.260] GetProcessHeap () returned 0x3a00000 [0066.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.260] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0 [0066.260] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0066.261] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0066.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\pcpksp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.261] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.262] CloseHandle (hObject=0x434) returned 1 [0066.262] GetProcessHeap () returned 0x3a00000 [0066.262] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.262] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RSA", cAlternateFileName="")) returned 1 [0066.262] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0066.262] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0066.262] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0066.262] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0066.262] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0066.262] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA") returned 39 [0066.262] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0066.262] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0066.262] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.262] GetProcessHeap () returned 0x3a00000 [0066.262] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.262] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*") returned 41 [0066.262] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0066.262] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.262] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.262] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.262] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.263] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\.") returned 41 [0066.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.263] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x17c6f037, ftLastAccessTime.dwHighDateTime=0x1d2a02b, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.263] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.263] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.263] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\..") returned 42 [0066.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.263] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0066.263] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0066.263] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0066.263] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0066.263] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0066.263] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0066.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 51 [0066.263] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0066.263] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0066.263] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.263] GetProcessHeap () returned 0x3a00000 [0066.263] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.263] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 53 [0066.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0066.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.271] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.271] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.271] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.271] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.271] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 53 [0066.271] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.271] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.271] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.271] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.271] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.272] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 54 [0066.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.272] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 1 [0066.272] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Windows") returned -1 [0066.272] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="$Recycle.bin") returned 1 [0066.272] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="System Volume Information") returned -1 [0066.272] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files") returned -1 [0066.272] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files (x86)") returned -1 [0066.272] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267") returned 121 [0066.272] StrStrIW (lpFirst="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpSrch=".ebal") returned 0x0 [0066.272] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.272] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="taridd") returned -1 [0066.272] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.272] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 0 [0066.272] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0066.272] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0066.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.274] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.275] CloseHandle (hObject=0x438) returned 1 [0066.275] GetProcessHeap () returned 0x3a00000 [0066.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.275] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0066.275] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0066.275] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0066.275] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0066.275] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0066.275] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0066.275] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 48 [0066.275] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0066.275] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0066.275] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.275] GetProcessHeap () returned 0x3a00000 [0066.275] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.275] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 50 [0066.275] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0066.276] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.276] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.276] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.276] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.276] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.276] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 50 [0066.276] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.276] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.276] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.276] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.276] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.276] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.276] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.276] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.276] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.276] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.276] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.276] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 51 [0066.276] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.276] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.276] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.276] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.276] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.276] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\programdata\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.277] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="4ECCD1~1")) returned 1 [0066.277] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Windows") returned -1 [0066.277] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="$Recycle.bin") returned 1 [0066.277] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="System Volume Information") returned -1 [0066.277] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files") returned -1 [0066.277] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files (x86)") returned -1 [0066.277] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71") returned 118 [0066.277] StrStrIW (lpFirst="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpSrch=".ebal") returned 0x0 [0066.277] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.277] lstrcmpW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="taridd") returned -1 [0066.277] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.277] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.277] GetTickCount () returned 0x1150f8d [0066.277] GetTickCount () returned 0x1150f8d [0066.277] GetTickCount () returned 0x1150f8d [0066.277] GetTickCount () returned 0x1150f8d [0066.277] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0066.277] GetProcessHeap () returned 0x3a00000 [0066.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0066.277] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x38, lpOverlapped=0x0) returned 1 [0066.278] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffffc8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.278] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x38, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x38, lpOverlapped=0x0) returned 1 [0066.279] GetProcessHeap () returned 0x3a00000 [0066.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0066.279] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.279] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0066.279] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0066.279] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0066.279] CloseHandle (hObject=0x43c) returned 1 [0066.280] GetProcessHeap () returned 0x3a00000 [0066.280] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.280] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal") returned 137 [0066.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal")) returned 1 [0066.280] GetProcessHeap () returned 0x3a00000 [0066.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.280] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="4ECCD1~1")) returned 0 [0066.280] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0066.280] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0066.280] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\s-1-5-18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.281] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.282] CloseHandle (hObject=0x438) returned 1 [0066.282] GetProcessHeap () returned 0x3a00000 [0066.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.282] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c150294, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0066.282] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0066.282] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0066.282] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\rsa\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.282] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.284] CloseHandle (hObject=0x434) returned 1 [0066.284] GetProcessHeap () returned 0x3a00000 [0066.284] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.284] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xfe648d52, ftLastWriteTime.dwHighDateTime=0x1d32770, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0066.284] lstrcmpiW (lpString1="SystemKeys", lpString2="Windows") returned -1 [0066.284] lstrcmpiW (lpString1="SystemKeys", lpString2="$Recycle.bin") returned 1 [0066.284] lstrcmpiW (lpString1="SystemKeys", lpString2="System Volume Information") returned 1 [0066.284] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files") returned 1 [0066.284] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files (x86)") returned 1 [0066.284] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys") returned 46 [0066.284] lstrcmpW (lpString1="SystemKeys", lpString2=".") returned 1 [0066.284] lstrcmpW (lpString1="SystemKeys", lpString2="..") returned 1 [0066.284] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.284] GetProcessHeap () returned 0x3a00000 [0066.284] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.284] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*") returned 48 [0066.284] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x7737cd02, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0066.285] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.285] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.285] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.286] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.286] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.286] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.") returned 48 [0066.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.286] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.286] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.286] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.286] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.286] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\." (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.286] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x7737cd02, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.286] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.286] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.286] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.286] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.286] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\..") returned 49 [0066.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.286] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.286] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.286] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.286] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.286] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\.." (normalized: "c:\\programdata\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.286] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcc464582, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="709228~1")) returned 1 [0066.286] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Windows") returned -1 [0066.286] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="$Recycle.bin") returned 1 [0066.286] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="System Volume Information") returned -1 [0066.286] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files") returned -1 [0066.287] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files (x86)") returned -1 [0066.287] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267") returned 116 [0066.287] StrStrIW (lpFirst="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpSrch=".ebal") returned 0x0 [0066.287] lstrcmpW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.287] lstrcmpW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="taridd") returned -1 [0066.287] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.287] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.287] GetTickCount () returned 0x1150f9c [0066.287] GetTickCount () returned 0x1150f9c [0066.287] GetTickCount () returned 0x1150f9c [0066.287] GetTickCount () returned 0x1150f9c [0066.287] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.287] GetProcessHeap () returned 0x3a00000 [0066.287] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.287] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x61d, lpOverlapped=0x0) returned 1 [0066.288] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.288] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x61d, lpOverlapped=0x0) returned 1 [0066.289] GetProcessHeap () returned 0x3a00000 [0066.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.289] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.289] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.289] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.289] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.289] CloseHandle (hObject=0x438) returned 1 [0066.289] GetProcessHeap () returned 0x3a00000 [0066.289] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.289] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal") returned 135 [0066.289] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal")) returned 1 [0066.290] GetProcessHeap () returned 0x3a00000 [0066.290] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.290] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x1b8875cb, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="D20D9E~1")) returned 1 [0066.290] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Windows") returned -1 [0066.290] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="$Recycle.bin") returned 1 [0066.290] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="System Volume Information") returned -1 [0066.290] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files") returned -1 [0066.290] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="Program Files (x86)") returned -1 [0066.290] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71") returned 116 [0066.290] StrStrIW (lpFirst="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpSrch=".ebal") returned 0x0 [0066.290] lstrcmpW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.290] lstrcmpW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", lpString2="taridd") returned -1 [0066.290] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.290] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.290] GetTickCount () returned 0x1150f9c [0066.290] GetTickCount () returned 0x1150f9c [0066.290] GetTickCount () returned 0x1150f9c [0066.290] GetTickCount () returned 0x1150f9c [0066.290] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.290] GetProcessHeap () returned 0x3a00000 [0066.290] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.291] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x61d, lpOverlapped=0x0) returned 1 [0066.292] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff9e3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.292] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x61d, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x61d, lpOverlapped=0x0) returned 1 [0066.292] GetProcessHeap () returned 0x3a00000 [0066.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.292] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.292] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.292] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.293] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.293] CloseHandle (hObject=0x438) returned 1 [0066.293] GetProcessHeap () returned 0x3a00000 [0066.293] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.293] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal") returned 135 [0066.293] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal")) returned 1 [0066.293] GetProcessHeap () returned 0x3a00000 [0066.293] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.293] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x1b8875cb, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71", cAlternateFileName="D20D9E~1")) returned 0 [0066.293] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0066.293] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0066.293] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\systemkeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.294] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.294] CloseHandle (hObject=0x434) returned 1 [0066.295] GetProcessHeap () returned 0x3a00000 [0066.295] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.295] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xfe648d52, ftLastWriteTime.dwHighDateTime=0x1d32770, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0 [0066.295] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0066.295] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0066.295] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\crypto\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.311] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.312] CloseHandle (hObject=0x430) returned 1 [0066.312] GetProcessHeap () returned 0x3a00000 [0066.312] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.312] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DataMart", cAlternateFileName="")) returned 1 [0066.312] lstrcmpiW (lpString1="DataMart", lpString2="Windows") returned -1 [0066.313] lstrcmpiW (lpString1="DataMart", lpString2="$Recycle.bin") returned 1 [0066.313] lstrcmpiW (lpString1="DataMart", lpString2="System Volume Information") returned -1 [0066.313] lstrcmpiW (lpString1="DataMart", lpString2="Program Files") returned -1 [0066.313] lstrcmpiW (lpString1="DataMart", lpString2="Program Files (x86)") returned -1 [0066.313] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart") returned 37 [0066.313] lstrcmpW (lpString1="DataMart", lpString2=".") returned 1 [0066.313] lstrcmpW (lpString1="DataMart", lpString2="..") returned 1 [0066.313] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.313] GetProcessHeap () returned 0x3a00000 [0066.313] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.313] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*") returned 39 [0066.313] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0066.314] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.314] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.314] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.314] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\.") returned 39 [0066.314] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.314] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.314] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.314] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.314] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.314] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\..") returned 40 [0066.314] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.314] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.314] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0066.314] lstrcmpiW (lpString1="PaidWiFi", lpString2="Windows") returned -1 [0066.314] lstrcmpiW (lpString1="PaidWiFi", lpString2="$Recycle.bin") returned 1 [0066.314] lstrcmpiW (lpString1="PaidWiFi", lpString2="System Volume Information") returned -1 [0066.314] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files") returned -1 [0066.314] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files (x86)") returned -1 [0066.314] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi") returned 46 [0066.314] lstrcmpW (lpString1="PaidWiFi", lpString2=".") returned 1 [0066.314] lstrcmpW (lpString1="PaidWiFi", lpString2="..") returned 1 [0066.314] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.314] GetProcessHeap () returned 0x3a00000 [0066.314] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.314] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*") returned 48 [0066.314] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0066.315] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.315] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.315] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.315] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.315] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.315] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\.") returned 48 [0066.315] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.315] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.315] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.315] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.315] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.315] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.315] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.315] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\..") returned 49 [0066.315] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.315] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.315] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.315] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0066.317] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0066.317] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\datamart\\paidwifi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.319] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.319] CloseHandle (hObject=0x434) returned 1 [0066.320] GetProcessHeap () returned 0x3a00000 [0066.320] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.320] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 0 [0066.320] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0066.320] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0066.320] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\datamart\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.320] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.321] CloseHandle (hObject=0x430) returned 1 [0066.321] GetProcessHeap () returned 0x3a00000 [0066.321] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.321] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0066.321] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0066.321] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0066.321] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0066.321] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0066.321] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0066.321] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage") returned 41 [0066.321] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0066.321] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0066.321] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.321] GetProcessHeap () returned 0x3a00000 [0066.321] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.321] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*") returned 43 [0066.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0066.322] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.322] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.322] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.322] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.322] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.322] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\.") returned 43 [0066.322] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.322] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.322] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\..") returned 44 [0066.322] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.322] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device", cAlternateFileName="")) returned 1 [0066.322] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0066.322] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0066.322] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0066.322] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0066.322] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0066.322] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device") returned 48 [0066.322] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0066.322] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0066.322] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.322] GetProcessHeap () returned 0x3a00000 [0066.322] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.322] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*") returned 50 [0066.322] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0066.324] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.324] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.324] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.324] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.324] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.324] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\.") returned 50 [0066.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.324] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.324] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\..") returned 51 [0066.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.324] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0066.324] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0066.324] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0066.324] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0066.324] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0066.324] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0066.324] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 87 [0066.324] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0066.324] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0066.324] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.324] GetProcessHeap () returned 0x3a00000 [0066.325] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.325] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 89 [0066.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0066.326] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.326] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.326] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.326] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.326] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.326] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 89 [0066.326] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.326] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.326] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.327] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 90 [0066.327] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.327] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.327] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0066.327] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0066.327] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0066.327] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0066.327] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0066.327] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0066.327] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 102 [0066.327] StrStrIW (lpFirst="background.png", lpSrch=".ebal") returned 0x0 [0066.327] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.327] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0066.327] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.327] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.328] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0066.328] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0066.328] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0066.328] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0066.328] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0066.328] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0066.328] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 100 [0066.328] StrStrIW (lpFirst="behavior.xml", lpSrch=".ebal") returned 0x0 [0066.328] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.329] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0066.329] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.329] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="device.png", cAlternateFileName="")) returned 1 [0066.329] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0066.329] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0066.329] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0066.329] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0066.329] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0066.329] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 98 [0066.329] StrStrIW (lpFirst="device.png", lpSrch=".ebal") returned 0x0 [0066.329] lstrcmpW (lpString1="device.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.329] lstrcmpW (lpString1="device.png", lpString2="taridd") returned -1 [0066.329] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.330] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0066.330] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0066.330] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0066.330] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0066.330] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0066.330] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0066.330] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 99 [0066.330] StrStrIW (lpFirst="overlay.png", lpSrch=".ebal") returned 0x0 [0066.330] lstrcmpW (lpString1="overlay.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.331] lstrcmpW (lpString1="overlay.png", lpString2="taridd") returned -1 [0066.331] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.331] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.332] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0066.332] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0066.332] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0066.332] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0066.332] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0066.332] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0066.332] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 100 [0066.333] StrStrIW (lpFirst="superbar.png", lpSrch=".ebal") returned 0x0 [0066.333] lstrcmpW (lpString1="superbar.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.333] lstrcmpW (lpString1="superbar.png", lpString2="taridd") returned -1 [0066.333] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.pn", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.334] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0066.334] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0066.335] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0066.335] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.336] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.337] CloseHandle (hObject=0x438) returned 1 [0066.337] GetProcessHeap () returned 0x3a00000 [0066.337] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.337] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0066.337] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0066.337] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0066.337] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0066.337] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0066.337] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0066.337] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 87 [0066.337] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0066.337] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0066.337] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.337] GetProcessHeap () returned 0x3a00000 [0066.337] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.337] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 89 [0066.337] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0066.337] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.337] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.337] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.337] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.337] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.337] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 89 [0066.337] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.337] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.337] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.338] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.338] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.338] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 90 [0066.338] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.338] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.338] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0066.338] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0066.338] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0066.338] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0066.338] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0066.338] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0066.338] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 102 [0066.338] StrStrIW (lpFirst="background.png", lpSrch=".ebal") returned 0x0 [0066.338] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.338] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0066.338] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.338] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.340] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0066.340] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0066.340] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0066.340] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0066.340] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0066.340] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0066.340] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 100 [0066.340] StrStrIW (lpFirst="behavior.xml", lpSrch=".ebal") returned 0x0 [0066.340] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.340] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0066.340] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.340] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0066.340] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0066.340] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0066.340] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0066.340] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0066.341] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0066.341] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 101 [0066.341] StrStrIW (lpFirst="watermark.png", lpSrch=".ebal") returned 0x0 [0066.341] lstrcmpW (lpString1="watermark.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.341] lstrcmpW (lpString1="watermark.png", lpString2="taridd") returned 1 [0066.341] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.p", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.341] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0066.341] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0066.341] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0066.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.343] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.344] CloseHandle (hObject=0x438) returned 1 [0066.344] GetProcessHeap () returned 0x3a00000 [0066.344] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.344] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0066.344] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0066.344] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0066.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\device\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.346] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.347] CloseHandle (hObject=0x434) returned 1 [0066.347] GetProcessHeap () returned 0x3a00000 [0066.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.347] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 1 [0066.347] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0066.347] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0066.347] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0066.347] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0066.347] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0066.347] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task") returned 46 [0066.347] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0066.347] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0066.347] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.347] GetProcessHeap () returned 0x3a00000 [0066.347] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.347] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*") returned 48 [0066.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0066.348] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.348] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.348] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.348] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\.") returned 48 [0066.348] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.348] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.348] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.348] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.348] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.348] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.348] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.348] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\..") returned 49 [0066.348] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.348] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.348] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0066.348] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0066.348] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0066.348] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0066.348] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0066.348] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0066.348] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 85 [0066.348] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0066.348] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0066.349] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.349] GetProcessHeap () returned 0x3a00000 [0066.349] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.349] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 87 [0066.349] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0066.352] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.352] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.352] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.352] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.352] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.352] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 87 [0066.352] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.352] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.352] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.352] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.352] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.352] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.352] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.352] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 88 [0066.352] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.352] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.352] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0066.353] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0066.353] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0066.353] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0066.353] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0066.353] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0066.353] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 91 [0066.353] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0066.353] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0066.353] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.353] GetProcessHeap () returned 0x3a00000 [0066.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.353] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 93 [0066.353] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0066.353] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.353] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.353] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.353] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.353] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.353] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 93 [0066.353] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.353] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.353] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.353] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.353] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.353] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.353] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.353] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 94 [0066.353] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.353] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.354] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0066.354] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.354] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.354] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.354] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.354] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.354] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 104 [0066.354] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0066.354] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.354] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0066.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resourc", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.356] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0066.356] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0066.356] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0066.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.357] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.358] CloseHandle (hObject=0x43c) returned 1 [0066.358] GetProcessHeap () returned 0x3a00000 [0066.358] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.358] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0066.358] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0066.358] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0066.358] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0066.358] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0066.358] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0066.358] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 96 [0066.358] StrStrIW (lpFirst="folder.ico", lpSrch=".ebal") returned 0x0 [0066.358] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.358] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0066.358] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.358] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.359] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0066.359] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0066.359] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0066.359] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0066.360] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0066.360] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0066.360] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 96 [0066.360] StrStrIW (lpFirst="netfol.ico", lpSrch=".ebal") returned 0x0 [0066.360] lstrcmpW (lpString1="netfol.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.360] lstrcmpW (lpString1="netfol.ico", lpString2="taridd") returned -1 [0066.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.360] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0066.360] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0066.360] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0066.360] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0066.360] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0066.360] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0066.360] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 98 [0066.361] StrStrIW (lpFirst="pictures.ico", lpSrch=".ebal") returned 0x0 [0066.361] lstrcmpW (lpString1="pictures.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.361] lstrcmpW (lpString1="pictures.ico", lpString2="taridd") returned -1 [0066.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.361] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.361] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49362917, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49362917, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49362917, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0066.361] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.361] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.361] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.361] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.361] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 98 [0066.361] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0066.361] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.361] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0066.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.361] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.361] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0066.361] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0066.361] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0066.361] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0066.361] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0066.361] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0066.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 99 [0066.361] StrStrIW (lpFirst="ringtones.ico", lpSrch=".ebal") returned 0x0 [0066.361] lstrcmpW (lpString1="ringtones.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.361] lstrcmpW (lpString1="ringtones.ico", lpString2="taridd") returned -1 [0066.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.362] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0066.362] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0066.362] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0066.362] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0066.362] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0066.362] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0066.362] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 98 [0066.362] StrStrIW (lpFirst="settings.ico", lpSrch=".ebal") returned 0x0 [0066.362] lstrcmpW (lpString1="settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.362] lstrcmpW (lpString1="settings.ico", lpString2="taridd") returned -1 [0066.362] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.363] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0066.363] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0066.363] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0066.363] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0066.363] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0066.363] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0066.363] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 94 [0066.363] StrStrIW (lpFirst="sync.ico", lpSrch=".ebal") returned 0x0 [0066.363] lstrcmpW (lpString1="sync.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.363] lstrcmpW (lpString1="sync.ico", lpString2="taridd") returned -1 [0066.367] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.367] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.367] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0066.367] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0066.367] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0066.367] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0066.367] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0066.367] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0066.367] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 95 [0066.367] StrStrIW (lpFirst="tasks.xml", lpSrch=".ebal") returned 0x0 [0066.367] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.367] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0066.367] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.367] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.368] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0066.368] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0066.368] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0066.368] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0066.368] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0066.368] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0066.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 93 [0066.368] StrStrIW (lpFirst="wmp.ico", lpSrch=".ebal") returned 0x0 [0066.368] lstrcmpW (lpString1="wmp.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.368] lstrcmpW (lpString1="wmp.ico", lpString2="taridd") returned 1 [0066.368] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.368] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0066.368] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0066.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0066.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.368] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.369] CloseHandle (hObject=0x438) returned 1 [0066.369] GetProcessHeap () returned 0x3a00000 [0066.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.369] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0066.369] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0066.369] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0066.369] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0066.370] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0066.370] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0066.370] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 85 [0066.370] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0066.370] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0066.370] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.370] GetProcessHeap () returned 0x3a00000 [0066.370] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 87 [0066.370] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.371] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.371] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.371] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.371] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.371] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 87 [0066.371] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.371] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.371] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.371] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.371] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.371] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.371] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 88 [0066.371] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.371] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.371] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0066.372] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0066.372] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0066.372] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0066.372] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0066.372] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0066.372] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 91 [0066.372] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0066.372] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0066.372] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.372] GetProcessHeap () returned 0x3a00000 [0066.372] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.372] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 93 [0066.372] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0066.372] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.372] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.372] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.372] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.372] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.372] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 93 [0066.372] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.372] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.372] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.372] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.372] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.372] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.372] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.372] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 94 [0066.372] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.372] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.373] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0066.373] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0066.373] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0066.373] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0066.373] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0066.373] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0066.373] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 104 [0066.373] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0066.373] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.373] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0066.373] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resourc", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.373] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.373] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0066.373] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0066.373] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0066.373] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.373] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.378] CloseHandle (hObject=0x43c) returned 1 [0066.378] GetProcessHeap () returned 0x3a00000 [0066.378] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.378] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0066.378] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0066.378] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0066.379] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0066.379] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0066.379] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0066.379] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 96 [0066.379] StrStrIW (lpFirst="folder.ico", lpSrch=".ebal") returned 0x0 [0066.379] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.379] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0066.379] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.379] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.379] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0066.379] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0066.379] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0066.379] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0066.379] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0066.379] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0066.379] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 100 [0066.379] StrStrIW (lpFirst="print_pref.ico", lpSrch=".ebal") returned 0x0 [0066.379] lstrcmpW (lpString1="print_pref.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.379] lstrcmpW (lpString1="print_pref.ico", lpString2="taridd") returned -1 [0066.379] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ic", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.379] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.379] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0066.379] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0066.379] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0066.379] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0066.380] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0066.380] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0066.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 104 [0066.380] StrStrIW (lpFirst="print_property.ico", lpSrch=".ebal") returned 0x0 [0066.380] lstrcmpW (lpString1="print_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.380] lstrcmpW (lpString1="print_property.ico", lpString2="taridd") returned -1 [0066.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_propert", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.380] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0066.380] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0066.380] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0066.380] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0066.380] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0066.380] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0066.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 101 [0066.380] StrStrIW (lpFirst="print_queue.ico", lpSrch=".ebal") returned 0x0 [0066.380] lstrcmpW (lpString1="print_queue.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.380] lstrcmpW (lpString1="print_queue.ico", lpString2="taridd") returned -1 [0066.380] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.i", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.380] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.380] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0066.380] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0066.380] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0066.380] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0066.380] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0066.380] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0066.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 95 [0066.380] StrStrIW (lpFirst="scan_.ico", lpSrch=".ebal") returned 0x0 [0066.380] lstrcmpW (lpString1="scan_.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.380] lstrcmpW (lpString1="scan_.ico", lpString2="taridd") returned -1 [0066.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.381] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0066.381] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0066.381] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0066.381] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0066.381] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0066.381] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0066.381] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 103 [0066.381] StrStrIW (lpFirst="scan_property.ico", lpSrch=".ebal") returned 0x0 [0066.381] lstrcmpW (lpString1="scan_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.381] lstrcmpW (lpString1="scan_property.ico", lpString2="taridd") returned -1 [0066.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.381] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0066.381] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0066.381] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0066.381] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0066.381] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0066.381] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0066.381] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 103 [0066.381] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".ebal") returned 0x0 [0066.381] lstrcmpW (lpString1="scan_settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.381] lstrcmpW (lpString1="scan_settings.ico", lpString2="taridd") returned -1 [0066.381] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.381] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.381] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0066.382] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0066.382] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0066.382] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0066.382] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0066.382] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0066.382] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 95 [0066.382] StrStrIW (lpFirst="tasks.xml", lpSrch=".ebal") returned 0x0 [0066.382] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.382] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0066.382] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.382] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0066.382] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0066.382] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0066.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.383] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.384] CloseHandle (hObject=0x438) returned 1 [0066.384] GetProcessHeap () returned 0x3a00000 [0066.384] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.384] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0066.384] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0066.384] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0066.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\task\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.386] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.387] CloseHandle (hObject=0x434) returned 1 [0066.387] GetProcessHeap () returned 0x3a00000 [0066.387] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.387] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 0 [0066.387] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0066.387] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0066.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\device stage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.387] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.388] CloseHandle (hObject=0x430) returned 1 [0066.388] GetProcessHeap () returned 0x3a00000 [0066.388] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.388] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0066.388] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0066.388] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0066.388] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0066.389] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0066.389] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0066.389] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync") returned 39 [0066.389] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0066.389] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0066.389] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.389] GetProcessHeap () returned 0x3a00000 [0066.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.389] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*") returned 41 [0066.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0066.408] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.408] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.408] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.409] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.409] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.409] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\.") returned 41 [0066.409] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.409] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.409] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.409] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\..") returned 42 [0066.409] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.409] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.409] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0066.409] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0066.409] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\devicesync\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.410] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.412] CloseHandle (hObject=0x430) returned 1 [0066.412] GetProcessHeap () returned 0x3a00000 [0066.412] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.412] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0066.412] lstrcmpiW (lpString1="Diagnosis", lpString2="Windows") returned -1 [0066.412] lstrcmpiW (lpString1="Diagnosis", lpString2="$Recycle.bin") returned 1 [0066.412] lstrcmpiW (lpString1="Diagnosis", lpString2="System Volume Information") returned -1 [0066.412] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files") returned -1 [0066.412] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files (x86)") returned -1 [0066.412] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis") returned 38 [0066.412] lstrcmpW (lpString1="Diagnosis", lpString2=".") returned 1 [0066.412] lstrcmpW (lpString1="Diagnosis", lpString2="..") returned 1 [0066.412] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.412] GetProcessHeap () returned 0x3a00000 [0066.412] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.412] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*") returned 40 [0066.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0066.414] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.414] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.414] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.414] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.414] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.414] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.") returned 40 [0066.414] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.414] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.414] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.414] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.414] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.414] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.414] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.414] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.414] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.414] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.414] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\..") returned 41 [0066.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.415] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.415] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.415] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.415] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.415] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\.." (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.415] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0066.415] lstrcmpiW (lpString1="AsimovUploader", lpString2="Windows") returned -1 [0066.415] lstrcmpiW (lpString1="AsimovUploader", lpString2="$Recycle.bin") returned 1 [0066.415] lstrcmpiW (lpString1="AsimovUploader", lpString2="System Volume Information") returned -1 [0066.415] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files") returned -1 [0066.415] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files (x86)") returned -1 [0066.415] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader") returned 53 [0066.415] lstrcmpW (lpString1="AsimovUploader", lpString2=".") returned 1 [0066.415] lstrcmpW (lpString1="AsimovUploader", lpString2="..") returned 1 [0066.415] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.415] GetProcessHeap () returned 0x3a00000 [0066.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.415] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*") returned 55 [0066.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0066.415] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.415] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.415] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.415] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.415] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.415] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.") returned 55 [0066.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.416] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.416] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.416] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.416] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.416] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.416] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.416] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.416] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.416] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.416] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\..") returned 56 [0066.416] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.416] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.416] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.416] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.416] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.416] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.416] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.416] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0066.416] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0066.416] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\asimovuploader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.418] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.418] CloseHandle (hObject=0x434) returned 1 [0066.418] GetProcessHeap () returned 0x3a00000 [0066.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.419] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0066.419] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Windows") returned -1 [0066.419] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="$Recycle.bin") returned 1 [0066.419] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="System Volume Information") returned -1 [0066.419] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files") returned -1 [0066.419] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files (x86)") returned -1 [0066.419] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios") returned 58 [0066.419] lstrcmpW (lpString1="DownloadedScenarios", lpString2=".") returned 1 [0066.419] lstrcmpW (lpString1="DownloadedScenarios", lpString2="..") returned 1 [0066.419] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.419] GetProcessHeap () returned 0x3a00000 [0066.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.419] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*") returned 60 [0066.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.419] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.") returned 60 [0066.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.419] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.419] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.419] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.420] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d9a4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a88b65e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.420] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.420] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.420] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.420] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.420] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\..") returned 61 [0066.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.420] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.420] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.420] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.420] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.420] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox", cAlternateFileName="WINDOW~1.INB")) returned 1 [0066.420] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Windows") returned 1 [0066.420] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="$Recycle.bin") returned 1 [0066.420] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="System Volume Information") returned 1 [0066.420] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Program Files") returned 1 [0066.420] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="Program Files (x86)") returned 1 [0066.420] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox") returned 89 [0066.420] StrStrIW (lpFirst="windows.uif_ondemand.xml.inbox", lpSrch=".ebal") returned 0x0 [0066.420] lstrcmpW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.420] lstrcmpW (lpString1="windows.uif_ondemand.xml.inbox", lpString2="taridd") returned 1 [0066.420] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.422] GetTickCount () returned 0x1151019 [0066.422] GetTickCount () returned 0x1151019 [0066.422] GetTickCount () returned 0x1151019 [0066.422] GetTickCount () returned 0x1151019 [0066.422] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.422] GetProcessHeap () returned 0x3a00000 [0066.422] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.422] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x9d0, lpOverlapped=0x0) returned 1 [0066.423] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff630, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.423] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x9d0, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x9d0, lpOverlapped=0x0) returned 1 [0066.424] GetProcessHeap () returned 0x3a00000 [0066.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.424] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.424] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.424] CloseHandle (hObject=0x438) returned 1 [0066.424] GetProcessHeap () returned 0x3a00000 [0066.424] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.424] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal") returned 108 [0066.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal")) returned 1 [0066.425] GetProcessHeap () returned 0x3a00000 [0066.425] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.425] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox", cAlternateFileName="WINDOW~1.INB")) returned 0 [0066.425] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0066.425] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0066.425] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedscenarios\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.427] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.428] CloseHandle (hObject=0x434) returned 1 [0066.428] GetProcessHeap () returned 0x3a00000 [0066.428] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.428] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0066.428] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Windows") returned -1 [0066.428] lstrcmpiW (lpString1="DownloadedSettings", lpString2="$Recycle.bin") returned 1 [0066.428] lstrcmpiW (lpString1="DownloadedSettings", lpString2="System Volume Information") returned -1 [0066.428] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files") returned -1 [0066.428] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files (x86)") returned -1 [0066.428] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings") returned 57 [0066.428] lstrcmpW (lpString1="DownloadedSettings", lpString2=".") returned 1 [0066.428] lstrcmpW (lpString1="DownloadedSettings", lpString2="..") returned 1 [0066.428] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.428] GetProcessHeap () returned 0x3a00000 [0066.428] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.428] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*") returned 59 [0066.428] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.430] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.430] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.430] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.430] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.430] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.430] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.") returned 59 [0066.430] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.430] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.430] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.430] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.430] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.430] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.431] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4d8e7d9f, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4d8e7d9f, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.431] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.431] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.431] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.431] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.431] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.431] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\..") returned 60 [0066.431] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.431] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.431] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.431] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.431] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.431] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.431] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x69d9f6fd, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x69d9f6fd, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69e5dfd5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x623b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0066.431] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Windows") returned -1 [0066.431] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="$Recycle.bin") returned 1 [0066.431] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="System Volume Information") returned 1 [0066.431] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files") returned 1 [0066.431] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files (x86)") returned 1 [0066.431] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 91 [0066.431] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json", lpSrch=".ebal") returned 0x0 [0066.431] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.431] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="taridd") returned 1 [0066.431] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.431] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.432] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x44f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json.bk", cAlternateFileName="TELEME~1.BK")) returned 1 [0066.432] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Windows") returned -1 [0066.432] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="$Recycle.bin") returned 1 [0066.432] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="System Volume Information") returned 1 [0066.432] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Program Files") returned 1 [0066.432] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="Program Files (x86)") returned 1 [0066.432] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk") returned 94 [0066.432] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json.bk", lpSrch=".ebal") returned 0x0 [0066.432] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.432] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json.bk", lpString2="taridd") returned 1 [0066.432] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.433] GetTickCount () returned 0x1151029 [0066.433] GetTickCount () returned 0x1151029 [0066.433] GetTickCount () returned 0x1151029 [0066.433] GetTickCount () returned 0x1151029 [0066.433] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.433] GetProcessHeap () returned 0x3a00000 [0066.433] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.433] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x44f, lpOverlapped=0x0) returned 1 [0066.435] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffbb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.435] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x44f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x44f, lpOverlapped=0x0) returned 1 [0066.435] GetProcessHeap () returned 0x3a00000 [0066.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.435] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.435] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.435] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.435] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.435] CloseHandle (hObject=0x438) returned 1 [0066.435] GetProcessHeap () returned 0x3a00000 [0066.435] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.435] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal") returned 113 [0066.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json.bk_r00t_{8ew5f6}.ebal")) returned 1 [0066.436] GetProcessHeap () returned 0x3a00000 [0066.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.436] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xb0c71bce, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xb0c71bce, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xb0fb9083, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TELEMETRY.ASM-WINDOWSSQ.json", cAlternateFileName="TELEME~4.JSO")) returned 1 [0066.436] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Windows") returned -1 [0066.436] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="$Recycle.bin") returned 1 [0066.436] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="System Volume Information") returned 1 [0066.436] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files") returned 1 [0066.436] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files (x86)") returned 1 [0066.436] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json") returned 86 [0066.436] StrStrIW (lpFirst="TELEMETRY.ASM-WINDOWSSQ.json", lpSrch=".ebal") returned 0x0 [0066.436] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.436] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="taridd") returned 1 [0066.436] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowssq.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.437] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x2d95e660, ftCreationTime.dwHighDateTime=0x1d336e0, ftLastAccessTime.dwLowDateTime=0x2d95e660, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2e6edc8f, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", cAlternateFileName="TEA386~1.JSO")) returned 1 [0066.437] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Windows") returned -1 [0066.437] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="$Recycle.bin") returned 1 [0066.437] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="System Volume Information") returned 1 [0066.437] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files") returned 1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files (x86)") returned 1 [0066.438] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json") returned 154 [0066.438] StrStrIW (lpFirst="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpSrch=".ebal") returned 0x0 [0066.438] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.438] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="taridd") returned 1 [0066.438] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7e", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.438] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.438] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7ea85252, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7ea85252, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f139471, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", cAlternateFileName="TELEME~2.JSO")) returned 1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Windows") returned -1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="$Recycle.bin") returned 1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="System Volume Information") returned 1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files") returned 1 [0066.438] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files (x86)") returned 1 [0066.438] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json") returned 154 [0066.438] StrStrIW (lpFirst="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpSrch=".ebal") returned 0x0 [0066.439] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.439] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="taridd") returned 1 [0066.439] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d499676262", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.439] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.439] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7f139471, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7f139471, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f4f45ae, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", cAlternateFileName="TELEME~3.JSO")) returned 1 [0066.439] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Windows") returned -1 [0066.439] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="$Recycle.bin") returned 1 [0066.439] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="System Volume Information") returned 1 [0066.439] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files") returned 1 [0066.439] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files (x86)") returned 1 [0066.439] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json") returned 154 [0066.439] StrStrIW (lpFirst="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpSrch=".ebal") returned 0x0 [0066.439] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.439] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="taridd") returned 1 [0066.439] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.439] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.440] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x698688ac, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x698688ac, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69d06e63, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0xba4e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0066.440] lstrcmpiW (lpString1="utc.app.json", lpString2="Windows") returned -1 [0066.440] lstrcmpiW (lpString1="utc.app.json", lpString2="$Recycle.bin") returned 1 [0066.440] lstrcmpiW (lpString1="utc.app.json", lpString2="System Volume Information") returned 1 [0066.440] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files") returned 1 [0066.440] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files (x86)") returned 1 [0066.440] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 70 [0066.440] StrStrIW (lpFirst="utc.app.json", lpSrch=".ebal") returned 0x0 [0066.440] lstrcmpW (lpString1="utc.app.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.440] lstrcmpW (lpString1="utc.app.json", lpString2="taridd") returned 1 [0066.440] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.441] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x67f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json.bk", cAlternateFileName="UTCAPP~1.BK")) returned 1 [0066.441] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Windows") returned -1 [0066.441] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="$Recycle.bin") returned 1 [0066.441] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="System Volume Information") returned 1 [0066.441] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Program Files") returned 1 [0066.441] lstrcmpiW (lpString1="utc.app.json.bk", lpString2="Program Files (x86)") returned 1 [0066.441] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk") returned 73 [0066.441] StrStrIW (lpFirst="utc.app.json.bk", lpSrch=".ebal") returned 0x0 [0066.441] lstrcmpW (lpString1="utc.app.json.bk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.441] lstrcmpW (lpString1="utc.app.json.bk", lpString2="taridd") returned 1 [0066.441] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.441] GetTickCount () returned 0x1151029 [0066.441] GetTickCount () returned 0x1151029 [0066.441] GetTickCount () returned 0x1151029 [0066.441] GetTickCount () returned 0x1151029 [0066.441] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.441] GetProcessHeap () returned 0x3a00000 [0066.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.442] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x67f, lpOverlapped=0x0) returned 1 [0066.443] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff981, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.443] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x67f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x67f, lpOverlapped=0x0) returned 1 [0066.443] GetProcessHeap () returned 0x3a00000 [0066.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.443] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.443] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.443] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.443] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.444] CloseHandle (hObject=0x438) returned 1 [0066.444] GetProcessHeap () returned 0x3a00000 [0066.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.444] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk_r00t_{8ew5f6}.ebal") returned 92 [0066.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json.bk_r00t_{8ew5f6}.ebal")) returned 1 [0066.444] GetProcessHeap () returned 0x3a00000 [0066.444] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.444] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 1 [0066.444] lstrcmpiW (lpString1="utc.cert.json", lpString2="Windows") returned -1 [0066.444] lstrcmpiW (lpString1="utc.cert.json", lpString2="$Recycle.bin") returned 1 [0066.444] lstrcmpiW (lpString1="utc.cert.json", lpString2="System Volume Information") returned 1 [0066.444] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files") returned 1 [0066.444] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files (x86)") returned 1 [0066.444] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json") returned 71 [0066.444] StrStrIW (lpFirst="utc.cert.json", lpSrch=".ebal") returned 0x0 [0066.444] lstrcmpW (lpString1="utc.cert.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.444] lstrcmpW (lpString1="utc.cert.json", lpString2="taridd") returned 1 [0066.444] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\utc.cert.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.445] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 0 [0066.445] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0066.445] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0066.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\downloadedsettings\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.445] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.446] CloseHandle (hObject=0x434) returned 1 [0066.446] GetProcessHeap () returned 0x3a00000 [0066.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.446] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0066.446] lstrcmpiW (lpString1="ETLLogs", lpString2="Windows") returned -1 [0066.446] lstrcmpiW (lpString1="ETLLogs", lpString2="$Recycle.bin") returned 1 [0066.446] lstrcmpiW (lpString1="ETLLogs", lpString2="System Volume Information") returned -1 [0066.446] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files") returned -1 [0066.446] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files (x86)") returned -1 [0066.446] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs") returned 46 [0066.446] lstrcmpW (lpString1="ETLLogs", lpString2=".") returned 1 [0066.446] lstrcmpW (lpString1="ETLLogs", lpString2="..") returned 1 [0066.446] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.446] GetProcessHeap () returned 0x3a00000 [0066.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.446] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*") returned 48 [0066.446] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0066.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.450] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.") returned 48 [0066.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.450] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.450] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.451] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.451] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.451] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.451] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.451] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.451] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.451] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.451] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.451] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\..") returned 49 [0066.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.451] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.451] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.451] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.451] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.451] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d5cadbc, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0066.451] lstrcmpiW (lpString1="AutoLogger", lpString2="Windows") returned -1 [0066.451] lstrcmpiW (lpString1="AutoLogger", lpString2="$Recycle.bin") returned 1 [0066.451] lstrcmpiW (lpString1="AutoLogger", lpString2="System Volume Information") returned -1 [0066.451] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files") returned -1 [0066.451] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files (x86)") returned -1 [0066.451] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned 57 [0066.451] lstrcmpW (lpString1="AutoLogger", lpString2=".") returned 1 [0066.451] lstrcmpW (lpString1="AutoLogger", lpString2="..") returned 1 [0066.451] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.452] GetProcessHeap () returned 0x3a00000 [0066.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.452] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*") returned 59 [0066.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xcd8d859b, ftLastWriteTime.dwHighDateTime=0x1d34734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0066.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.452] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.") returned 59 [0066.452] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.452] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.452] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.452] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.452] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.452] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d5cadbc, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xcd8d859b, ftLastWriteTime.dwHighDateTime=0x1d34734, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.452] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..") returned 60 [0066.452] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.452] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.452] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.453] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.453] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.453] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.453] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.453] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xac487de2, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0066.453] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Windows") returned -1 [0066.453] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="$Recycle.bin") returned 1 [0066.453] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="System Volume Information") returned -1 [0066.453] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files") returned -1 [0066.453] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files (x86)") returned -1 [0066.453] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl") returned 91 [0066.453] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch=".ebal") returned 0x0 [0066.453] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.453] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="taridd") returned -1 [0066.453] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.453] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.453] GetTickCount () returned 0x1151039 [0066.453] GetTickCount () returned 0x1151039 [0066.453] GetTickCount () returned 0x1151039 [0066.453] GetTickCount () returned 0x1151039 [0066.453] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0066.453] GetProcessHeap () returned 0x3a00000 [0066.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0066.453] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0066.456] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.456] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0066.456] GetProcessHeap () returned 0x3a00000 [0066.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0066.456] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.456] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0066.456] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0066.456] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0066.457] CloseHandle (hObject=0x43c) returned 1 [0066.457] GetProcessHeap () returned 0x3a00000 [0066.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal") returned 110 [0066.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\autologger-diagtrack-listener.etl_r00t_{8ew5f6}.ebal")) returned 1 [0066.458] GetProcessHeap () returned 0x3a00000 [0066.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.458] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xac487de2, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0066.458] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0066.458] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0066.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\autologger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.458] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.459] CloseHandle (hObject=0x438) returned 1 [0066.462] GetProcessHeap () returned 0x3a00000 [0066.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.462] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ScenarioShutdownLogger", cAlternateFileName="SCENAR~1")) returned 1 [0066.462] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Windows") returned -1 [0066.462] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="$Recycle.bin") returned 1 [0066.462] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="System Volume Information") returned -1 [0066.462] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files") returned 1 [0066.462] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files (x86)") returned 1 [0066.462] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger") returned 69 [0066.462] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2=".") returned 1 [0066.462] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2="..") returned 1 [0066.462] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.462] GetProcessHeap () returned 0x3a00000 [0066.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*") returned 71 [0066.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0066.462] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.463] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.463] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.463] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.463] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.") returned 71 [0066.463] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.463] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.463] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.463] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.463] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.463] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.463] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.463] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.463] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.463] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.463] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..") returned 72 [0066.463] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.463] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.463] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.463] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.463] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.463] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.463] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.463] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.464] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0066.464] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0066.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.464] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.465] CloseHandle (hObject=0x438) returned 1 [0066.465] GetProcessHeap () returned 0x3a00000 [0066.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.465] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d6afbff, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0066.465] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Windows") returned -1 [0066.465] lstrcmpiW (lpString1="ShutdownLogger", lpString2="$Recycle.bin") returned 1 [0066.466] lstrcmpiW (lpString1="ShutdownLogger", lpString2="System Volume Information") returned -1 [0066.466] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files") returned 1 [0066.466] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files (x86)") returned 1 [0066.466] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned 61 [0066.466] lstrcmpW (lpString1="ShutdownLogger", lpString2=".") returned 1 [0066.466] lstrcmpW (lpString1="ShutdownLogger", lpString2="..") returned 1 [0066.466] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.466] GetProcessHeap () returned 0x3a00000 [0066.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.466] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*") returned 63 [0066.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0066.466] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.466] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.467] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.467] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.467] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.") returned 63 [0066.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.467] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.467] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.467] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.467] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.467] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.467] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.467] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.467] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.467] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.467] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..") returned 64 [0066.467] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.467] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.467] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.467] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.467] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.467] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0066.467] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Windows") returned -1 [0066.467] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="$Recycle.bin") returned 1 [0066.467] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="System Volume Information") returned -1 [0066.467] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files") returned -1 [0066.467] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files (x86)") returned -1 [0066.468] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl") returned 95 [0066.468] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch=".ebal") returned 0x0 [0066.468] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.468] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="taridd") returned -1 [0066.468] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.468] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0066.468] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0066.468] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0066.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.468] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.469] CloseHandle (hObject=0x438) returned 1 [0066.469] GetProcessHeap () returned 0x3a00000 [0066.469] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.469] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2d6afbff, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2d6afbff, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0 [0066.469] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0066.469] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0066.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\etllogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.470] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.471] CloseHandle (hObject=0x434) returned 1 [0066.471] GetProcessHeap () returned 0x3a00000 [0066.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.471] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_CostDeferred.rbs", cAlternateFileName="EVENTS~3.RBS")) returned 1 [0066.471] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Windows") returned -1 [0066.471] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="$Recycle.bin") returned 1 [0066.471] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="System Volume Information") returned -1 [0066.471] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files") returned -1 [0066.471] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files (x86)") returned -1 [0066.471] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs") returned 62 [0066.471] StrStrIW (lpFirst="Events_CostDeferred.rbs", lpSrch=".ebal") returned 0x0 [0066.471] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.471] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="taridd") returned -1 [0066.471] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_costdeferred.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.471] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b5e567a, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b5e567a, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x1000000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Normal.rbs", cAlternateFileName="EVENTS~1.RBS")) returned 1 [0066.471] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Windows") returned -1 [0066.471] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="$Recycle.bin") returned 1 [0066.471] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="System Volume Information") returned -1 [0066.471] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files") returned -1 [0066.471] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files (x86)") returned -1 [0066.471] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs") returned 56 [0066.471] StrStrIW (lpFirst="Events_Normal.rbs", lpSrch=".ebal") returned 0x0 [0066.471] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.472] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="taridd") returned -1 [0066.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Normal.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_normal.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.472] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_NormalCritical.rbs", cAlternateFileName="EVENTS~2.RBS")) returned 1 [0066.472] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Windows") returned -1 [0066.472] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="$Recycle.bin") returned 1 [0066.472] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="System Volume Information") returned -1 [0066.472] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files") returned -1 [0066.472] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files (x86)") returned -1 [0066.472] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs") returned 64 [0066.472] StrStrIW (lpFirst="Events_NormalCritical.rbs", lpSrch=".ebal") returned 0x0 [0066.472] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.472] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="taridd") returned -1 [0066.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_normalcritical.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.472] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x333333, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Realtime.rbs", cAlternateFileName="EVENTS~4.RBS")) returned 1 [0066.472] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Windows") returned -1 [0066.472] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="$Recycle.bin") returned 1 [0066.472] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="System Volume Information") returned -1 [0066.472] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files") returned -1 [0066.472] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files (x86)") returned -1 [0066.472] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs") returned 58 [0066.472] StrStrIW (lpFirst="Events_Realtime.rbs", lpSrch=".ebal") returned 0x0 [0066.472] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.472] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="taridd") returned -1 [0066.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Events_Realtime.rbs" (normalized: "c:\\programdata\\microsoft\\diagnosis\\events_realtime.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.473] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0066.473] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Windows") returned -1 [0066.473] lstrcmpiW (lpString1="LocalTraceStore", lpString2="$Recycle.bin") returned 1 [0066.473] lstrcmpiW (lpString1="LocalTraceStore", lpString2="System Volume Information") returned -1 [0066.473] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files") returned -1 [0066.473] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files (x86)") returned -1 [0066.473] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore") returned 54 [0066.473] lstrcmpW (lpString1="LocalTraceStore", lpString2=".") returned 1 [0066.473] lstrcmpW (lpString1="LocalTraceStore", lpString2="..") returned 1 [0066.473] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.473] GetProcessHeap () returned 0x3a00000 [0066.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.473] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*") returned 56 [0066.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0066.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.474] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.474] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.") returned 56 [0066.474] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.474] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.474] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.474] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.474] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.474] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.474] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.474] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.474] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.474] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.474] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.474] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\..") returned 57 [0066.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.474] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.474] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.474] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.474] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.474] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.474] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0066.475] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0066.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\localtracestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.475] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.476] CloseHandle (hObject=0x434) returned 1 [0066.476] GetProcessHeap () returned 0x3a00000 [0066.476] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.476] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a3dd985, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8a3dd985, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x28facbb4, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="osver.txt", cAlternateFileName="")) returned 1 [0066.476] lstrcmpiW (lpString1="osver.txt", lpString2="Windows") returned -1 [0066.476] lstrcmpiW (lpString1="osver.txt", lpString2="$Recycle.bin") returned 1 [0066.476] lstrcmpiW (lpString1="osver.txt", lpString2="System Volume Information") returned -1 [0066.476] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files") returned -1 [0066.476] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files (x86)") returned -1 [0066.476] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt") returned 48 [0066.476] StrStrIW (lpFirst="osver.txt", lpSrch=".ebal") returned 0x0 [0066.476] lstrcmpW (lpString1="osver.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.476] lstrcmpW (lpString1="osver.txt", lpString2="taridd") returned -1 [0066.476] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\osver.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.476] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bfbb1de, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8bfbb1de, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8bfbb1de, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0066.476] lstrcmpiW (lpString1="parse.dat", lpString2="Windows") returned -1 [0066.476] lstrcmpiW (lpString1="parse.dat", lpString2="$Recycle.bin") returned 1 [0066.476] lstrcmpiW (lpString1="parse.dat", lpString2="System Volume Information") returned -1 [0066.476] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files") returned -1 [0066.476] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files (x86)") returned -1 [0066.476] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat") returned 48 [0066.476] StrStrIW (lpFirst="parse.dat", lpSrch=".ebal") returned 0x0 [0066.477] lstrcmpW (lpString1="parse.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.477] lstrcmpW (lpString1="parse.dat", lpString2="taridd") returned -1 [0066.477] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.477] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.477] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Sideload", cAlternateFileName="")) returned 1 [0066.477] lstrcmpiW (lpString1="Sideload", lpString2="Windows") returned -1 [0066.477] lstrcmpiW (lpString1="Sideload", lpString2="$Recycle.bin") returned 1 [0066.477] lstrcmpiW (lpString1="Sideload", lpString2="System Volume Information") returned -1 [0066.477] lstrcmpiW (lpString1="Sideload", lpString2="Program Files") returned 1 [0066.477] lstrcmpiW (lpString1="Sideload", lpString2="Program Files (x86)") returned 1 [0066.477] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload") returned 47 [0066.477] lstrcmpW (lpString1="Sideload", lpString2=".") returned 1 [0066.477] lstrcmpW (lpString1="Sideload", lpString2="..") returned 1 [0066.477] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.477] GetProcessHeap () returned 0x3a00000 [0066.477] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.477] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*") returned 49 [0066.477] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0066.477] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.477] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.477] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.477] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.") returned 49 [0066.477] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.477] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.477] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.478] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.478] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.478] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.478] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\..") returned 50 [0066.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.478] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.478] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.478] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.478] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.478] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.478] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0066.478] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0066.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\sideload\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.479] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.480] CloseHandle (hObject=0x434) returned 1 [0066.480] GetProcessHeap () returned 0x3a00000 [0066.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.480] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0066.480] lstrcmpiW (lpString1="Siufloc", lpString2="Windows") returned -1 [0066.480] lstrcmpiW (lpString1="Siufloc", lpString2="$Recycle.bin") returned 1 [0066.480] lstrcmpiW (lpString1="Siufloc", lpString2="System Volume Information") returned -1 [0066.480] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files") returned 1 [0066.480] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files (x86)") returned 1 [0066.480] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc") returned 46 [0066.480] lstrcmpW (lpString1="Siufloc", lpString2=".") returned 1 [0066.480] lstrcmpW (lpString1="Siufloc", lpString2="..") returned 1 [0066.480] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.480] GetProcessHeap () returned 0x3a00000 [0066.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.480] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*") returned 48 [0066.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0066.481] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.481] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.") returned 48 [0066.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.481] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.481] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.481] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.481] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.481] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\..") returned 49 [0066.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.481] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.481] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.481] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.481] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.482] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0066.482] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0066.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\siufloc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.482] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.483] CloseHandle (hObject=0x434) returned 1 [0066.483] GetProcessHeap () returned 0x3a00000 [0066.483] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.483] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0066.483] lstrcmpiW (lpString1="SoftLanding", lpString2="Windows") returned -1 [0066.483] lstrcmpiW (lpString1="SoftLanding", lpString2="$Recycle.bin") returned 1 [0066.483] lstrcmpiW (lpString1="SoftLanding", lpString2="System Volume Information") returned -1 [0066.483] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files") returned 1 [0066.483] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files (x86)") returned 1 [0066.483] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding") returned 50 [0066.483] lstrcmpW (lpString1="SoftLanding", lpString2=".") returned 1 [0066.483] lstrcmpW (lpString1="SoftLanding", lpString2="..") returned 1 [0066.483] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.483] GetProcessHeap () returned 0x3a00000 [0066.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.484] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*") returned 52 [0066.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0066.505] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.505] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.") returned 52 [0066.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.505] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.505] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.506] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.506] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.506] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.506] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.506] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.506] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.506] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\..") returned 53 [0066.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.506] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.507] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.507] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.507] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bfa790, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4de62c84, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", cAlternateFileName="03D1E1~1.XML")) returned 1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Windows") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="$Recycle.bin") returned 1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="System Volume Information") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files (x86)") returned -1 [0066.507] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml") returned 96 [0066.507] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpSrch=".ebal") returned 0x0 [0066.507] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.507] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="taridd") returned -1 [0066.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.507] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c20a14, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4defb5dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x441b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", cAlternateFileName="03D1E1~2.XML")) returned 1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Windows") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files") returned -1 [0066.507] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.507] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml") returned 100 [0066.507] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.508] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.508] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="taridd") returned -1 [0066.508] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.520] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4df6de00, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8128f6c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", cAlternateFileName="394B7B~1.XML")) returned 1 [0066.520] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Windows") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="$Recycle.bin") returned 1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="System Volume Information") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files (x86)") returned -1 [0066.521] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml") returned 96 [0066.521] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpSrch=".ebal") returned 0x0 [0066.521] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.521] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="taridd") returned -1 [0066.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.521] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e006640, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb5c02e23, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", cAlternateFileName="394B7B~2.XML")) returned 1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Windows") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files") returned -1 [0066.521] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.521] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml") returned 100 [0066.522] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.522] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.522] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="taridd") returned -1 [0066.522] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.522] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e09efaa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8625bd94, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", cAlternateFileName="75EF5B~1.XML")) returned 1 [0066.522] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Windows") returned -1 [0066.522] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="$Recycle.bin") returned 1 [0066.522] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="System Volume Information") returned -1 [0066.522] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files") returned -1 [0066.522] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files (x86)") returned -1 [0066.522] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml") returned 96 [0066.522] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpSrch=".ebal") returned 0x0 [0066.522] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.522] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="taridd") returned -1 [0066.522] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.522] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.523] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e0c51fa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x86556ca1, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4473, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", cAlternateFileName="75EF5B~2.XML")) returned 1 [0066.523] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Windows") returned -1 [0066.523] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.523] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.523] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files") returned -1 [0066.523] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.523] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml") returned 100 [0066.523] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.523] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.523] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="taridd") returned -1 [0066.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.523] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e15dbbf, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbc2bb3b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", cAlternateFileName="9984EC~1.XML")) returned 1 [0066.523] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Windows") returned -1 [0066.523] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="$Recycle.bin") returned 1 [0066.523] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="System Volume Information") returned -1 [0066.523] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files") returned -1 [0066.523] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files (x86)") returned -1 [0066.523] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml") returned 96 [0066.523] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpSrch=".ebal") returned 0x0 [0066.523] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.523] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="taridd") returned -1 [0066.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.524] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e1f64ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbb6d045, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", cAlternateFileName="9984EC~2.XML")) returned 1 [0066.524] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Windows") returned -1 [0066.524] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.524] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.524] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files") returned -1 [0066.524] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.524] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml") returned 100 [0066.524] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.524] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.524] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="taridd") returned -1 [0066.524] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.524] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.524] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e24298b, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb9eacc8c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x433c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", cAlternateFileName="ACAE42~1.XML")) returned 1 [0066.524] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Windows") returned -1 [0066.524] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="$Recycle.bin") returned 1 [0066.524] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="System Volume Information") returned -1 [0066.524] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files") returned -1 [0066.524] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files (x86)") returned -1 [0066.524] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml") returned 96 [0066.524] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpSrch=".ebal") returned 0x0 [0066.524] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.524] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="taridd") returned -1 [0066.524] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.524] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.525] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e28ee3c, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xba09c6cc, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x443f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", cAlternateFileName="ACAE42~2.XML")) returned 1 [0066.525] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Windows") returned -1 [0066.525] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.525] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.525] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files") returned -1 [0066.525] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.525] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml") returned 100 [0066.525] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.525] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.525] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="taridd") returned -1 [0066.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.525] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2b5071, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8d3a091, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x442d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", cAlternateFileName="C08025~1.XML")) returned 1 [0066.525] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Windows") returned -1 [0066.525] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="$Recycle.bin") returned 1 [0066.525] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="System Volume Information") returned -1 [0066.525] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files") returned -1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files (x86)") returned -1 [0066.526] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml") returned 96 [0066.526] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpSrch=".ebal") returned 0x0 [0066.526] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.526] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="taridd") returned -1 [0066.526] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.526] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2db2dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8c553ea, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", cAlternateFileName="C08025~2.XML")) returned 1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Windows") returned -1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files") returned -1 [0066.526] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.526] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml") returned 100 [0066.526] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.526] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.526] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="taridd") returned -1 [0066.526] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.526] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e301522, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbb0b32d3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", cAlternateFileName="E80C85~1.XML")) returned 1 [0066.526] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Windows") returned -1 [0066.526] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="$Recycle.bin") returned 1 [0066.526] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="System Volume Information") returned -1 [0066.526] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files") returned -1 [0066.526] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files (x86)") returned -1 [0066.526] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml") returned 96 [0066.527] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpSrch=".ebal") returned 0x0 [0066.527] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.527] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="taridd") returned -1 [0066.527] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.527] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.527] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77e89d5, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e34d9d0, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbaf35d10, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4172, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", cAlternateFileName="E80C85~2.XML")) returned 1 [0066.527] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Windows") returned -1 [0066.527] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.527] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.527] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files") returned -1 [0066.527] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.527] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml") returned 100 [0066.527] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.527] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.527] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="taridd") returned -1 [0066.527] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.528] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e399e7e, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8507a310, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5c3a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", cAlternateFileName="E9D217~1.XML")) returned 1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Windows") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="$Recycle.bin") returned 1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="System Volume Information") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files (x86)") returned -1 [0066.528] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned 96 [0066.528] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpSrch=".ebal") returned 0x0 [0066.528] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.528] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="taridd") returned -1 [0066.528] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.528] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e458a8d, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x85007c03, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x424c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Windows") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files") returned -1 [0066.528] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.528] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned 100 [0066.528] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.528] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.528] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="taridd") returned -1 [0066.528] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.529] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4a4f18, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb806a476, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x43ad, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", cAlternateFileName="FFFD8B~1.XML")) returned 1 [0066.529] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Windows") returned -1 [0066.529] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="$Recycle.bin") returned 1 [0066.529] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="System Volume Information") returned -1 [0066.529] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files") returned -1 [0066.529] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files (x86)") returned -1 [0066.529] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml") returned 96 [0066.529] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpSrch=".ebal") returned 0x0 [0066.529] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.529] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="taridd") returned -1 [0066.529] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.530] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 1 [0066.530] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Windows") returned -1 [0066.530] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0066.530] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="System Volume Information") returned -1 [0066.530] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files") returned -1 [0066.530] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0066.530] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml") returned 100 [0066.530] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpSrch=".ebal") returned 0x0 [0066.530] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.530] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="taridd") returned -1 [0066.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.530] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 0 [0066.530] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0066.531] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0066.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlanding\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.532] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.533] CloseHandle (hObject=0x434) returned 1 [0066.533] GetProcessHeap () returned 0x3a00000 [0066.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.533] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0066.533] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Windows") returned -1 [0066.533] lstrcmpiW (lpString1="SoftLandingStage", lpString2="$Recycle.bin") returned 1 [0066.533] lstrcmpiW (lpString1="SoftLandingStage", lpString2="System Volume Information") returned -1 [0066.533] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files") returned 1 [0066.533] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files (x86)") returned 1 [0066.533] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage") returned 55 [0066.533] lstrcmpW (lpString1="SoftLandingStage", lpString2=".") returned 1 [0066.534] lstrcmpW (lpString1="SoftLandingStage", lpString2="..") returned 1 [0066.534] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.534] GetProcessHeap () returned 0x3a00000 [0066.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.534] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*") returned 57 [0066.534] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0066.534] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.534] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.534] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.534] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.534] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.534] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.") returned 57 [0066.534] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.534] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.534] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.534] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.534] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.534] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.534] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.534] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.534] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.534] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.534] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.535] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\..") returned 58 [0066.535] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.535] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.535] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.535] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.535] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.535] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.535] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.535] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0066.535] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0066.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\softlandingstage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.535] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.536] CloseHandle (hObject=0x434) returned 1 [0066.536] GetProcessHeap () returned 0x3a00000 [0066.536] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.537] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TenantStorage", cAlternateFileName="TENANT~1")) returned 1 [0066.537] lstrcmpiW (lpString1="TenantStorage", lpString2="Windows") returned -1 [0066.537] lstrcmpiW (lpString1="TenantStorage", lpString2="$Recycle.bin") returned 1 [0066.537] lstrcmpiW (lpString1="TenantStorage", lpString2="System Volume Information") returned 1 [0066.537] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files") returned 1 [0066.537] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files (x86)") returned 1 [0066.537] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage") returned 52 [0066.537] lstrcmpW (lpString1="TenantStorage", lpString2=".") returned 1 [0066.537] lstrcmpW (lpString1="TenantStorage", lpString2="..") returned 1 [0066.537] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.537] GetProcessHeap () returned 0x3a00000 [0066.537] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.537] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\*") returned 54 [0066.537] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0066.537] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.537] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.537] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.537] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.537] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.537] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.") returned 54 [0066.537] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.537] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.537] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.537] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.537] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.537] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\." (normalized: "c:\\programdata\\microsoft\\diagnosis\\tenantstorage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.538] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.538] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.538] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.538] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.538] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.538] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.538] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\..") returned 55 [0066.538] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.538] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.538] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.538] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.538] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.538] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\.." (normalized: "c:\\programdata\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.538] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 1 [0066.538] lstrcmpiW (lpString1="P-ARIA", lpString2="Windows") returned -1 [0066.538] lstrcmpiW (lpString1="P-ARIA", lpString2="$Recycle.bin") returned 1 [0066.538] lstrcmpiW (lpString1="P-ARIA", lpString2="System Volume Information") returned -1 [0066.538] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files") returned -1 [0066.538] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files (x86)") returned -1 [0066.538] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA") returned 59 [0066.538] lstrcmpW (lpString1="P-ARIA", lpString2=".") returned 1 [0066.538] lstrcmpW (lpString1="P-ARIA", lpString2="..") returned 1 [0066.538] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.538] GetProcessHeap () returned 0x3a00000 [0066.538] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.538] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*") returned 61 [0066.538] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="叨Φ￿￿扨@￿￿叨Φ\x05")) returned 0xffffffff [0066.549] GetProcessHeap () returned 0x3a00000 [0066.549] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.549] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 0 [0066.549] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0066.549] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0066.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\tenantstorage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.550] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.551] CloseHandle (hObject=0x434) returned 1 [0066.551] GetProcessHeap () returned 0x3a00000 [0066.551] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.551] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 1 [0066.551] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Windows") returned -1 [0066.551] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="$Recycle.bin") returned 1 [0066.552] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="System Volume Information") returned 1 [0066.552] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files") returned 1 [0066.552] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files (x86)") returned 1 [0066.552] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat") returned 63 [0066.552] StrStrIW (lpFirst="VortexSchemaRequests.dat", lpSrch=".ebal") returned 0x0 [0066.552] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.552] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="taridd") returned 1 [0066.552] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat" (normalized: "c:\\programdata\\microsoft\\diagnosis\\vortexschemarequests.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.552] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 0 [0066.552] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0066.553] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 70 [0066.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\diagnosis\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.553] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.554] CloseHandle (hObject=0x430) returned 1 [0066.554] GetProcessHeap () returned 0x3a00000 [0066.554] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.554] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DRM", cAlternateFileName="")) returned 1 [0066.554] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0066.554] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0066.554] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0066.554] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0066.554] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0066.554] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM") returned 32 [0066.554] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0066.554] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0066.554] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.554] GetProcessHeap () returned 0x3a00000 [0066.554] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.554] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*") returned 34 [0066.554] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0066.554] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.554] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.555] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.555] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.555] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.555] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\.") returned 34 [0066.555] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.555] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.555] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.555] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.555] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.555] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.555] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.555] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\..") returned 35 [0066.555] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.555] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.555] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 1 [0066.555] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0066.555] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0066.555] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0066.555] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0066.555] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0066.555] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server") returned 39 [0066.555] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0066.555] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0066.555] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.555] GetProcessHeap () returned 0x3a00000 [0066.555] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.555] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*") returned 41 [0066.555] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.556] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.556] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.556] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.556] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.556] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.556] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.") returned 41 [0066.556] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.556] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0066.556] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.556] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0066.556] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\." (normalized: "c:\\programdata\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.556] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.556] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.557] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.557] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.557] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.557] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.557] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..") returned 42 [0066.557] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.557] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.557] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0066.557] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0066.557] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0066.557] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.557] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\programdata\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.557] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.557] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0066.557] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0066.557] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.557] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.558] CloseHandle (hObject=0x434) returned 1 [0066.558] GetProcessHeap () returned 0x3a00000 [0066.558] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.558] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 0 [0066.559] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0066.559] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0066.559] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\drm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.559] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.560] CloseHandle (hObject=0x430) returned 1 [0066.560] GetProcessHeap () returned 0x3a00000 [0066.560] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.560] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0x40368daa, ftLastWriteTime.dwHighDateTime=0x1d39f5f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0066.560] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0066.560] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0066.560] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0066.560] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0066.560] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0066.560] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer") returned 41 [0066.560] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0066.560] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0066.560] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.560] GetProcessHeap () returned 0x3a00000 [0066.560] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.560] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*") returned 43 [0066.560] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0xfbfe5ab1, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0066.561] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.561] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.561] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.561] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.561] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.561] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\.") returned 43 [0066.561] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.561] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0x40368daa, ftLastAccessTime.dwHighDateTime=0x1d39f5f, ftLastWriteTime.dwLowDateTime=0xfbfe5ab1, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.561] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.562] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.562] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.562] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\..") returned 44 [0066.562] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.562] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.562] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 1 [0066.562] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0066.562] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0066.562] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0066.562] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0066.562] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0066.562] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views") returned 47 [0066.562] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0066.562] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0066.562] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.562] GetProcessHeap () returned 0x3a00000 [0066.562] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.562] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*") returned 49 [0066.562] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0066.562] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.562] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.562] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.562] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\.") returned 49 [0066.562] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.562] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.563] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.563] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.563] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.563] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.563] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.563] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\..") returned 50 [0066.563] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.563] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.563] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0066.563] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0066.563] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0066.563] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0066.563] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0066.563] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0066.563] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 72 [0066.563] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0066.563] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0066.563] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.563] GetProcessHeap () returned 0x3a00000 [0066.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.563] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 74 [0066.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0066.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.563] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.563] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.563] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 74 [0066.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.564] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 75 [0066.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.564] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.564] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0066.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0066.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\applicationviewsrootnode\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.565] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.566] CloseHandle (hObject=0x438) returned 1 [0066.566] GetProcessHeap () returned 0x3a00000 [0066.566] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.566] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0066.566] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0066.566] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0066.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\views\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.567] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.568] CloseHandle (hObject=0x434) returned 1 [0066.568] GetProcessHeap () returned 0x3a00000 [0066.568] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.568] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 0 [0066.568] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0066.568] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0066.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\event viewer\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.568] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.569] CloseHandle (hObject=0x430) returned 1 [0066.569] GetProcessHeap () returned 0x3a00000 [0066.569] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.569] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0066.569] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0066.569] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0066.569] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0066.569] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0066.569] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0066.570] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL") returned 40 [0066.570] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0066.570] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0066.570] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.570] GetProcessHeap () returned 0x3a00000 [0066.570] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.570] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*") returned 42 [0066.570] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0066.570] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.570] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.570] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.570] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.570] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.570] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\.") returned 42 [0066.570] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.570] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.570] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.570] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.570] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.570] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.570] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.570] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\..") returned 43 [0066.570] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.570] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.570] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="INT", cAlternateFileName="")) returned 1 [0066.570] lstrcmpiW (lpString1="INT", lpString2="Windows") returned -1 [0066.570] lstrcmpiW (lpString1="INT", lpString2="$Recycle.bin") returned 1 [0066.570] lstrcmpiW (lpString1="INT", lpString2="System Volume Information") returned -1 [0066.571] lstrcmpiW (lpString1="INT", lpString2="Program Files") returned -1 [0066.571] lstrcmpiW (lpString1="INT", lpString2="Program Files (x86)") returned -1 [0066.571] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT") returned 44 [0066.571] lstrcmpW (lpString1="INT", lpString2=".") returned 1 [0066.571] lstrcmpW (lpString1="INT", lpString2="..") returned 1 [0066.571] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.571] GetProcessHeap () returned 0x3a00000 [0066.571] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.571] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*") returned 46 [0066.571] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0066.571] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.571] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.571] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.571] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\.") returned 46 [0066.571] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.571] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7b0839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.571] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.571] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.571] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.571] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.571] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.571] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\..") returned 47 [0066.571] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.571] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.571] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0066.571] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Windows") returned -1 [0066.571] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="$Recycle.bin") returned 1 [0066.571] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="System Volume Information") returned -1 [0066.572] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files") returned -1 [0066.572] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files (x86)") returned -1 [0066.572] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll") returned 63 [0066.572] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch=".ebal") returned 0x0 [0066.572] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.572] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="taridd") returned -1 [0066.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.572] GetTickCount () returned 0x11510b6 [0066.572] GetTickCount () returned 0x11510b6 [0066.572] GetTickCount () returned 0x11510b6 [0066.572] GetTickCount () returned 0x11510b6 [0066.572] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.572] GetProcessHeap () returned 0x3a00000 [0066.572] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.572] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.574] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.574] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.575] GetProcessHeap () returned 0x3a00000 [0066.575] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.575] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.575] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.575] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.575] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.575] CloseHandle (hObject=0x438) returned 1 [0066.575] GetProcessHeap () returned 0x3a00000 [0066.575] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.575] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal") returned 82 [0066.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal")) returned 1 [0066.576] GetProcessHeap () returned 0x3a00000 [0066.576] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.576] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x62e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 0 [0066.576] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0066.576] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0066.576] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\int\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.577] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.578] CloseHandle (hObject=0x434) returned 1 [0066.578] GetProcessHeap () returned 0x3a00000 [0066.578] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.578] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0066.578] lstrcmpiW (lpString1="production", lpString2="Windows") returned -1 [0066.578] lstrcmpiW (lpString1="production", lpString2="$Recycle.bin") returned 1 [0066.578] lstrcmpiW (lpString1="production", lpString2="System Volume Information") returned -1 [0066.578] lstrcmpiW (lpString1="production", lpString2="Program Files") returned -1 [0066.578] lstrcmpiW (lpString1="production", lpString2="Program Files (x86)") returned -1 [0066.578] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production") returned 51 [0066.578] lstrcmpW (lpString1="production", lpString2=".") returned 1 [0066.578] lstrcmpW (lpString1="production", lpString2="..") returned 1 [0066.578] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.578] GetProcessHeap () returned 0x3a00000 [0066.578] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.578] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*") returned 53 [0066.578] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0066.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.578] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\.") returned 53 [0066.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.578] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.579] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.579] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.579] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.579] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.579] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.579] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\..") returned 54 [0066.579] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.579] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.579] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x97ce8d28, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x60e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll", cAlternateFileName="PPCRLC~1.DLL")) returned 1 [0066.579] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Windows") returned -1 [0066.579] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="$Recycle.bin") returned 1 [0066.579] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="System Volume Information") returned -1 [0066.579] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files") returned -1 [0066.579] lstrcmpiW (lpString1="ppcrlconfig600.dll", lpString2="Program Files (x86)") returned -1 [0066.579] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll") returned 70 [0066.579] StrStrIW (lpFirst="ppcrlconfig600.dll", lpSrch=".ebal") returned 0x0 [0066.579] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.579] lstrcmpW (lpString1="ppcrlconfig600.dll", lpString2="taridd") returned -1 [0066.579] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.579] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.579] GetTickCount () returned 0x11510b6 [0066.579] GetTickCount () returned 0x11510b6 [0066.579] GetTickCount () returned 0x11510b6 [0066.579] GetTickCount () returned 0x11510b6 [0066.580] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.580] GetProcessHeap () returned 0x3a00000 [0066.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.580] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.584] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.584] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.585] GetProcessHeap () returned 0x3a00000 [0066.585] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.585] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.585] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.585] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.585] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.585] CloseHandle (hObject=0x438) returned 1 [0066.585] GetProcessHeap () returned 0x3a00000 [0066.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.585] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal") returned 89 [0066.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal")) returned 1 [0066.586] GetProcessHeap () returned 0x3a00000 [0066.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.586] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 1 [0066.586] lstrcmpiW (lpString1="temp", lpString2="Windows") returned -1 [0066.586] lstrcmpiW (lpString1="temp", lpString2="$Recycle.bin") returned 1 [0066.586] lstrcmpiW (lpString1="temp", lpString2="System Volume Information") returned 1 [0066.586] lstrcmpiW (lpString1="temp", lpString2="Program Files") returned 1 [0066.586] lstrcmpiW (lpString1="temp", lpString2="Program Files (x86)") returned 1 [0066.586] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp") returned 56 [0066.586] lstrcmpW (lpString1="temp", lpString2=".") returned 1 [0066.586] lstrcmpW (lpString1="temp", lpString2="..") returned 1 [0066.586] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.586] GetProcessHeap () returned 0x3a00000 [0066.586] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.586] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*") returned 58 [0066.586] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0066.592] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\.") returned 58 [0066.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.592] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\..") returned 59 [0066.592] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.592] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.592] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.592] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0066.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0066.592] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.593] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.594] CloseHandle (hObject=0x438) returned 1 [0066.594] GetProcessHeap () returned 0x3a00000 [0066.594] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.594] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 0 [0066.594] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0066.594] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0066.594] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\production\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.597] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.598] CloseHandle (hObject=0x434) returned 1 [0066.598] GetProcessHeap () returned 0x3a00000 [0066.598] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.598] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x46b00d5c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x46b00d5c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0 [0066.598] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0066.599] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0066.599] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\identitycrl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.599] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.600] CloseHandle (hObject=0x430) returned 1 [0066.600] GetProcessHeap () returned 0x3a00000 [0066.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.600] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MapData", cAlternateFileName="")) returned 1 [0066.600] lstrcmpiW (lpString1="MapData", lpString2="Windows") returned -1 [0066.600] lstrcmpiW (lpString1="MapData", lpString2="$Recycle.bin") returned 1 [0066.600] lstrcmpiW (lpString1="MapData", lpString2="System Volume Information") returned -1 [0066.601] lstrcmpiW (lpString1="MapData", lpString2="Program Files") returned -1 [0066.601] lstrcmpiW (lpString1="MapData", lpString2="Program Files (x86)") returned -1 [0066.601] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData") returned 36 [0066.601] lstrcmpW (lpString1="MapData", lpString2=".") returned 1 [0066.601] lstrcmpW (lpString1="MapData", lpString2="..") returned 1 [0066.601] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MapData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.601] GetProcessHeap () returned 0x3a00000 [0066.601] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.601] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*") returned 38 [0066.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0066.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.601] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\.") returned 38 [0066.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.601] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.601] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\..") returned 39 [0066.602] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.602] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.602] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.602] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0066.602] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0066.602] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\mapdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.603] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.604] CloseHandle (hObject=0x430) returned 1 [0066.604] GetProcessHeap () returned 0x3a00000 [0066.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.604] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MF", cAlternateFileName="")) returned 1 [0066.604] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0066.604] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0066.604] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0066.604] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0066.604] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0066.604] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF") returned 31 [0066.604] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0066.604] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0066.604] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\MF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.604] GetProcessHeap () returned 0x3a00000 [0066.604] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.604] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*") returned 33 [0066.604] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0066.604] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.604] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.604] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.604] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\.") returned 33 [0066.605] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.605] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80d7aa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8b18c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.605] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\..") returned 34 [0066.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.605] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Active.GRL", cAlternateFileName="")) returned 1 [0066.605] lstrcmpiW (lpString1="Active.GRL", lpString2="Windows") returned -1 [0066.605] lstrcmpiW (lpString1="Active.GRL", lpString2="$Recycle.bin") returned 1 [0066.605] lstrcmpiW (lpString1="Active.GRL", lpString2="System Volume Information") returned -1 [0066.605] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files") returned -1 [0066.605] lstrcmpiW (lpString1="Active.GRL", lpString2="Program Files (x86)") returned -1 [0066.605] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL") returned 42 [0066.605] StrStrIW (lpFirst="Active.GRL", lpSrch=".ebal") returned 0x0 [0066.605] lstrcmpW (lpString1="Active.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.605] lstrcmpW (lpString1="Active.GRL", lpString2="taridd") returned -1 [0066.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.605] GetTickCount () returned 0x11510d5 [0066.605] GetTickCount () returned 0x11510d5 [0066.605] GetTickCount () returned 0x11510d5 [0066.605] GetTickCount () returned 0x11510d5 [0066.605] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0066.606] GetProcessHeap () returned 0x3a00000 [0066.606] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.606] ReadFile (in: hFile=0x434, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0066.607] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.608] WriteFile (in: hFile=0x434, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0066.608] GetProcessHeap () returned 0x3a00000 [0066.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.608] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.608] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0066.609] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0066.609] CloseHandle (hObject=0x434) returned 1 [0066.609] GetProcessHeap () returned 0x3a00000 [0066.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.609] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_r00t_{8ew5f6}.ebal") returned 61 [0066.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Active.GRL_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\mf\\active.grl_r00t_{8ew5f6}.ebal")) returned 1 [0066.609] GetProcessHeap () returned 0x3a00000 [0066.609] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.609] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL", cAlternateFileName="")) returned 1 [0066.609] lstrcmpiW (lpString1="Pending.GRL", lpString2="Windows") returned -1 [0066.609] lstrcmpiW (lpString1="Pending.GRL", lpString2="$Recycle.bin") returned 1 [0066.609] lstrcmpiW (lpString1="Pending.GRL", lpString2="System Volume Information") returned -1 [0066.610] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files") returned -1 [0066.610] lstrcmpiW (lpString1="Pending.GRL", lpString2="Program Files (x86)") returned -1 [0066.610] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL") returned 43 [0066.610] StrStrIW (lpFirst="Pending.GRL", lpSrch=".ebal") returned 0x0 [0066.610] lstrcmpW (lpString1="Pending.GRL", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.610] lstrcmpW (lpString1="Pending.GRL", lpString2="taridd") returned -1 [0066.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.610] GetTickCount () returned 0x11510d5 [0066.610] GetTickCount () returned 0x11510d5 [0066.610] GetTickCount () returned 0x11510d5 [0066.610] GetTickCount () returned 0x11510d5 [0066.611] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0066.611] GetProcessHeap () returned 0x3a00000 [0066.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.611] ReadFile (in: hFile=0x434, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0066.612] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.613] WriteFile (in: hFile=0x434, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0066.613] GetProcessHeap () returned 0x3a00000 [0066.613] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.613] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.613] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0066.613] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0066.613] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0066.613] CloseHandle (hObject=0x434) returned 1 [0066.613] GetProcessHeap () returned 0x3a00000 [0066.613] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.613] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_r00t_{8ew5f6}.ebal") returned 62 [0066.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\Pending.GRL_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\mf\\pending.grl_r00t_{8ew5f6}.ebal")) returned 1 [0066.614] GetProcessHeap () returned 0x3a00000 [0066.614] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.614] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3a7c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL", cAlternateFileName="")) returned 0 [0066.614] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0066.614] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 63 [0066.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\mf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.614] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.615] CloseHandle (hObject=0x430) returned 1 [0066.615] GetProcessHeap () returned 0x3a00000 [0066.615] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.615] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0066.615] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0066.615] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0066.615] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0066.615] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0066.615] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0066.615] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework") returned 41 [0066.615] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0066.615] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0066.615] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.616] GetProcessHeap () returned 0x3a00000 [0066.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*") returned 43 [0066.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0066.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\.") returned 43 [0066.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.616] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\..") returned 44 [0066.616] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.616] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.616] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0066.616] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0066.616] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0066.616] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0066.616] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0066.616] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0066.617] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore") returned 57 [0066.617] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0066.617] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0066.617] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.617] GetProcessHeap () returned 0x3a00000 [0066.617] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.617] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 59 [0066.617] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0066.617] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.617] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.617] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.617] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.617] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.617] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 59 [0066.617] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.617] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.617] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.617] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.617] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.617] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.617] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.617] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 60 [0066.617] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.617] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.617] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.617] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0066.617] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0066.618] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\breadcrumbstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.618] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.619] CloseHandle (hObject=0x434) returned 1 [0066.620] GetProcessHeap () returned 0x3a00000 [0066.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.620] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0066.620] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0066.620] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0066.620] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\netframework\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.620] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.621] CloseHandle (hObject=0x430) returned 1 [0066.621] GetProcessHeap () returned 0x3a00000 [0066.621] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.622] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network", cAlternateFileName="")) returned 1 [0066.622] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0066.622] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0066.622] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0066.622] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0066.622] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0066.622] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network") returned 36 [0066.622] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0066.622] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0066.622] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.622] GetProcessHeap () returned 0x3a00000 [0066.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.622] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*") returned 38 [0066.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0066.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.622] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\.") returned 38 [0066.622] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.622] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.622] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.622] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.622] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.622] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.622] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.622] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\..") returned 39 [0066.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.623] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0066.623] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0066.623] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0066.623] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0066.623] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0066.623] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0066.623] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections") returned 48 [0066.623] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0066.623] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0066.623] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.623] GetProcessHeap () returned 0x3a00000 [0066.623] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.623] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*") returned 50 [0066.623] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.623] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.623] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.623] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.623] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.623] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.623] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\.") returned 50 [0066.623] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.623] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.624] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\..") returned 51 [0066.624] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.624] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cm", cAlternateFileName="")) returned 1 [0066.624] lstrcmpiW (lpString1="Cm", lpString2="Windows") returned -1 [0066.624] lstrcmpiW (lpString1="Cm", lpString2="$Recycle.bin") returned 1 [0066.624] lstrcmpiW (lpString1="Cm", lpString2="System Volume Information") returned -1 [0066.624] lstrcmpiW (lpString1="Cm", lpString2="Program Files") returned -1 [0066.624] lstrcmpiW (lpString1="Cm", lpString2="Program Files (x86)") returned -1 [0066.624] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm") returned 51 [0066.624] lstrcmpW (lpString1="Cm", lpString2=".") returned 1 [0066.624] lstrcmpW (lpString1="Cm", lpString2="..") returned 1 [0066.624] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.624] GetProcessHeap () returned 0x3a00000 [0066.624] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.624] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\*") returned 53 [0066.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0066.625] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.625] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.625] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.625] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.625] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\.") returned 53 [0066.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.625] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.625] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.625] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.625] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.625] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\..") returned 54 [0066.625] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.625] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.625] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.625] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0066.625] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0066.625] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\cm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.626] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.627] CloseHandle (hObject=0x438) returned 1 [0066.627] GetProcessHeap () returned 0x3a00000 [0066.627] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.627] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 1 [0066.627] lstrcmpiW (lpString1="CM_old", lpString2="Windows") returned -1 [0066.627] lstrcmpiW (lpString1="CM_old", lpString2="$Recycle.bin") returned 1 [0066.627] lstrcmpiW (lpString1="CM_old", lpString2="System Volume Information") returned -1 [0066.627] lstrcmpiW (lpString1="CM_old", lpString2="Program Files") returned -1 [0066.627] lstrcmpiW (lpString1="CM_old", lpString2="Program Files (x86)") returned -1 [0066.627] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old") returned 55 [0066.627] lstrcmpW (lpString1="CM_old", lpString2=".") returned 1 [0066.627] lstrcmpW (lpString1="CM_old", lpString2="..") returned 1 [0066.627] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.627] GetProcessHeap () returned 0x3a00000 [0066.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.627] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\*") returned 57 [0066.627] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0066.628] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.628] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.628] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\.") returned 57 [0066.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.628] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\..") returned 58 [0066.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.628] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0066.628] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0066.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0066.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\cm_old\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.629] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.642] CloseHandle (hObject=0x438) returned 1 [0066.642] GetProcessHeap () returned 0x3a00000 [0066.642] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.642] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 0 [0066.642] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0066.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0066.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\connections\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.643] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.644] CloseHandle (hObject=0x434) returned 1 [0066.644] GetProcessHeap () returned 0x3a00000 [0066.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.644] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0066.644] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0066.644] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0066.644] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0066.644] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0066.644] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0066.644] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader") returned 47 [0066.644] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0066.644] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0066.644] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.644] GetProcessHeap () returned 0x3a00000 [0066.644] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.644] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*") returned 49 [0066.644] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0066.644] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.644] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.645] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.645] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.645] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\.") returned 49 [0066.645] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.645] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.645] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.645] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.645] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.645] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.645] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\..") returned 50 [0066.645] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.645] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.645] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe9e73558, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0066.645] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0066.645] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0066.645] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0066.645] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0066.645] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0066.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk") returned 55 [0066.645] StrStrIW (lpFirst="edb.chk", lpSrch=".ebal") returned 0x0 [0066.645] lstrcmpW (lpString1="edb.chk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.645] lstrcmpW (lpString1="edb.chk", lpString2="taridd") returned -1 [0066.645] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.645] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.646] GetTickCount () returned 0x1151104 [0066.646] GetTickCount () returned 0x1151104 [0066.646] GetTickCount () returned 0x1151104 [0066.646] GetTickCount () returned 0x1151104 [0066.646] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.646] GetProcessHeap () returned 0x3a00000 [0066.646] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.646] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0066.646] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.646] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0066.646] GetProcessHeap () returned 0x3a00000 [0066.646] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.646] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.646] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.647] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.647] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.647] CloseHandle (hObject=0x438) returned 1 [0066.647] GetProcessHeap () returned 0x3a00000 [0066.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.647] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk_r00t_{8ew5f6}.ebal") returned 74 [0066.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.chk_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.chk_r00t_{8ew5f6}.ebal")) returned 1 [0066.647] GetProcessHeap () returned 0x3a00000 [0066.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.647] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e26fff, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576f6993, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0066.648] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0066.648] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0066.648] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0066.648] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0066.648] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0066.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log") returned 55 [0066.648] StrStrIW (lpFirst="edb.log", lpSrch=".ebal") returned 0x0 [0066.648] lstrcmpW (lpString1="edb.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.648] lstrcmpW (lpString1="edb.log", lpString2="taridd") returned -1 [0066.648] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edb.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.648] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e4d293, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc5e734dc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0066.648] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0066.648] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0066.648] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0066.648] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0066.648] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0066.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs") returned 63 [0066.648] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".ebal") returned 0x0 [0066.648] lstrcmpW (lpString1="edbres00001.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.648] lstrcmpW (lpString1="edbres00001.jrs", lpString2="taridd") returned -1 [0066.648] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.649] GetTickCount () returned 0x1151104 [0066.649] GetTickCount () returned 0x1151104 [0066.649] GetTickCount () returned 0x1151104 [0066.649] GetTickCount () returned 0x1151104 [0066.649] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.649] GetProcessHeap () returned 0x3a00000 [0066.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.649] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.651] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.651] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.652] GetProcessHeap () returned 0x3a00000 [0066.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.652] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.652] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.676] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.676] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.683] CloseHandle (hObject=0x438) returned 1 [0066.684] GetProcessHeap () returned 0x3a00000 [0066.684] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.684] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs_r00t_{8ew5f6}.ebal") returned 82 [0066.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00001.jrs_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00001.jrs_r00t_{8ew5f6}.ebal")) returned 1 [0066.684] GetProcessHeap () returned 0x3a00000 [0066.684] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.684] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc5e734dc, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0066.684] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0066.684] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0066.684] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0066.684] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0066.684] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0066.684] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs") returned 63 [0066.684] StrStrIW (lpFirst="edbres00002.jrs", lpSrch=".ebal") returned 0x0 [0066.684] lstrcmpW (lpString1="edbres00002.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.684] lstrcmpW (lpString1="edbres00002.jrs", lpString2="taridd") returned -1 [0066.684] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.685] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.685] GetTickCount () returned 0x1151123 [0066.685] GetTickCount () returned 0x1151123 [0066.685] GetTickCount () returned 0x1151123 [0066.685] GetTickCount () returned 0x1151123 [0066.685] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.685] GetProcessHeap () returned 0x3a00000 [0066.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.685] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.687] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.687] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.688] GetProcessHeap () returned 0x3a00000 [0066.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.688] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.688] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.713] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.713] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.713] CloseHandle (hObject=0x438) returned 1 [0066.713] GetProcessHeap () returned 0x3a00000 [0066.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs_r00t_{8ew5f6}.ebal") returned 82 [0066.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbres00002.jrs_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbres00002.jrs_r00t_{8ew5f6}.ebal")) returned 1 [0066.714] GetProcessHeap () returned 0x3a00000 [0066.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc63d09b3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0066.714] lstrcmpiW (lpString1="edbtmp.log", lpString2="Windows") returned -1 [0066.714] lstrcmpiW (lpString1="edbtmp.log", lpString2="$Recycle.bin") returned 1 [0066.714] lstrcmpiW (lpString1="edbtmp.log", lpString2="System Volume Information") returned -1 [0066.714] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files") returned -1 [0066.714] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files (x86)") returned -1 [0066.714] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log") returned 58 [0066.714] StrStrIW (lpFirst="edbtmp.log", lpSrch=".ebal") returned 0x0 [0066.714] lstrcmpW (lpString1="edbtmp.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.714] lstrcmpW (lpString1="edbtmp.log", lpString2="taridd") returned -1 [0066.714] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.714] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.715] GetTickCount () returned 0x1151142 [0066.715] GetTickCount () returned 0x1151142 [0066.715] GetTickCount () returned 0x1151142 [0066.715] GetTickCount () returned 0x1151142 [0066.715] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.715] GetProcessHeap () returned 0x3a00000 [0066.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.715] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.717] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.717] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0066.717] GetProcessHeap () returned 0x3a00000 [0066.717] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.717] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.717] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.718] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.718] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.718] CloseHandle (hObject=0x438) returned 1 [0066.718] GetProcessHeap () returned 0x3a00000 [0066.718] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.718] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log_r00t_{8ew5f6}.ebal") returned 77 [0066.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\edbtmp.log_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\edbtmp.log_r00t_{8ew5f6}.ebal")) returned 1 [0066.718] GetProcessHeap () returned 0x3a00000 [0066.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.719] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5e99732, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e99732, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe49b4985, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.db", cAlternateFileName="")) returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.db", lpString2="Windows") returned -1 [0066.719] lstrcmpiW (lpString1="qmgr.db", lpString2="$Recycle.bin") returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.db", lpString2="System Volume Information") returned -1 [0066.719] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files") returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files (x86)") returned 1 [0066.719] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db") returned 55 [0066.719] StrStrIW (lpFirst="qmgr.db", lpSrch=".ebal") returned 0x0 [0066.719] lstrcmpW (lpString1="qmgr.db", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.719] lstrcmpW (lpString1="qmgr.db", lpString2="taridd") returned -1 [0066.719] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.719] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Windows") returned -1 [0066.719] lstrcmpiW (lpString1="qmgr.jfm", lpString2="$Recycle.bin") returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.jfm", lpString2="System Volume Information") returned -1 [0066.719] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files") returned 1 [0066.719] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files (x86)") returned 1 [0066.719] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm") returned 56 [0066.719] StrStrIW (lpFirst="qmgr.jfm", lpSrch=".ebal") returned 0x0 [0066.719] lstrcmpW (lpString1="qmgr.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.719] lstrcmpW (lpString1="qmgr.jfm", lpString2="taridd") returned -1 [0066.719] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.jfm" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.720] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 0 [0066.720] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0066.720] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0066.720] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.725] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.726] CloseHandle (hObject=0x434) returned 1 [0066.726] GetProcessHeap () returned 0x3a00000 [0066.726] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.726] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc6206d3e, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xc6206d3e, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0066.726] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0066.726] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0066.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\network\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.726] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.727] CloseHandle (hObject=0x430) returned 1 [0066.727] GetProcessHeap () returned 0x3a00000 [0066.727] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.727] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Office", cAlternateFileName="")) returned 1 [0066.727] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0066.728] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0066.728] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0066.728] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0066.728] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0066.728] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office") returned 35 [0066.728] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0066.728] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0066.728] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Office", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.728] GetProcessHeap () returned 0x3a00000 [0066.728] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.728] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*") returned 37 [0066.728] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0066.728] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.728] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.728] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.728] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.728] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.728] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\.") returned 37 [0066.728] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.728] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.728] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.728] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.728] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.728] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.728] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.728] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\..") returned 38 [0066.728] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.729] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0066.729] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Windows") returned -1 [0066.729] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="$Recycle.bin") returned 1 [0066.729] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="System Volume Information") returned -1 [0066.729] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files") returned -1 [0066.729] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files (x86)") returned -1 [0066.729] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker") returned 59 [0066.729] StrStrIW (lpFirst="ClickToRunPackageLocker", lpSrch=".ebal") returned 0x0 [0066.729] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.729] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="taridd") returned -1 [0066.729] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.729] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\programdata\\microsoft\\office\\clicktorunpackagelocker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.729] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 0 [0066.729] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0066.729] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0066.729] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\office\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0066.729] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0066.730] CloseHandle (hObject=0x430) returned 1 [0066.730] GetProcessHeap () returned 0x3a00000 [0066.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0066.730] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0066.730] lstrcmpiW (lpString1="Provisioning", lpString2="Windows") returned -1 [0066.731] lstrcmpiW (lpString1="Provisioning", lpString2="$Recycle.bin") returned 1 [0066.731] lstrcmpiW (lpString1="Provisioning", lpString2="System Volume Information") returned -1 [0066.731] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files") returned 1 [0066.731] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files (x86)") returned 1 [0066.731] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning") returned 41 [0066.731] lstrcmpW (lpString1="Provisioning", lpString2=".") returned 1 [0066.731] lstrcmpW (lpString1="Provisioning", lpString2="..") returned 1 [0066.731] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.731] GetProcessHeap () returned 0x3a00000 [0066.731] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0066.731] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*") returned 43 [0066.731] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0066.732] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.732] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.732] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.732] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.732] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.732] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\.") returned 43 [0066.732] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.732] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.733] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.733] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.733] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.733] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.733] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.733] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\..") returned 44 [0066.733] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.733] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.733] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60aed0fe, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x60aed0fe, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x60aed0fe, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70bb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0066.733] lstrcmpiW (lpString1="countrytable.xml", lpString2="Windows") returned -1 [0066.733] lstrcmpiW (lpString1="countrytable.xml", lpString2="$Recycle.bin") returned 1 [0066.733] lstrcmpiW (lpString1="countrytable.xml", lpString2="System Volume Information") returned -1 [0066.733] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files") returned -1 [0066.733] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files (x86)") returned -1 [0066.733] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml") returned 58 [0066.733] StrStrIW (lpFirst="countrytable.xml", lpSrch=".ebal") returned 0x0 [0066.733] lstrcmpW (lpString1="countrytable.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.733] lstrcmpW (lpString1="countrytable.xml", lpString2="taridd") returned -1 [0066.733] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.733] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0066.735] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0066.735] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Windows") returned -1 [0066.735] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="$Recycle.bin") returned 1 [0066.735] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="System Volume Information") returned -1 [0066.735] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files") returned -1 [0066.735] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files (x86)") returned -1 [0066.735] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 80 [0066.735] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2=".") returned 1 [0066.735] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="..") returned 1 [0066.735] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.735] GetProcessHeap () returned 0x3a00000 [0066.735] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.735] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*") returned 82 [0066.735] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0066.736] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.736] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.736] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.736] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.736] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.736] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\.") returned 82 [0066.736] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.736] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.736] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.736] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.736] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.736] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.736] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.736] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\..") returned 83 [0066.736] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.736] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.736] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ea7c91, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ea7c91, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ea7c91, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x98c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0066.736] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0066.736] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0066.736] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0066.737] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0066.737] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0066.737] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml") returned 99 [0066.737] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0066.737] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.737] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0066.737] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.737] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.737] GetTickCount () returned 0x1151152 [0066.737] GetTickCount () returned 0x1151152 [0066.737] GetTickCount () returned 0x1151152 [0066.737] GetTickCount () returned 0x1151152 [0066.737] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.737] GetProcessHeap () returned 0x3a00000 [0066.737] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.737] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x98c, lpOverlapped=0x0) returned 1 [0066.741] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff674, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.741] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x98c, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x98c, lpOverlapped=0x0) returned 1 [0066.741] GetProcessHeap () returned 0x3a00000 [0066.741] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.741] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.741] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.741] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.741] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.741] CloseHandle (hObject=0x438) returned 1 [0066.741] GetProcessHeap () returned 0x3a00000 [0066.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0066.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.742] GetProcessHeap () returned 0x3a00000 [0066.742] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.742] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0066.742] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0066.742] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0066.742] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0066.742] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0066.742] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0066.742] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml") returned 100 [0066.742] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0066.742] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.742] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0066.742] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.742] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.744] GetTickCount () returned 0x1151161 [0066.744] GetTickCount () returned 0x1151161 [0066.744] GetTickCount () returned 0x1151161 [0066.744] GetTickCount () returned 0x1151161 [0066.744] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.744] GetProcessHeap () returned 0x3a00000 [0066.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.744] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0066.745] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.745] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0066.745] GetProcessHeap () returned 0x3a00000 [0066.745] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.745] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.745] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.746] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.746] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.747] CloseHandle (hObject=0x438) returned 1 [0066.747] GetProcessHeap () returned 0x3a00000 [0066.747] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.747] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0066.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.747] GetProcessHeap () returned 0x3a00000 [0066.747] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.747] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0066.747] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0066.747] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0066.747] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0066.747] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0066.747] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0066.748] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned 85 [0066.748] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0066.748] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0066.748] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.748] GetProcessHeap () returned 0x3a00000 [0066.748] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*") returned 87 [0066.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0066.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.748] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.748] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.748] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.748] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\.") returned 87 [0066.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.748] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.748] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.748] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.748] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.748] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\..") returned 88 [0066.748] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.748] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.748] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0066.748] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0066.748] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0066.748] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0066.749] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0066.749] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0066.749] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned 93 [0066.749] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0066.749] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0066.749] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.749] GetProcessHeap () returned 0x3a00000 [0066.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*") returned 95 [0066.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0066.749] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.749] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.749] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.749] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.749] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\.") returned 95 [0066.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.749] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.749] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.749] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.749] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.749] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.749] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\..") returned 96 [0066.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.749] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0066.750] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0066.750] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0066.750] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0066.750] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0066.750] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0066.750] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0066.750] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0066.750] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.750] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0066.750] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0066.750] GetTickCount () returned 0x1151161 [0066.750] GetTickCount () returned 0x1151161 [0066.751] GetTickCount () returned 0x1151161 [0066.751] GetTickCount () returned 0x1151161 [0066.751] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0066.751] GetProcessHeap () returned 0x3a00000 [0066.751] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0066.751] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x71e, lpOverlapped=0x0) returned 1 [0066.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff8e2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x71e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x71e, lpOverlapped=0x0) returned 1 [0066.752] GetProcessHeap () returned 0x3a00000 [0066.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0066.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0066.752] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0066.753] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0066.753] CloseHandle (hObject=0x440) returned 1 [0066.753] GetProcessHeap () returned 0x3a00000 [0066.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0066.753] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0066.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0066.753] GetProcessHeap () returned 0x3a00000 [0066.753] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0066.753] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0066.753] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0066.753] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0066.753] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.754] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.755] CloseHandle (hObject=0x43c) returned 1 [0066.755] GetProcessHeap () returned 0x3a00000 [0066.755] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.755] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0066.755] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0066.755] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0066.755] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0066.755] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0066.755] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0066.755] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml") returned 97 [0066.755] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0066.755] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.755] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0066.755] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.755] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0066.756] GetTickCount () returned 0x1151171 [0066.756] GetTickCount () returned 0x1151171 [0066.756] GetTickCount () returned 0x1151171 [0066.756] GetTickCount () returned 0x1151171 [0066.756] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0066.756] GetProcessHeap () returned 0x3a00000 [0066.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0066.756] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x243, lpOverlapped=0x0) returned 1 [0066.757] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffdbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.757] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x243, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x243, lpOverlapped=0x0) returned 1 [0066.757] GetProcessHeap () returned 0x3a00000 [0066.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0066.757] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.757] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0066.758] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0066.758] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0066.758] CloseHandle (hObject=0x43c) returned 1 [0066.758] GetProcessHeap () returned 0x3a00000 [0066.758] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.758] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0066.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.759] GetProcessHeap () returned 0x3a00000 [0066.759] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0066.759] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x243, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0066.759] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0066.759] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0066.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.760] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0066.760] CloseHandle (hObject=0x438) returned 1 [0066.761] GetProcessHeap () returned 0x3a00000 [0066.761] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.761] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0066.761] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0066.761] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0066.761] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0066.763] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0066.765] CloseHandle (hObject=0x434) returned 1 [0066.765] GetProcessHeap () returned 0x3a00000 [0066.765] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0066.765] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0066.765] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Windows") returned -1 [0066.765] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="$Recycle.bin") returned 1 [0066.765] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="System Volume Information") returned -1 [0066.765] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files") returned -1 [0066.765] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files (x86)") returned -1 [0066.765] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 80 [0066.765] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2=".") returned 1 [0066.765] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="..") returned 1 [0066.765] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.765] GetProcessHeap () returned 0x3a00000 [0066.765] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0066.765] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*") returned 82 [0066.765] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0066.771] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.771] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.771] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.771] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.771] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.771] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\.") returned 82 [0066.771] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.771] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.772] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\..") returned 83 [0066.772] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.772] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.772] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ebc18d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0066.772] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0066.772] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0066.772] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0066.772] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0066.772] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0066.772] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml") returned 99 [0066.772] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0066.772] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.772] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0066.772] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.772] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.772] GetTickCount () returned 0x1151181 [0066.773] GetTickCount () returned 0x1151181 [0066.773] GetTickCount () returned 0x1151181 [0066.773] GetTickCount () returned 0x1151181 [0066.773] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.773] GetProcessHeap () returned 0x3a00000 [0066.773] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.773] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x504, lpOverlapped=0x0) returned 1 [0066.774] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffafc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.775] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x504, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x504, lpOverlapped=0x0) returned 1 [0066.775] GetProcessHeap () returned 0x3a00000 [0066.775] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.775] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.775] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.775] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.775] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.775] CloseHandle (hObject=0x438) returned 1 [0066.775] GetProcessHeap () returned 0x3a00000 [0066.775] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0066.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.780] GetProcessHeap () returned 0x3a00000 [0066.780] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.780] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ebc18d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0066.780] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0066.780] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0066.780] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0066.780] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0066.780] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0066.780] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml") returned 100 [0066.780] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0066.780] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.780] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0066.780] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.780] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0066.781] GetTickCount () returned 0x1151181 [0066.781] GetTickCount () returned 0x1151181 [0066.781] GetTickCount () returned 0x1151181 [0066.781] GetTickCount () returned 0x1151181 [0066.781] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0066.781] GetProcessHeap () returned 0x3a00000 [0066.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0066.781] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0066.782] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.782] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0066.782] GetProcessHeap () returned 0x3a00000 [0066.782] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0066.782] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.782] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0066.801] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0066.801] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0066.801] CloseHandle (hObject=0x438) returned 1 [0066.801] GetProcessHeap () returned 0x3a00000 [0066.801] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.801] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0066.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0066.802] GetProcessHeap () returned 0x3a00000 [0066.802] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0066.802] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0066.802] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0066.802] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0066.802] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0066.802] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0066.802] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0066.802] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned 85 [0066.802] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0066.802] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0066.802] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.802] GetProcessHeap () returned 0x3a00000 [0066.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0066.802] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*") returned 87 [0066.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0066.848] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.848] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.848] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.848] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.848] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.848] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\.") returned 87 [0066.848] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.849] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.849] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.849] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.849] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.849] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.849] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\..") returned 88 [0066.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.849] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0066.849] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0066.849] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0066.849] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0066.849] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0066.849] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0066.849] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned 93 [0066.849] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0066.849] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0066.849] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0066.849] GetProcessHeap () returned 0x3a00000 [0066.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0066.849] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*") returned 95 [0066.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0066.850] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0066.850] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0066.850] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0066.850] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0066.850] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0066.850] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\.") returned 95 [0066.850] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0066.850] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0066.850] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0066.850] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0066.850] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0066.850] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0066.850] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0066.850] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\..") returned 96 [0066.850] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0066.850] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0066.850] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e6fcbc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e6fcbc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Controls.provxml", cAlternateFileName="")) returned 1 [0066.850] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Windows") returned -1 [0066.850] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="$Recycle.bin") returned 1 [0066.850] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="System Volume Information") returned -1 [0066.850] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Program Files") returned -1 [0066.850] lstrcmpiW (lpString1="0__Power_Controls.provxml", lpString2="Program Files (x86)") returned -1 [0066.850] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml") returned 119 [0066.850] StrStrIW (lpFirst="0__Power_Controls.provxml", lpSrch=".ebal") returned 0x0 [0066.850] lstrcmpW (lpString1="0__Power_Controls.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.850] lstrcmpW (lpString1="0__Power_Controls.provxml", lpString2="taridd") returned -1 [0066.850] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.851] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0066.851] GetTickCount () returned 0x11511cf [0066.851] GetTickCount () returned 0x11511cf [0066.851] GetTickCount () returned 0x11511cf [0066.851] GetTickCount () returned 0x11511cf [0066.851] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0066.851] GetProcessHeap () returned 0x3a00000 [0066.851] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0066.851] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x168, lpOverlapped=0x0) returned 1 [0066.852] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.852] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x168, lpOverlapped=0x0) returned 1 [0066.852] GetProcessHeap () returned 0x3a00000 [0066.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0066.852] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0066.895] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0066.895] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0066.895] CloseHandle (hObject=0x440) returned 1 [0066.895] GetProcessHeap () returned 0x3a00000 [0066.895] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0066.895] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml_r00t_{8ew5f6}.ebal") returned 138 [0066.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\0__power_controls.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0066.896] GetProcessHeap () returned 0x3a00000 [0066.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0066.896] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml", cAlternateFileName="")) returned 1 [0066.896] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Windows") returned -1 [0066.896] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="$Recycle.bin") returned 1 [0066.896] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="System Volume Information") returned -1 [0066.896] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Program Files") returned -1 [0066.896] lstrcmpiW (lpString1="1__Power_Controls.provxml", lpString2="Program Files (x86)") returned -1 [0066.896] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml") returned 119 [0066.896] StrStrIW (lpFirst="1__Power_Controls.provxml", lpSrch=".ebal") returned 0x0 [0066.896] lstrcmpW (lpString1="1__Power_Controls.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0066.896] lstrcmpW (lpString1="1__Power_Controls.provxml", lpString2="taridd") returned -1 [0066.896] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0066.897] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0066.942] GetTickCount () returned 0x115122d [0066.942] GetTickCount () returned 0x115122d [0066.942] GetTickCount () returned 0x115122d [0066.942] GetTickCount () returned 0x115122d [0066.942] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0066.942] GetProcessHeap () returned 0x3a00000 [0066.942] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0066.942] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x168, lpOverlapped=0x0) returned 1 [0066.943] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0066.943] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x168, lpOverlapped=0x0) returned 1 [0066.944] GetProcessHeap () returned 0x3a00000 [0066.944] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0066.944] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.944] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.031] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.031] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.032] CloseHandle (hObject=0x440) returned 1 [0067.032] GetProcessHeap () returned 0x3a00000 [0067.032] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.032] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml_r00t_{8ew5f6}.ebal") returned 138 [0067.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\1__power_controls.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.032] GetProcessHeap () returned 0x3a00000 [0067.033] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.033] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x168, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml", cAlternateFileName="")) returned 0 [0067.033] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0067.033] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.033] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.033] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.034] CloseHandle (hObject=0x43c) returned 1 [0067.034] GetProcessHeap () returned 0x3a00000 [0067.034] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.034] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.034] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.034] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.034] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.034] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.034] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.034] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml") returned 97 [0067.034] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.034] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.034] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.034] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.034] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.035] GetTickCount () returned 0x115127b [0067.035] GetTickCount () returned 0x115127b [0067.035] GetTickCount () returned 0x115127b [0067.035] GetTickCount () returned 0x115127b [0067.035] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.035] GetProcessHeap () returned 0x3a00000 [0067.035] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.035] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x1ab, lpOverlapped=0x0) returned 1 [0067.036] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe55, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.036] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x1ab, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x1ab, lpOverlapped=0x0) returned 1 [0067.036] GetProcessHeap () returned 0x3a00000 [0067.036] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.036] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.036] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.040] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.041] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.041] CloseHandle (hObject=0x43c) returned 1 [0067.041] GetProcessHeap () returned 0x3a00000 [0067.041] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.041] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.041] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.041] GetProcessHeap () returned 0x3a00000 [0067.041] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.041] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e95f21, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.041] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0067.042] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.042] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.042] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.043] CloseHandle (hObject=0x438) returned 1 [0067.043] GetProcessHeap () returned 0x3a00000 [0067.043] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.043] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d139154, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d139154, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.043] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0067.043] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.043] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.047] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.047] CloseHandle (hObject=0x434) returned 1 [0067.047] GetProcessHeap () returned 0x3a00000 [0067.047] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.047] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0067.048] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Windows") returned -1 [0067.048] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="$Recycle.bin") returned 1 [0067.048] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="System Volume Information") returned -1 [0067.048] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files") returned -1 [0067.048] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files (x86)") returned -1 [0067.048] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 80 [0067.048] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2=".") returned 1 [0067.048] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="..") returned 1 [0067.048] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.048] GetProcessHeap () returned 0x3a00000 [0067.048] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.048] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*") returned 82 [0067.048] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0067.048] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.048] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.048] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.048] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.048] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.048] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\.") returned 82 [0067.048] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.048] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.048] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.048] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.049] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.049] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.049] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.049] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\..") returned 83 [0067.049] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.049] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.049] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540f90a7, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540f90a7, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x540f90a7, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcb9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.049] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.049] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.049] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.049] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.049] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.049] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml") returned 99 [0067.049] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.049] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.049] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.049] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.049] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.056] GetTickCount () returned 0x115129a [0067.056] GetTickCount () returned 0x115129a [0067.056] GetTickCount () returned 0x115129a [0067.056] GetTickCount () returned 0x115129a [0067.056] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.056] GetProcessHeap () returned 0x3a00000 [0067.056] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.056] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0xcb9, lpOverlapped=0x0) returned 1 [0067.057] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff347, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.057] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0xcb9, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0xcb9, lpOverlapped=0x0) returned 1 [0067.058] GetProcessHeap () returned 0x3a00000 [0067.058] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.058] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.058] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.058] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.058] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.058] CloseHandle (hObject=0x438) returned 1 [0067.058] GetProcessHeap () returned 0x3a00000 [0067.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.058] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.059] GetProcessHeap () returned 0x3a00000 [0067.059] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.059] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.059] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.059] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.059] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.059] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.059] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.059] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml") returned 100 [0067.059] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.059] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.059] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.059] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.060] GetTickCount () returned 0x115129a [0067.060] GetTickCount () returned 0x115129a [0067.060] GetTickCount () returned 0x115129a [0067.060] GetTickCount () returned 0x115129a [0067.060] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.060] GetProcessHeap () returned 0x3a00000 [0067.060] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.060] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.061] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.061] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.061] GetProcessHeap () returned 0x3a00000 [0067.061] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.061] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.061] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.062] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.062] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.062] CloseHandle (hObject=0x438) returned 1 [0067.062] GetProcessHeap () returned 0x3a00000 [0067.062] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.062] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.062] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.063] GetProcessHeap () returned 0x3a00000 [0067.063] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.063] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.063] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.063] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.063] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.063] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.063] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.063] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned 85 [0067.063] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.063] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.063] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.063] GetProcessHeap () returned 0x3a00000 [0067.063] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.063] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*") returned 87 [0067.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0067.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.064] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\.") returned 87 [0067.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.064] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.064] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.064] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\..") returned 88 [0067.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.064] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.064] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.064] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.064] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.064] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.064] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.064] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned 93 [0067.064] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.064] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.064] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.064] GetProcessHeap () returned 0x3a00000 [0067.064] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.064] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*") returned 95 [0067.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0067.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.065] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\.") returned 95 [0067.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.065] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.065] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\..") returned 96 [0067.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.065] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54060701, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0067.065] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.065] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.065] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.065] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.065] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.065] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.065] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.065] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.065] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.065] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.066] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.067] GetTickCount () returned 0x11512aa [0067.067] GetTickCount () returned 0x11512aa [0067.067] GetTickCount () returned 0x11512aa [0067.067] GetTickCount () returned 0x11512aa [0067.067] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.067] GetProcessHeap () returned 0x3a00000 [0067.067] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.067] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0xcdd, lpOverlapped=0x0) returned 1 [0067.068] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff323, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.068] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0xcdd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0xcdd, lpOverlapped=0x0) returned 1 [0067.069] GetProcessHeap () returned 0x3a00000 [0067.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.069] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.069] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.069] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.069] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.069] CloseHandle (hObject=0x440) returned 1 [0067.069] GetProcessHeap () returned 0x3a00000 [0067.069] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.069] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.069] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.070] GetProcessHeap () returned 0x3a00000 [0067.070] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.070] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54060701, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0067.070] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0067.070] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.070] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.070] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.071] CloseHandle (hObject=0x43c) returned 1 [0067.071] GetProcessHeap () returned 0x3a00000 [0067.071] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.071] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.071] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.071] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.071] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.071] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.071] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.071] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml") returned 97 [0067.071] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.071] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.071] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.071] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.071] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.072] GetTickCount () returned 0x11512aa [0067.072] GetTickCount () returned 0x11512aa [0067.072] GetTickCount () returned 0x11512aa [0067.072] GetTickCount () returned 0x11512aa [0067.072] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.072] GetProcessHeap () returned 0x3a00000 [0067.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.072] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.073] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.073] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.073] GetProcessHeap () returned 0x3a00000 [0067.073] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.073] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.073] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.074] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.074] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.074] CloseHandle (hObject=0x43c) returned 1 [0067.074] GetProcessHeap () returned 0x3a00000 [0067.074] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.074] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.074] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.075] GetProcessHeap () returned 0x3a00000 [0067.075] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.075] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5408696e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.075] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0067.075] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.075] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.075] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.076] CloseHandle (hObject=0x438) returned 1 [0067.076] GetProcessHeap () returned 0x3a00000 [0067.076] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.076] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.076] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0067.076] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.078] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.079] CloseHandle (hObject=0x434) returned 1 [0067.079] GetProcessHeap () returned 0x3a00000 [0067.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.079] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", cAlternateFileName="{268C4~1")) returned 1 [0067.079] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Windows") returned -1 [0067.079] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="$Recycle.bin") returned 1 [0067.079] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="System Volume Information") returned -1 [0067.079] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files") returned -1 [0067.079] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files (x86)") returned -1 [0067.079] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}") returned 80 [0067.079] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2=".") returned 1 [0067.079] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="..") returned 1 [0067.079] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.079] GetProcessHeap () returned 0x3a00000 [0067.079] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.079] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*") returned 82 [0067.079] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0067.080] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.080] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.080] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\.") returned 82 [0067.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.080] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.080] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\..") returned 83 [0067.080] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.080] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.080] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e3557c, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x65f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.080] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.080] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.080] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.080] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.080] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.080] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml") returned 99 [0067.080] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.080] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.081] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.081] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.081] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.081] GetTickCount () returned 0x11512aa [0067.081] GetTickCount () returned 0x11512aa [0067.081] GetTickCount () returned 0x11512aa [0067.081] GetTickCount () returned 0x11512aa [0067.081] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.081] GetProcessHeap () returned 0x3a00000 [0067.081] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.081] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x65f, lpOverlapped=0x0) returned 1 [0067.083] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff9a1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.083] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x65f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x65f, lpOverlapped=0x0) returned 1 [0067.083] GetProcessHeap () returned 0x3a00000 [0067.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.083] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.084] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.084] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.084] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.084] CloseHandle (hObject=0x438) returned 1 [0067.084] GetProcessHeap () returned 0x3a00000 [0067.084] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.084] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.084] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.085] GetProcessHeap () returned 0x3a00000 [0067.085] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.085] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.085] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.085] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.085] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.085] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.085] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.085] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml") returned 100 [0067.085] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.085] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.085] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.085] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.085] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.085] GetTickCount () returned 0x11512b9 [0067.086] GetTickCount () returned 0x11512b9 [0067.086] GetTickCount () returned 0x11512b9 [0067.086] GetTickCount () returned 0x11512b9 [0067.086] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.086] GetProcessHeap () returned 0x3a00000 [0067.086] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.086] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.087] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.087] GetProcessHeap () returned 0x3a00000 [0067.087] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.087] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.087] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.088] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.088] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.089] CloseHandle (hObject=0x438) returned 1 [0067.089] GetProcessHeap () returned 0x3a00000 [0067.089] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.089] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.089] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.089] GetProcessHeap () returned 0x3a00000 [0067.089] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.089] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.089] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.089] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.090] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.090] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.090] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.090] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov") returned 85 [0067.090] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.090] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.090] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.090] GetProcessHeap () returned 0x3a00000 [0067.090] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.090] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*") returned 87 [0067.090] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0067.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.091] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.091] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.091] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\.") returned 87 [0067.091] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.091] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.091] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.091] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.091] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.091] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.091] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.091] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\..") returned 88 [0067.091] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.091] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.091] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.091] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.091] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.092] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.092] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.092] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.092] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime") returned 93 [0067.092] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.092] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.092] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.092] GetProcessHeap () returned 0x3a00000 [0067.092] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.092] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*") returned 95 [0067.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0067.092] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.092] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.092] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.092] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\.") returned 95 [0067.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.093] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.093] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.093] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.093] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.093] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.093] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.093] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\..") returned 96 [0067.093] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.093] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.093] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x3a7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0067.093] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.093] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.093] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.093] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.093] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.093] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.093] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.093] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.093] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.093] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.093] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.094] GetTickCount () returned 0x11512b9 [0067.094] GetTickCount () returned 0x11512b9 [0067.094] GetTickCount () returned 0x11512b9 [0067.094] GetTickCount () returned 0x11512b9 [0067.094] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.094] GetProcessHeap () returned 0x3a00000 [0067.094] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.094] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x3a7, lpOverlapped=0x0) returned 1 [0067.122] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc59, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.122] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x3a7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x3a7, lpOverlapped=0x0) returned 1 [0067.122] GetProcessHeap () returned 0x3a00000 [0067.122] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.122] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.122] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.122] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.122] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.123] CloseHandle (hObject=0x440) returned 1 [0067.123] GetProcessHeap () returned 0x3a00000 [0067.123] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.123] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.124] GetProcessHeap () returned 0x3a00000 [0067.124] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.124] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x3a7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0067.124] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0067.124] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.124] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.125] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.126] CloseHandle (hObject=0x43c) returned 1 [0067.126] GetProcessHeap () returned 0x3a00000 [0067.126] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.126] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.126] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.126] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.126] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.126] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.126] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.126] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml") returned 97 [0067.126] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.127] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.127] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.127] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.127] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.127] GetTickCount () returned 0x11512d8 [0067.127] GetTickCount () returned 0x11512d8 [0067.127] GetTickCount () returned 0x11512d8 [0067.127] GetTickCount () returned 0x11512d8 [0067.127] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.127] GetProcessHeap () returned 0x3a00000 [0067.127] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.127] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x1ac, lpOverlapped=0x0) returned 1 [0067.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe54, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.129] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x1ac, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x1ac, lpOverlapped=0x0) returned 1 [0067.129] GetProcessHeap () returned 0x3a00000 [0067.129] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.129] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.130] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.130] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.130] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.131] CloseHandle (hObject=0x43c) returned 1 [0067.131] GetProcessHeap () returned 0x3a00000 [0067.131] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.131] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.131] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.131] GetProcessHeap () returned 0x3a00000 [0067.132] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.132] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53de90cb, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.132] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0067.132] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.132] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.132] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.133] CloseHandle (hObject=0x438) returned 1 [0067.133] GetProcessHeap () returned 0x3a00000 [0067.133] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.133] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d26a2f7, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d26a2f7, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.134] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0067.134] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.134] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.136] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.137] CloseHandle (hObject=0x434) returned 1 [0067.137] GetProcessHeap () returned 0x3a00000 [0067.137] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.137] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", cAlternateFileName="{33D78~1")) returned 1 [0067.137] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Windows") returned -1 [0067.137] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="$Recycle.bin") returned 1 [0067.137] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="System Volume Information") returned -1 [0067.137] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files") returned -1 [0067.137] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files (x86)") returned -1 [0067.137] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}") returned 80 [0067.137] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2=".") returned 1 [0067.137] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="..") returned 1 [0067.137] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.137] GetProcessHeap () returned 0x3a00000 [0067.137] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.137] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*") returned 82 [0067.137] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0067.138] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.138] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.138] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.138] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.138] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.138] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\.") returned 82 [0067.138] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.138] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.138] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.138] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.138] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.138] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.138] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.138] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\..") returned 83 [0067.138] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.139] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.139] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef7d10, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.139] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.139] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.139] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.139] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.139] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.139] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml") returned 99 [0067.139] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.139] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.139] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.139] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.139] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.139] GetTickCount () returned 0x11512e8 [0067.139] GetTickCount () returned 0x11512e8 [0067.139] GetTickCount () returned 0x11512e8 [0067.139] GetTickCount () returned 0x11512e8 [0067.139] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.139] GetProcessHeap () returned 0x3a00000 [0067.139] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.139] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x59f, lpOverlapped=0x0) returned 1 [0067.141] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffa61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.141] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x59f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x59f, lpOverlapped=0x0) returned 1 [0067.141] GetProcessHeap () returned 0x3a00000 [0067.141] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.141] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.141] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.141] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.141] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.141] CloseHandle (hObject=0x438) returned 1 [0067.141] GetProcessHeap () returned 0x3a00000 [0067.141] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.141] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.142] GetProcessHeap () returned 0x3a00000 [0067.142] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.142] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.142] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.142] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.142] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.142] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.142] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.142] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml") returned 100 [0067.142] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.142] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.142] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.142] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.142] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.143] GetTickCount () returned 0x11512e8 [0067.143] GetTickCount () returned 0x11512e8 [0067.143] GetTickCount () returned 0x11512e8 [0067.143] GetTickCount () returned 0x11512e8 [0067.143] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.143] GetProcessHeap () returned 0x3a00000 [0067.143] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.143] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.144] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.144] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.144] GetProcessHeap () returned 0x3a00000 [0067.144] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.144] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.144] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.145] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.145] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.145] CloseHandle (hObject=0x438) returned 1 [0067.146] GetProcessHeap () returned 0x3a00000 [0067.146] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.146] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.146] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.146] GetProcessHeap () returned 0x3a00000 [0067.146] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.146] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.146] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.146] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.146] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.146] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.146] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.146] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov") returned 85 [0067.146] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.146] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.146] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.146] GetProcessHeap () returned 0x3a00000 [0067.146] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.147] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*") returned 87 [0067.147] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0067.147] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.147] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.147] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.147] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.147] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.147] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\.") returned 87 [0067.147] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.147] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.147] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.148] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.148] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.148] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.148] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.148] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\..") returned 88 [0067.148] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.148] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.148] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.148] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.148] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.148] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.148] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.148] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.148] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime") returned 93 [0067.148] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.148] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.148] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.148] GetProcessHeap () returned 0x3a00000 [0067.148] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.148] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*") returned 95 [0067.148] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0067.148] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.148] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.148] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.148] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.148] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.148] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\.") returned 95 [0067.148] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.149] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.149] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.149] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.149] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.149] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.149] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.149] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\..") returned 96 [0067.149] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.149] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.149] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53eab83a, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0067.149] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.149] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.149] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.149] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.149] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.149] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.149] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.149] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.149] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.149] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.149] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.149] GetTickCount () returned 0x11512f8 [0067.149] GetTickCount () returned 0x11512f8 [0067.149] GetTickCount () returned 0x11512f8 [0067.149] GetTickCount () returned 0x11512f8 [0067.149] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.150] GetProcessHeap () returned 0x3a00000 [0067.150] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.150] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x360, lpOverlapped=0x0) returned 1 [0067.151] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.151] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x360, lpOverlapped=0x0) returned 1 [0067.151] GetProcessHeap () returned 0x3a00000 [0067.151] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.151] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.151] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.151] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.151] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.152] CloseHandle (hObject=0x440) returned 1 [0067.152] GetProcessHeap () returned 0x3a00000 [0067.152] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.152] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.152] GetProcessHeap () returned 0x3a00000 [0067.152] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.152] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53eab83a, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0067.152] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0067.152] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.152] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.153] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.154] CloseHandle (hObject=0x43c) returned 1 [0067.154] GetProcessHeap () returned 0x3a00000 [0067.154] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.154] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.154] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.154] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.154] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.154] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.154] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.154] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml") returned 97 [0067.154] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.154] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.154] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.154] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.154] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.154] GetTickCount () returned 0x11512f8 [0067.154] GetTickCount () returned 0x11512f8 [0067.154] GetTickCount () returned 0x11512f8 [0067.154] GetTickCount () returned 0x11512f8 [0067.154] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.154] GetProcessHeap () returned 0x3a00000 [0067.154] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.155] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.155] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.155] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.156] GetProcessHeap () returned 0x3a00000 [0067.156] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.156] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.156] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.156] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.157] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.157] CloseHandle (hObject=0x43c) returned 1 [0067.157] GetProcessHeap () returned 0x3a00000 [0067.157] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.157] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.157] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.157] GetProcessHeap () returned 0x3a00000 [0067.157] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.157] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ed1a9f, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.157] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0067.157] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.180] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.181] CloseHandle (hObject=0x438) returned 1 [0067.181] GetProcessHeap () returned 0x3a00000 [0067.181] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.181] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.181] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0067.182] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.182] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.184] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.184] CloseHandle (hObject=0x434) returned 1 [0067.185] GetProcessHeap () returned 0x3a00000 [0067.185] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.185] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0067.185] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Windows") returned -1 [0067.185] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="$Recycle.bin") returned 1 [0067.185] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="System Volume Information") returned -1 [0067.185] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files") returned -1 [0067.185] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files (x86)") returned -1 [0067.185] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 80 [0067.185] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2=".") returned 1 [0067.185] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="..") returned 1 [0067.185] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.185] GetProcessHeap () returned 0x3a00000 [0067.185] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.185] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*") returned 82 [0067.185] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0067.187] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.187] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.187] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.187] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.187] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.187] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\.") returned 82 [0067.187] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.187] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.187] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.187] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.187] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.187] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.187] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.187] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\..") returned 83 [0067.187] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.187] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.187] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410e9a1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410e9a1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54134c0b, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1144, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0067.187] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.187] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.187] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.187] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.187] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.187] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml") returned 99 [0067.188] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.188] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.188] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.188] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.188] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.188] GetTickCount () returned 0x1151317 [0067.188] GetTickCount () returned 0x1151317 [0067.188] GetTickCount () returned 0x1151317 [0067.188] GetTickCount () returned 0x1151317 [0067.188] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.189] GetProcessHeap () returned 0x3a00000 [0067.189] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.189] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x1144, lpOverlapped=0x0) returned 1 [0067.190] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffeebc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.190] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x1144, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x1144, lpOverlapped=0x0) returned 1 [0067.190] GetProcessHeap () returned 0x3a00000 [0067.190] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.190] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.190] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.190] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.191] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.191] CloseHandle (hObject=0x438) returned 1 [0067.191] GetProcessHeap () returned 0x3a00000 [0067.191] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.191] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.191] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.191] GetProcessHeap () returned 0x3a00000 [0067.191] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.191] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540c24cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540c24cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x540c24cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.191] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.192] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.192] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.192] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.192] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.192] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml") returned 100 [0067.192] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.192] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.192] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.192] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.192] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.192] GetTickCount () returned 0x1151327 [0067.192] GetTickCount () returned 0x1151327 [0067.192] GetTickCount () returned 0x1151327 [0067.192] GetTickCount () returned 0x1151327 [0067.192] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.193] GetProcessHeap () returned 0x3a00000 [0067.193] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.193] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.193] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.194] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.194] GetProcessHeap () returned 0x3a00000 [0067.194] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.194] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.194] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.195] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.195] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.195] CloseHandle (hObject=0x438) returned 1 [0067.195] GetProcessHeap () returned 0x3a00000 [0067.195] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.195] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.195] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.195] GetProcessHeap () returned 0x3a00000 [0067.195] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.195] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.195] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.195] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.195] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.196] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.196] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.196] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned 85 [0067.196] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.196] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.196] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.196] GetProcessHeap () returned 0x3a00000 [0067.196] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.196] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*") returned 87 [0067.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0067.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.196] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.196] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.196] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.196] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.196] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\.") returned 87 [0067.196] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.196] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.196] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.196] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.196] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.196] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.196] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.196] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\..") returned 88 [0067.196] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.196] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.196] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.196] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.196] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.197] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.197] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.197] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.197] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned 93 [0067.197] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.197] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.197] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.197] GetProcessHeap () returned 0x3a00000 [0067.197] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.197] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*") returned 95 [0067.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0067.197] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.197] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.197] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.197] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.197] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.197] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\.") returned 95 [0067.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.197] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.197] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.197] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.197] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\..") returned 96 [0067.197] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.197] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.197] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54075ff8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54075ff8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x720, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 1 [0067.198] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.198] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.198] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.198] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.198] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.198] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.198] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.198] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.198] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.198] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.198] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.198] GetTickCount () returned 0x1151327 [0067.198] GetTickCount () returned 0x1151327 [0067.198] GetTickCount () returned 0x1151327 [0067.198] GetTickCount () returned 0x1151327 [0067.198] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.198] GetProcessHeap () returned 0x3a00000 [0067.198] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.198] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x720, lpOverlapped=0x0) returned 1 [0067.200] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff8e0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.200] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x720, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x720, lpOverlapped=0x0) returned 1 [0067.200] GetProcessHeap () returned 0x3a00000 [0067.200] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.200] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.200] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.200] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.200] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.200] CloseHandle (hObject=0x440) returned 1 [0067.200] GetProcessHeap () returned 0x3a00000 [0067.200] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.200] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.200] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.201] GetProcessHeap () returned 0x3a00000 [0067.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.201] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="1__POW~1.PRO")) returned 1 [0067.201] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.201] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.201] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.201] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.201] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.201] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml") returned 117 [0067.201] StrStrIW (lpFirst="1__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.201] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.201] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.201] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.202] GetTickCount () returned 0x1151327 [0067.202] GetTickCount () returned 0x1151327 [0067.202] GetTickCount () returned 0x1151327 [0067.202] GetTickCount () returned 0x1151327 [0067.202] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.202] GetProcessHeap () returned 0x3a00000 [0067.202] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.202] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x905, lpOverlapped=0x0) returned 1 [0067.203] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff6fb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.203] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x905, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x905, lpOverlapped=0x0) returned 1 [0067.203] GetProcessHeap () returned 0x3a00000 [0067.203] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.203] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.203] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.203] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.204] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.204] CloseHandle (hObject=0x440) returned 1 [0067.204] GetProcessHeap () returned 0x3a00000 [0067.204] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.204] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\1__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.204] GetProcessHeap () returned 0x3a00000 [0067.204] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.204] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x905, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="1__POW~1.PRO")) returned 0 [0067.204] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0067.204] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.204] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.206] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.208] CloseHandle (hObject=0x43c) returned 1 [0067.208] GetProcessHeap () returned 0x3a00000 [0067.208] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.208] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x257, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.208] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.208] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.208] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.208] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.208] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.208] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml") returned 97 [0067.208] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.208] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.208] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.208] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.208] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.208] GetTickCount () returned 0x1151336 [0067.208] GetTickCount () returned 0x1151336 [0067.208] GetTickCount () returned 0x1151336 [0067.208] GetTickCount () returned 0x1151336 [0067.209] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.209] GetProcessHeap () returned 0x3a00000 [0067.209] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.209] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x257, lpOverlapped=0x0) returned 1 [0067.210] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffda9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.210] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x257, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x257, lpOverlapped=0x0) returned 1 [0067.210] GetProcessHeap () returned 0x3a00000 [0067.210] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.210] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.210] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.211] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.211] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.211] CloseHandle (hObject=0x43c) returned 1 [0067.211] GetProcessHeap () returned 0x3a00000 [0067.211] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.211] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.211] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.211] GetProcessHeap () returned 0x3a00000 [0067.211] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.211] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5409c262, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x257, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.211] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0067.214] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.214] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.215] CloseHandle (hObject=0x438) returned 1 [0067.215] GetProcessHeap () returned 0x3a00000 [0067.215] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.215] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.215] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0067.216] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.216] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.217] CloseHandle (hObject=0x434) returned 1 [0067.217] GetProcessHeap () returned 0x3a00000 [0067.217] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.217] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0067.217] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Windows") returned -1 [0067.217] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="$Recycle.bin") returned 1 [0067.217] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="System Volume Information") returned -1 [0067.217] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files") returned -1 [0067.217] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files (x86)") returned -1 [0067.217] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 80 [0067.218] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2=".") returned 1 [0067.218] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="..") returned 1 [0067.218] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.218] GetProcessHeap () returned 0x3a00000 [0067.218] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*") returned 82 [0067.218] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0067.218] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.218] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.218] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.218] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.218] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\.") returned 82 [0067.218] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.218] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.218] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.218] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.218] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.218] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.218] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\..") returned 83 [0067.218] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.218] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.218] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fff1c4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fff1c4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fff1c4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x13d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.218] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.218] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.218] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.218] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.219] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.219] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml") returned 99 [0067.219] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.219] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.219] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.219] GetTickCount () returned 0x1151336 [0067.219] GetTickCount () returned 0x1151336 [0067.219] GetTickCount () returned 0x1151336 [0067.219] GetTickCount () returned 0x1151336 [0067.219] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.219] GetProcessHeap () returned 0x3a00000 [0067.219] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.219] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x13d8, lpOverlapped=0x0) returned 1 [0067.230] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffec28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.230] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x13d8, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x13d8, lpOverlapped=0x0) returned 1 [0067.230] GetProcessHeap () returned 0x3a00000 [0067.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.230] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.230] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.230] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.231] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.231] CloseHandle (hObject=0x438) returned 1 [0067.231] GetProcessHeap () returned 0x3a00000 [0067.231] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.231] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.231] GetProcessHeap () returned 0x3a00000 [0067.231] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.231] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8cab3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8cab3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f8cab3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.231] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.231] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.231] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.231] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.232] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.232] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml") returned 100 [0067.232] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.232] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.232] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.232] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.232] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.232] GetTickCount () returned 0x1151346 [0067.232] GetTickCount () returned 0x1151346 [0067.232] GetTickCount () returned 0x1151346 [0067.232] GetTickCount () returned 0x1151346 [0067.232] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.232] GetProcessHeap () returned 0x3a00000 [0067.232] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.232] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.233] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.233] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.233] GetProcessHeap () returned 0x3a00000 [0067.233] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.233] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.233] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.235] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.235] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.235] CloseHandle (hObject=0x438) returned 1 [0067.235] GetProcessHeap () returned 0x3a00000 [0067.235] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.235] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.235] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.236] GetProcessHeap () returned 0x3a00000 [0067.236] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.236] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.236] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.236] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.236] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.236] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.236] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.236] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned 85 [0067.236] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.236] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.236] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.236] GetProcessHeap () returned 0x3a00000 [0067.236] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.236] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*") returned 87 [0067.236] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0067.237] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.237] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.237] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.237] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.237] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.237] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\.") returned 87 [0067.237] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.237] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.237] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.237] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.237] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.237] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.237] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.237] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\..") returned 88 [0067.237] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.237] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.237] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.237] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.237] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.237] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.237] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.238] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.238] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned 93 [0067.238] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.238] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.238] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.238] GetProcessHeap () returned 0x3a00000 [0067.238] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.238] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*") returned 95 [0067.238] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0067.238] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.238] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.238] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.238] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.238] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.238] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\.") returned 95 [0067.238] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.238] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.240] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.240] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.240] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.240] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.240] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.240] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\..") returned 96 [0067.240] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.240] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.240] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f405fa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f405fa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xcec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0067.240] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.240] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.240] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.240] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.240] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.240] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.240] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.240] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.240] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.240] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.240] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.241] GetTickCount () returned 0x1151355 [0067.241] GetTickCount () returned 0x1151355 [0067.241] GetTickCount () returned 0x1151355 [0067.241] GetTickCount () returned 0x1151355 [0067.241] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.241] GetProcessHeap () returned 0x3a00000 [0067.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.241] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0xcec, lpOverlapped=0x0) returned 1 [0067.242] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff314, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.242] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0xcec, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0xcec, lpOverlapped=0x0) returned 1 [0067.242] GetProcessHeap () returned 0x3a00000 [0067.242] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.242] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.242] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.242] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.243] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.243] CloseHandle (hObject=0x440) returned 1 [0067.243] GetProcessHeap () returned 0x3a00000 [0067.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.243] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.243] GetProcessHeap () returned 0x3a00000 [0067.244] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.244] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0067.244] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.244] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.244] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.244] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.244] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.244] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml") returned 117 [0067.244] StrStrIW (lpFirst="1__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.244] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.244] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.244] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.244] GetTickCount () returned 0x1151355 [0067.244] GetTickCount () returned 0x1151355 [0067.244] GetTickCount () returned 0x1151355 [0067.244] GetTickCount () returned 0x1151355 [0067.244] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.244] GetProcessHeap () returned 0x3a00000 [0067.244] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.244] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x716, lpOverlapped=0x0) returned 1 [0067.246] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff8ea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.246] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x716, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x716, lpOverlapped=0x0) returned 1 [0067.246] GetProcessHeap () returned 0x3a00000 [0067.246] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.246] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.246] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.246] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.246] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.246] CloseHandle (hObject=0x440) returned 1 [0067.246] GetProcessHeap () returned 0x3a00000 [0067.246] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.246] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\1__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.247] GetProcessHeap () returned 0x3a00000 [0067.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.247] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x716, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0067.247] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0067.247] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.251] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.252] CloseHandle (hObject=0x43c) returned 1 [0067.252] GetProcessHeap () returned 0x3a00000 [0067.252] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.252] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x23f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.252] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.252] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.252] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.252] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.252] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.252] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml") returned 97 [0067.252] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.252] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.252] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.252] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.252] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.252] GetTickCount () returned 0x1151355 [0067.253] GetTickCount () returned 0x1151355 [0067.253] GetTickCount () returned 0x1151355 [0067.253] GetTickCount () returned 0x1151355 [0067.253] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.253] GetProcessHeap () returned 0x3a00000 [0067.253] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.253] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x23f, lpOverlapped=0x0) returned 1 [0067.254] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffdc1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.254] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x23f, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x23f, lpOverlapped=0x0) returned 1 [0067.254] GetProcessHeap () returned 0x3a00000 [0067.254] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.254] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.255] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.255] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.255] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.256] CloseHandle (hObject=0x43c) returned 1 [0067.256] GetProcessHeap () returned 0x3a00000 [0067.256] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.256] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.256] GetProcessHeap () returned 0x3a00000 [0067.256] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.256] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66853, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x23f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.256] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0067.256] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.257] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.258] CloseHandle (hObject=0x438) returned 1 [0067.258] GetProcessHeap () returned 0x3a00000 [0067.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.258] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1d195e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1d195e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.258] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0067.258] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.260] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.261] CloseHandle (hObject=0x434) returned 1 [0067.261] GetProcessHeap () returned 0x3a00000 [0067.261] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.261] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", cAlternateFileName="{8D196~1")) returned 1 [0067.261] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Windows") returned -1 [0067.261] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="$Recycle.bin") returned 1 [0067.261] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="System Volume Information") returned -1 [0067.261] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files") returned -1 [0067.261] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files (x86)") returned -1 [0067.261] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}") returned 80 [0067.261] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2=".") returned 1 [0067.261] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="..") returned 1 [0067.261] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.261] GetProcessHeap () returned 0x3a00000 [0067.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.261] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*") returned 82 [0067.261] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0067.262] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.262] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.262] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.262] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.263] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\.") returned 82 [0067.263] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.263] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.263] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.263] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.263] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.263] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.263] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\..") returned 83 [0067.263] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.263] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.263] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f19b66, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.263] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.263] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.263] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.263] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.263] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml") returned 99 [0067.263] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.263] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.263] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.263] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.263] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.264] GetTickCount () returned 0x1151365 [0067.264] GetTickCount () returned 0x1151365 [0067.264] GetTickCount () returned 0x1151365 [0067.264] GetTickCount () returned 0x1151365 [0067.264] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.264] GetProcessHeap () returned 0x3a00000 [0067.264] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.264] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x34d, lpOverlapped=0x0) returned 1 [0067.279] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.279] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x34d, lpOverlapped=0x0) returned 1 [0067.279] GetProcessHeap () returned 0x3a00000 [0067.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.279] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.279] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.279] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.279] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.279] CloseHandle (hObject=0x438) returned 1 [0067.279] GetProcessHeap () returned 0x3a00000 [0067.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.280] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.280] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.280] GetProcessHeap () returned 0x3a00000 [0067.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.280] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.280] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.280] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.280] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.280] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.280] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.281] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml") returned 100 [0067.281] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.281] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.281] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.281] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.281] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.282] GetTickCount () returned 0x1151375 [0067.282] GetTickCount () returned 0x1151375 [0067.282] GetTickCount () returned 0x1151375 [0067.282] GetTickCount () returned 0x1151375 [0067.282] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.282] GetProcessHeap () returned 0x3a00000 [0067.282] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.282] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.283] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.283] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.283] GetProcessHeap () returned 0x3a00000 [0067.283] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.283] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.283] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.284] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.284] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.284] CloseHandle (hObject=0x438) returned 1 [0067.284] GetProcessHeap () returned 0x3a00000 [0067.284] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.284] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.284] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.285] GetProcessHeap () returned 0x3a00000 [0067.285] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.285] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.285] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.285] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.285] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.285] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.285] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.285] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov") returned 85 [0067.285] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.285] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.285] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.285] GetProcessHeap () returned 0x3a00000 [0067.285] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.285] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*") returned 87 [0067.285] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0067.285] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.285] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.285] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.285] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.285] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.285] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\.") returned 87 [0067.285] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.285] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.286] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.286] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\..") returned 88 [0067.286] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.286] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.286] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.286] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.286] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.286] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime") returned 93 [0067.286] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.286] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.286] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.286] GetProcessHeap () returned 0x3a00000 [0067.286] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.286] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*") returned 95 [0067.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0067.286] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.286] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.286] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.286] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\.") returned 95 [0067.286] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.287] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.287] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.287] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.287] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.287] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\..") returned 96 [0067.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.287] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ecd6b4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.287] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.287] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.287] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.287] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.287] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.287] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.287] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.287] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.287] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.287] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.288] GetTickCount () returned 0x1151384 [0067.288] GetTickCount () returned 0x1151384 [0067.288] GetTickCount () returned 0x1151384 [0067.288] GetTickCount () returned 0x1151384 [0067.288] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.288] GetProcessHeap () returned 0x3a00000 [0067.288] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.288] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x1cf, lpOverlapped=0x0) returned 1 [0067.289] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.289] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x1cf, lpOverlapped=0x0) returned 1 [0067.289] GetProcessHeap () returned 0x3a00000 [0067.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.289] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.289] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.291] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.291] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.291] CloseHandle (hObject=0x440) returned 1 [0067.291] GetProcessHeap () returned 0x3a00000 [0067.291] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.291] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.292] GetProcessHeap () returned 0x3a00000 [0067.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.292] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ecd6b4, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.292] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0067.292] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.292] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.293] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.293] CloseHandle (hObject=0x43c) returned 1 [0067.293] GetProcessHeap () returned 0x3a00000 [0067.294] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.294] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.294] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.294] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.294] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.294] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.294] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.294] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml") returned 97 [0067.294] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.294] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.294] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.294] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.294] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.294] GetTickCount () returned 0x1151384 [0067.294] GetTickCount () returned 0x1151384 [0067.294] GetTickCount () returned 0x1151384 [0067.294] GetTickCount () returned 0x1151384 [0067.294] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.294] GetProcessHeap () returned 0x3a00000 [0067.294] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.294] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x102, lpOverlapped=0x0) returned 1 [0067.296] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.296] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x102, lpOverlapped=0x0) returned 1 [0067.296] GetProcessHeap () returned 0x3a00000 [0067.296] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.296] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.296] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.305] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.305] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.305] CloseHandle (hObject=0x43c) returned 1 [0067.305] GetProcessHeap () returned 0x3a00000 [0067.305] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.305] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.305] GetProcessHeap () returned 0x3a00000 [0067.306] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.306] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53ef390d, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.306] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0067.306] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.306] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.307] CloseHandle (hObject=0x438) returned 1 [0067.307] GetProcessHeap () returned 0x3a00000 [0067.307] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.307] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.307] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0067.307] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.307] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.309] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.310] CloseHandle (hObject=0x434) returned 1 [0067.310] GetProcessHeap () returned 0x3a00000 [0067.310] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.310] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0067.310] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Windows") returned -1 [0067.310] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="$Recycle.bin") returned 1 [0067.310] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="System Volume Information") returned -1 [0067.310] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files") returned -1 [0067.310] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files (x86)") returned -1 [0067.310] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 80 [0067.310] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2=".") returned 1 [0067.310] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="..") returned 1 [0067.310] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.310] GetProcessHeap () returned 0x3a00000 [0067.310] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.310] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*") returned 82 [0067.310] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0067.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.311] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\.") returned 82 [0067.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.311] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.311] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.311] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.311] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.311] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.311] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\..") returned 83 [0067.311] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.311] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fedfc8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fedfc8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fedfc8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x380, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.311] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.311] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.311] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.311] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.311] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.311] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml") returned 99 [0067.311] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.311] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.311] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.311] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.312] GetTickCount () returned 0x1151394 [0067.312] GetTickCount () returned 0x1151394 [0067.312] GetTickCount () returned 0x1151394 [0067.312] GetTickCount () returned 0x1151394 [0067.312] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.312] GetProcessHeap () returned 0x3a00000 [0067.312] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.312] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x380, lpOverlapped=0x0) returned 1 [0067.313] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffc80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.313] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x380, lpOverlapped=0x0) returned 1 [0067.314] GetProcessHeap () returned 0x3a00000 [0067.314] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.314] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.314] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.314] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.314] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.314] CloseHandle (hObject=0x438) returned 1 [0067.314] GetProcessHeap () returned 0x3a00000 [0067.314] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.314] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.315] GetProcessHeap () returned 0x3a00000 [0067.315] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.315] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.315] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.315] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.315] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.315] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.315] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.315] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml") returned 100 [0067.315] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.315] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.315] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.315] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.315] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.315] GetTickCount () returned 0x1151394 [0067.315] GetTickCount () returned 0x1151394 [0067.315] GetTickCount () returned 0x1151394 [0067.315] GetTickCount () returned 0x1151394 [0067.315] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.316] GetProcessHeap () returned 0x3a00000 [0067.316] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.316] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.317] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.317] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.317] GetProcessHeap () returned 0x3a00000 [0067.317] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.317] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.317] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.318] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.318] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.318] CloseHandle (hObject=0x438) returned 1 [0067.318] GetProcessHeap () returned 0x3a00000 [0067.318] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.319] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.319] GetProcessHeap () returned 0x3a00000 [0067.319] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.319] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.319] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.319] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.319] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.319] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.319] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.319] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned 85 [0067.319] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.319] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.319] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.319] GetProcessHeap () returned 0x3a00000 [0067.319] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.319] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*") returned 87 [0067.319] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0067.320] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.320] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.320] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.320] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.320] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.320] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\.") returned 87 [0067.320] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.320] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.320] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.320] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.321] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.321] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.321] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.321] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\..") returned 88 [0067.321] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.321] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.321] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.321] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.321] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.321] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.321] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.321] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.321] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned 93 [0067.321] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.321] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.321] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.321] GetProcessHeap () returned 0x3a00000 [0067.321] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.321] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*") returned 95 [0067.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0067.321] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.321] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.321] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.321] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.321] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.321] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\.") returned 95 [0067.321] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.321] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.322] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.322] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.322] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.322] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.322] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.322] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\..") returned 96 [0067.322] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.322] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.322] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.322] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.322] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.322] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.322] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.322] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.322] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.322] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.322] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.322] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.322] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.322] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.322] GetTickCount () returned 0x11513a4 [0067.322] GetTickCount () returned 0x11513a4 [0067.322] GetTickCount () returned 0x11513a4 [0067.322] GetTickCount () returned 0x11513a4 [0067.322] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.323] GetProcessHeap () returned 0x3a00000 [0067.323] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.323] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x21b, lpOverlapped=0x0) returned 1 [0067.332] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffde5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.332] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x21b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x21b, lpOverlapped=0x0) returned 1 [0067.333] GetProcessHeap () returned 0x3a00000 [0067.333] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.333] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.333] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.334] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.334] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.334] CloseHandle (hObject=0x440) returned 1 [0067.334] GetProcessHeap () returned 0x3a00000 [0067.334] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.334] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.334] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.335] GetProcessHeap () returned 0x3a00000 [0067.335] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.335] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x21b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.335] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0067.335] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.335] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.336] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.336] CloseHandle (hObject=0x43c) returned 1 [0067.336] GetProcessHeap () returned 0x3a00000 [0067.336] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.337] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.337] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.337] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.337] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.337] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.337] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.337] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml") returned 97 [0067.337] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.337] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.337] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.337] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.337] GetTickCount () returned 0x11513b3 [0067.337] GetTickCount () returned 0x11513b3 [0067.337] GetTickCount () returned 0x11513b3 [0067.337] GetTickCount () returned 0x11513b3 [0067.337] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.337] GetProcessHeap () returned 0x3a00000 [0067.337] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.337] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x102, lpOverlapped=0x0) returned 1 [0067.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffefe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.339] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x102, lpOverlapped=0x0) returned 1 [0067.339] GetProcessHeap () returned 0x3a00000 [0067.339] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.339] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.339] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.340] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.342] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.342] CloseHandle (hObject=0x43c) returned 1 [0067.342] GetProcessHeap () returned 0x3a00000 [0067.342] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.342] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.342] GetProcessHeap () returned 0x3a00000 [0067.342] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.342] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x102, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.343] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0067.343] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.343] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.343] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.344] CloseHandle (hObject=0x438) returned 1 [0067.344] GetProcessHeap () returned 0x3a00000 [0067.344] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.344] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.344] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0067.344] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.346] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.347] CloseHandle (hObject=0x434) returned 1 [0067.347] GetProcessHeap () returned 0x3a00000 [0067.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.347] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0067.347] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Windows") returned -1 [0067.347] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="$Recycle.bin") returned 1 [0067.347] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="System Volume Information") returned -1 [0067.347] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files") returned -1 [0067.347] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files (x86)") returned -1 [0067.347] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 80 [0067.347] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2=".") returned 1 [0067.347] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="..") returned 1 [0067.347] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.347] GetProcessHeap () returned 0x3a00000 [0067.347] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.347] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*") returned 82 [0067.347] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0067.348] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.348] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.348] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.349] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.349] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.349] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\.") returned 82 [0067.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.349] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.349] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.349] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.349] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\..") returned 83 [0067.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.349] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e5b7d8, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x8c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.349] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.349] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.349] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.349] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.349] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.349] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml") returned 99 [0067.349] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.350] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.350] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.350] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.350] GetTickCount () returned 0x11513c3 [0067.350] GetTickCount () returned 0x11513c3 [0067.350] GetTickCount () returned 0x11513c3 [0067.350] GetTickCount () returned 0x11513c3 [0067.350] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.350] GetProcessHeap () returned 0x3a00000 [0067.350] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.350] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x8c7, lpOverlapped=0x0) returned 1 [0067.352] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff739, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.352] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x8c7, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x8c7, lpOverlapped=0x0) returned 1 [0067.352] GetProcessHeap () returned 0x3a00000 [0067.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.352] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.353] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.353] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.353] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.353] CloseHandle (hObject=0x438) returned 1 [0067.353] GetProcessHeap () returned 0x3a00000 [0067.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.353] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.354] GetProcessHeap () returned 0x3a00000 [0067.354] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.354] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.354] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.354] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.354] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.354] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.354] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.354] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml") returned 100 [0067.354] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.354] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.354] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.355] GetTickCount () returned 0x11513c3 [0067.355] GetTickCount () returned 0x11513c3 [0067.355] GetTickCount () returned 0x11513c3 [0067.355] GetTickCount () returned 0x11513c3 [0067.355] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.355] GetProcessHeap () returned 0x3a00000 [0067.355] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.355] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.357] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.357] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.357] GetProcessHeap () returned 0x3a00000 [0067.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.357] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.357] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.359] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.359] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.359] CloseHandle (hObject=0x438) returned 1 [0067.359] GetProcessHeap () returned 0x3a00000 [0067.359] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.359] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.360] GetProcessHeap () returned 0x3a00000 [0067.360] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.360] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.360] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.360] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.360] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.360] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.360] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.360] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned 85 [0067.360] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.360] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.360] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.360] GetProcessHeap () returned 0x3a00000 [0067.360] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.360] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*") returned 87 [0067.360] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0067.360] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.360] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.360] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.361] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.361] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\.") returned 87 [0067.361] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.361] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.361] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.361] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.361] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.361] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.361] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\..") returned 88 [0067.361] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.361] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.361] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.361] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.361] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.361] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.361] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.361] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned 93 [0067.361] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.361] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.361] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.361] GetProcessHeap () returned 0x3a00000 [0067.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.362] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*") returned 95 [0067.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0067.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.362] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\.") returned 95 [0067.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.362] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.362] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\..") returned 96 [0067.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.362] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.363] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.363] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.363] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.363] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.363] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.363] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.363] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.363] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.363] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.363] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.363] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.363] GetTickCount () returned 0x11513c3 [0067.363] GetTickCount () returned 0x11513c3 [0067.363] GetTickCount () returned 0x11513c3 [0067.363] GetTickCount () returned 0x11513c3 [0067.363] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.364] GetProcessHeap () returned 0x3a00000 [0067.364] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.364] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x670, lpOverlapped=0x0) returned 1 [0067.370] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff990, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.370] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x670, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x670, lpOverlapped=0x0) returned 1 [0067.370] GetProcessHeap () returned 0x3a00000 [0067.370] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.370] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.370] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.370] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.370] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.370] CloseHandle (hObject=0x440) returned 1 [0067.370] GetProcessHeap () returned 0x3a00000 [0067.370] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.370] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.370] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.371] GetProcessHeap () returned 0x3a00000 [0067.371] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.371] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.371] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0067.371] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.371] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.371] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.372] CloseHandle (hObject=0x43c) returned 1 [0067.372] GetProcessHeap () returned 0x3a00000 [0067.372] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.372] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.372] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.372] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.373] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.373] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.373] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.373] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml") returned 97 [0067.373] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.373] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.373] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.373] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.373] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.373] GetTickCount () returned 0x11513d2 [0067.373] GetTickCount () returned 0x11513d2 [0067.373] GetTickCount () returned 0x11513d2 [0067.373] GetTickCount () returned 0x11513d2 [0067.373] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.373] GetProcessHeap () returned 0x3a00000 [0067.373] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.373] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.381] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.381] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.382] GetProcessHeap () returned 0x3a00000 [0067.382] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.382] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.382] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.385] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.385] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.385] CloseHandle (hObject=0x43c) returned 1 [0067.385] GetProcessHeap () returned 0x3a00000 [0067.385] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.386] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.386] GetProcessHeap () returned 0x3a00000 [0067.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.386] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53e0f327, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.386] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0067.386] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.386] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.389] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.390] CloseHandle (hObject=0x438) returned 1 [0067.390] GetProcessHeap () returned 0x3a00000 [0067.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.390] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1854d2, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1854d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.390] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0067.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.390] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.392] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.393] CloseHandle (hObject=0x434) returned 1 [0067.393] GetProcessHeap () returned 0x3a00000 [0067.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.393] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0067.393] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Windows") returned -1 [0067.393] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="$Recycle.bin") returned 1 [0067.393] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="System Volume Information") returned -1 [0067.393] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files") returned -1 [0067.393] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files (x86)") returned -1 [0067.393] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 80 [0067.393] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2=".") returned 1 [0067.393] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="..") returned 1 [0067.393] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.393] GetProcessHeap () returned 0x3a00000 [0067.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.393] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*") returned 82 [0067.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0067.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.393] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.393] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.393] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.393] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.393] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\.") returned 82 [0067.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.393] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.394] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.394] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.394] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.394] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.394] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.394] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\..") returned 83 [0067.394] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.394] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410decf, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410decf, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x5410decf, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.394] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.394] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.394] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.394] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.394] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.394] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml") returned 99 [0067.394] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.394] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.394] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.394] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.394] GetTickCount () returned 0x11513e2 [0067.394] GetTickCount () returned 0x11513e2 [0067.394] GetTickCount () returned 0x11513e2 [0067.394] GetTickCount () returned 0x11513e2 [0067.394] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.396] GetProcessHeap () returned 0x3a00000 [0067.396] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.396] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x1cc1, lpOverlapped=0x0) returned 1 [0067.397] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe33f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.397] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x1cc1, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x1cc1, lpOverlapped=0x0) returned 1 [0067.398] GetProcessHeap () returned 0x3a00000 [0067.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.398] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.398] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.398] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.398] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.398] CloseHandle (hObject=0x438) returned 1 [0067.398] GetProcessHeap () returned 0x3a00000 [0067.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.398] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.399] GetProcessHeap () returned 0x3a00000 [0067.399] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.399] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.399] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.399] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.399] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.399] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.399] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.399] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml") returned 100 [0067.399] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.399] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.399] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.399] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.400] GetTickCount () returned 0x11513f2 [0067.400] GetTickCount () returned 0x11513f2 [0067.400] GetTickCount () returned 0x11513f2 [0067.400] GetTickCount () returned 0x11513f2 [0067.400] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.400] GetProcessHeap () returned 0x3a00000 [0067.400] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.400] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.401] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.401] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.401] GetProcessHeap () returned 0x3a00000 [0067.401] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.401] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.401] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.402] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.402] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.402] CloseHandle (hObject=0x438) returned 1 [0067.402] GetProcessHeap () returned 0x3a00000 [0067.402] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.402] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.402] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.403] GetProcessHeap () returned 0x3a00000 [0067.403] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.403] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.403] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.403] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.403] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.403] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.403] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.403] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned 85 [0067.403] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.403] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.403] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.403] GetProcessHeap () returned 0x3a00000 [0067.403] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.403] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*") returned 87 [0067.403] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0067.403] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.404] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.404] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.404] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.404] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.404] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\.") returned 87 [0067.404] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.404] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.404] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.404] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.404] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.404] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.404] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.404] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\..") returned 88 [0067.404] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.404] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.404] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.404] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.404] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.404] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.404] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.404] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.404] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned 93 [0067.404] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.404] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.404] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.404] GetProcessHeap () returned 0x3a00000 [0067.404] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.404] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*") returned 95 [0067.404] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0067.405] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.405] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.405] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.405] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.405] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.405] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\.") returned 95 [0067.405] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.405] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.405] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.405] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.405] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.405] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.405] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.405] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\..") returned 96 [0067.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.406] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fdcb85, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.406] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.406] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.406] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.406] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.406] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.406] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.406] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.406] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.406] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.406] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.407] GetTickCount () returned 0x11513f2 [0067.407] GetTickCount () returned 0x11513f2 [0067.407] GetTickCount () returned 0x11513f2 [0067.407] GetTickCount () returned 0x11513f2 [0067.407] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.407] GetProcessHeap () returned 0x3a00000 [0067.407] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.407] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x1bae, lpOverlapped=0x0) returned 1 [0067.409] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffe452, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.409] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x1bae, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x1bae, lpOverlapped=0x0) returned 1 [0067.409] GetProcessHeap () returned 0x3a00000 [0067.409] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.409] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.409] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.409] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.410] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.410] CloseHandle (hObject=0x440) returned 1 [0067.410] GetProcessHeap () returned 0x3a00000 [0067.410] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.410] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.410] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.411] GetProcessHeap () returned 0x3a00000 [0067.411] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.411] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fdcb85, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1bae, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.412] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0067.412] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.412] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.412] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.413] CloseHandle (hObject=0x43c) returned 1 [0067.413] GetProcessHeap () returned 0x3a00000 [0067.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.413] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.413] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.413] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.413] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.413] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.413] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.413] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml") returned 97 [0067.414] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.414] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.414] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.414] GetTickCount () returned 0x1151401 [0067.414] GetTickCount () returned 0x1151401 [0067.414] GetTickCount () returned 0x1151401 [0067.414] GetTickCount () returned 0x1151401 [0067.414] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.414] GetProcessHeap () returned 0x3a00000 [0067.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.414] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.415] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.415] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.415] GetProcessHeap () returned 0x3a00000 [0067.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.415] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.415] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.416] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.416] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.416] CloseHandle (hObject=0x43c) returned 1 [0067.416] GetProcessHeap () returned 0x3a00000 [0067.416] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.416] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.417] GetProcessHeap () returned 0x3a00000 [0067.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.417] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x54002dee, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.417] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0067.417] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.417] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.418] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.419] CloseHandle (hObject=0x438) returned 1 [0067.419] GetProcessHeap () returned 0x3a00000 [0067.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.419] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.419] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0067.419] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.421] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.421] CloseHandle (hObject=0x434) returned 1 [0067.422] GetProcessHeap () returned 0x3a00000 [0067.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.422] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0067.422] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Windows") returned -1 [0067.422] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="$Recycle.bin") returned 1 [0067.422] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="System Volume Information") returned -1 [0067.422] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files") returned -1 [0067.422] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files (x86)") returned -1 [0067.422] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 80 [0067.422] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2=".") returned 1 [0067.422] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="..") returned 1 [0067.422] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.422] GetProcessHeap () returned 0x3a00000 [0067.422] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.422] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*") returned 82 [0067.422] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0067.423] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.423] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.423] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.423] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.423] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.423] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\.") returned 82 [0067.423] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.423] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.424] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.424] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.424] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.424] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.424] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.424] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\..") returned 83 [0067.424] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.424] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.424] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f9117b, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f9117b, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f9117b, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x85a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0067.424] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.424] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.424] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.424] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.424] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.424] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml") returned 99 [0067.424] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.424] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.424] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.424] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.424] GetTickCount () returned 0x1151401 [0067.424] GetTickCount () returned 0x1151401 [0067.424] GetTickCount () returned 0x1151401 [0067.424] GetTickCount () returned 0x1151401 [0067.424] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.425] GetProcessHeap () returned 0x3a00000 [0067.425] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.425] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x85a, lpOverlapped=0x0) returned 1 [0067.473] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff7a6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.473] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x85a, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x85a, lpOverlapped=0x0) returned 1 [0067.474] GetProcessHeap () returned 0x3a00000 [0067.474] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.474] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.474] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.474] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.474] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.474] CloseHandle (hObject=0x438) returned 1 [0067.474] GetProcessHeap () returned 0x3a00000 [0067.474] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.475] GetProcessHeap () returned 0x3a00000 [0067.475] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.475] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f6af14, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f6af14, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f6af14, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.475] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.475] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.475] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.475] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.475] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.475] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml") returned 100 [0067.475] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.475] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.475] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.475] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.476] GetTickCount () returned 0x1151440 [0067.476] GetTickCount () returned 0x1151440 [0067.476] GetTickCount () returned 0x1151440 [0067.476] GetTickCount () returned 0x1151440 [0067.476] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.476] GetProcessHeap () returned 0x3a00000 [0067.476] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.476] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.478] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.478] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.478] GetProcessHeap () returned 0x3a00000 [0067.478] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.478] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.478] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.479] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.479] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.479] CloseHandle (hObject=0x438) returned 1 [0067.479] GetProcessHeap () returned 0x3a00000 [0067.479] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.479] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.479] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.480] GetProcessHeap () returned 0x3a00000 [0067.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.480] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.480] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.480] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.480] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.480] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.480] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.480] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned 85 [0067.480] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.480] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.480] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.480] GetProcessHeap () returned 0x3a00000 [0067.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.480] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*") returned 87 [0067.480] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0067.480] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.481] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.481] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.481] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.481] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.481] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\.") returned 87 [0067.481] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.481] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.481] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.481] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.481] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.481] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.481] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.481] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\..") returned 88 [0067.481] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.481] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.481] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.481] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.481] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.481] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.481] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.481] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.481] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned 93 [0067.481] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.481] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.481] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.481] GetProcessHeap () returned 0x3a00000 [0067.481] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.481] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*") returned 95 [0067.481] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0067.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.482] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\.") returned 95 [0067.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.482] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.482] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\..") returned 96 [0067.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.482] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 1 [0067.482] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0067.482] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0067.482] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0067.482] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0067.482] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0067.482] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0067.482] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0067.482] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.482] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0067.482] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.483] GetTickCount () returned 0x1151440 [0067.483] GetTickCount () returned 0x1151440 [0067.483] GetTickCount () returned 0x1151440 [0067.483] GetTickCount () returned 0x1151440 [0067.483] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.483] GetProcessHeap () returned 0x3a00000 [0067.483] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.483] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x710, lpOverlapped=0x0) returned 1 [0067.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff8f0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x710, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x710, lpOverlapped=0x0) returned 1 [0067.484] GetProcessHeap () returned 0x3a00000 [0067.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.485] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.485] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.485] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.485] CloseHandle (hObject=0x440) returned 1 [0067.485] GetProcessHeap () returned 0x3a00000 [0067.485] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.485] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0067.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.485] GetProcessHeap () returned 0x3a00000 [0067.485] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.485] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 0 [0067.486] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0067.486] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.486] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.487] CloseHandle (hObject=0x43c) returned 1 [0067.487] GetProcessHeap () returned 0x3a00000 [0067.487] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.487] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.487] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.487] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.487] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.487] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.487] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.487] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml") returned 97 [0067.487] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.487] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.487] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.487] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.487] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.488] GetTickCount () returned 0x1151440 [0067.488] GetTickCount () returned 0x1151440 [0067.488] GetTickCount () returned 0x1151440 [0067.488] GetTickCount () returned 0x1151440 [0067.488] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.488] GetProcessHeap () returned 0x3a00000 [0067.488] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.488] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.489] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.489] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0067.489] GetProcessHeap () returned 0x3a00000 [0067.489] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.489] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.490] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.490] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.491] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.491] CloseHandle (hObject=0x43c) returned 1 [0067.491] GetProcessHeap () returned 0x3a00000 [0067.491] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.491] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.491] GetProcessHeap () returned 0x3a00000 [0067.491] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.491] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f44caa, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.491] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0067.491] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.492] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.493] CloseHandle (hObject=0x438) returned 1 [0067.496] GetProcessHeap () returned 0x3a00000 [0067.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1f7bd0, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1f7bd0, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.496] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0067.496] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.497] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.498] CloseHandle (hObject=0x434) returned 1 [0067.498] GetProcessHeap () returned 0x3a00000 [0067.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.498] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0067.498] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Windows") returned -1 [0067.498] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="$Recycle.bin") returned 1 [0067.498] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="System Volume Information") returned -1 [0067.498] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files") returned -1 [0067.498] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files (x86)") returned -1 [0067.498] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 80 [0067.498] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2=".") returned 1 [0067.498] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="..") returned 1 [0067.498] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.498] GetProcessHeap () returned 0x3a00000 [0067.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.498] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*") returned 82 [0067.499] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0067.499] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.499] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.499] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.499] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.499] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.499] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\.") returned 82 [0067.499] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.499] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.499] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.500] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.500] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.500] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.500] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.500] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\..") returned 83 [0067.500] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.500] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.500] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fb24d6, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fb24d6, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fb24d6, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x8b5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.500] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.500] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.500] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.500] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.500] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.500] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml") returned 99 [0067.500] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.500] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.500] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.500] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.500] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.500] GetTickCount () returned 0x115144f [0067.500] GetTickCount () returned 0x115144f [0067.500] GetTickCount () returned 0x115144f [0067.500] GetTickCount () returned 0x115144f [0067.501] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.501] GetProcessHeap () returned 0x3a00000 [0067.501] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.501] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x8b5, lpOverlapped=0x0) returned 1 [0067.502] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff74b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.502] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x8b5, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x8b5, lpOverlapped=0x0) returned 1 [0067.502] GetProcessHeap () returned 0x3a00000 [0067.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.502] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.502] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.503] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.503] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.503] CloseHandle (hObject=0x438) returned 1 [0067.503] GetProcessHeap () returned 0x3a00000 [0067.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.503] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.503] GetProcessHeap () returned 0x3a00000 [0067.503] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.503] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8c279, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8c279, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f8c279, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.503] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.503] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.503] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.504] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.504] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.504] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml") returned 100 [0067.504] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.504] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.504] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.504] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.504] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.507] GetTickCount () returned 0x115145f [0067.507] GetTickCount () returned 0x115145f [0067.507] GetTickCount () returned 0x115145f [0067.507] GetTickCount () returned 0x115145f [0067.507] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.507] GetProcessHeap () returned 0x3a00000 [0067.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.507] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.508] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.509] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.509] GetProcessHeap () returned 0x3a00000 [0067.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.509] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.509] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.509] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.510] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.510] CloseHandle (hObject=0x438) returned 1 [0067.510] GetProcessHeap () returned 0x3a00000 [0067.510] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.510] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.510] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.510] GetProcessHeap () returned 0x3a00000 [0067.510] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.510] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.510] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.510] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.511] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.511] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.511] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.511] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned 85 [0067.511] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.511] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.511] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.511] GetProcessHeap () returned 0x3a00000 [0067.511] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.511] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*") returned 87 [0067.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0067.514] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.514] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.514] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.514] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\.") returned 87 [0067.514] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.514] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.514] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.514] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.514] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.514] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.514] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\..") returned 88 [0067.514] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.514] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.514] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.514] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.514] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.514] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.514] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.515] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.515] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned 93 [0067.515] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.515] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.515] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.515] GetProcessHeap () returned 0x3a00000 [0067.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.515] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*") returned 95 [0067.515] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0067.515] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.515] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.515] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.515] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.515] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.515] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\.") returned 95 [0067.515] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.515] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.515] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.515] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.515] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.515] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.515] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.515] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\..") returned 96 [0067.515] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.515] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.515] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.515] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.515] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.516] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.516] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.516] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.516] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.516] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.516] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.516] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.516] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.516] GetTickCount () returned 0x115145f [0067.516] GetTickCount () returned 0x115145f [0067.516] GetTickCount () returned 0x115145f [0067.516] GetTickCount () returned 0x115145f [0067.516] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.516] GetProcessHeap () returned 0x3a00000 [0067.516] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.516] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x663, lpOverlapped=0x0) returned 1 [0067.518] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff99d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.518] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x663, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x663, lpOverlapped=0x0) returned 1 [0067.518] GetProcessHeap () returned 0x3a00000 [0067.518] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.518] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.518] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.518] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.518] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.518] CloseHandle (hObject=0x440) returned 1 [0067.518] GetProcessHeap () returned 0x3a00000 [0067.518] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.518] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.519] GetProcessHeap () returned 0x3a00000 [0067.519] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.519] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.519] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0067.519] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.520] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.522] CloseHandle (hObject=0x43c) returned 1 [0067.522] GetProcessHeap () returned 0x3a00000 [0067.522] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.522] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.522] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.522] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.522] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.522] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.522] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.522] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml") returned 97 [0067.522] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.522] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.522] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.522] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.523] GetTickCount () returned 0x115146f [0067.523] GetTickCount () returned 0x115146f [0067.523] GetTickCount () returned 0x115146f [0067.523] GetTickCount () returned 0x115146f [0067.523] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.523] GetProcessHeap () returned 0x3a00000 [0067.523] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.523] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.524] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.524] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0067.524] GetProcessHeap () returned 0x3a00000 [0067.524] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.524] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.524] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.525] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.525] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.525] CloseHandle (hObject=0x43c) returned 1 [0067.525] GetProcessHeap () returned 0x3a00000 [0067.525] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.525] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.525] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.526] GetProcessHeap () returned 0x3a00000 [0067.526] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.526] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.526] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0067.526] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.526] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.526] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.527] CloseHandle (hObject=0x438) returned 1 [0067.527] GetProcessHeap () returned 0x3a00000 [0067.527] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.527] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d1ab71b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d1ab71b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.527] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0067.527] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.527] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.529] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.530] CloseHandle (hObject=0x434) returned 1 [0067.530] GetProcessHeap () returned 0x3a00000 [0067.530] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.530] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0067.530] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Windows") returned -1 [0067.530] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="$Recycle.bin") returned 1 [0067.530] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="System Volume Information") returned -1 [0067.530] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files") returned -1 [0067.530] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files (x86)") returned -1 [0067.530] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned 80 [0067.530] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2=".") returned 1 [0067.530] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="..") returned 1 [0067.530] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.530] GetProcessHeap () returned 0x3a00000 [0067.530] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.530] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*") returned 82 [0067.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0067.531] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.531] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.531] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.531] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.531] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.531] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\.") returned 82 [0067.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.531] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.531] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.531] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.531] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.531] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.531] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.531] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\..") returned 83 [0067.531] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.531] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.531] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fc7d5e, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x67b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0067.531] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.531] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.531] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.531] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.531] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.531] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml") returned 99 [0067.531] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.531] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.531] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.531] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.532] GetTickCount () returned 0x115146f [0067.532] GetTickCount () returned 0x115146f [0067.532] GetTickCount () returned 0x115146f [0067.532] GetTickCount () returned 0x115146f [0067.532] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.532] GetProcessHeap () returned 0x3a00000 [0067.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.532] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x67b, lpOverlapped=0x0) returned 1 [0067.533] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff985, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.533] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x67b, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x67b, lpOverlapped=0x0) returned 1 [0067.533] GetProcessHeap () returned 0x3a00000 [0067.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.533] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.533] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.534] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.534] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.534] CloseHandle (hObject=0x438) returned 1 [0067.534] GetProcessHeap () returned 0x3a00000 [0067.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.534] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.534] GetProcessHeap () returned 0x3a00000 [0067.534] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.534] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0067.534] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.534] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.535] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.535] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.535] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.535] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml") returned 100 [0067.535] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.535] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.535] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.535] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.547] GetTickCount () returned 0x115147e [0067.547] GetTickCount () returned 0x115147e [0067.547] GetTickCount () returned 0x115147e [0067.547] GetTickCount () returned 0x115147e [0067.547] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.547] GetProcessHeap () returned 0x3a00000 [0067.547] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.547] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.548] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.548] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.548] GetProcessHeap () returned 0x3a00000 [0067.548] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.548] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.548] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.549] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.549] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.550] CloseHandle (hObject=0x438) returned 1 [0067.550] GetProcessHeap () returned 0x3a00000 [0067.550] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.550] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.550] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.550] GetProcessHeap () returned 0x3a00000 [0067.550] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.550] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.550] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.550] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.550] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.550] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.550] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.550] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned 85 [0067.550] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.550] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.551] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.551] GetProcessHeap () returned 0x3a00000 [0067.551] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*") returned 87 [0067.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0067.551] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.551] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.551] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.551] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.551] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\.") returned 87 [0067.551] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.551] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.551] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.551] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.551] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.552] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\..") returned 88 [0067.552] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.552] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.552] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.552] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.552] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.552] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.552] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.552] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned 93 [0067.552] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.552] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.552] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.552] GetProcessHeap () returned 0x3a00000 [0067.552] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*") returned 95 [0067.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0067.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\.") returned 95 [0067.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.552] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.553] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.553] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.553] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.553] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\..") returned 96 [0067.553] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.553] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.553] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f7b887, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0067.553] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0067.553] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0067.553] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0067.553] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0067.553] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0067.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0067.553] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0067.553] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.553] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0067.553] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.554] GetTickCount () returned 0x115148e [0067.554] GetTickCount () returned 0x115148e [0067.554] GetTickCount () returned 0x115148e [0067.554] GetTickCount () returned 0x115148e [0067.554] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.554] GetProcessHeap () returned 0x3a00000 [0067.554] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.554] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x2a5, lpOverlapped=0x0) returned 1 [0067.555] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd5b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.555] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x2a5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x2a5, lpOverlapped=0x0) returned 1 [0067.556] GetProcessHeap () returned 0x3a00000 [0067.556] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.556] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.556] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.556] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.556] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.556] CloseHandle (hObject=0x440) returned 1 [0067.556] GetProcessHeap () returned 0x3a00000 [0067.556] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.556] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0067.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.557] GetProcessHeap () returned 0x3a00000 [0067.557] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.557] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f7b887, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x2a5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0067.557] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0067.557] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0067.557] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.563] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.564] CloseHandle (hObject=0x43c) returned 1 [0067.564] GetProcessHeap () returned 0x3a00000 [0067.564] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.564] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x222, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0067.564] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0067.564] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0067.564] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0067.564] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0067.564] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0067.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml") returned 97 [0067.564] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0067.564] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.564] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0067.564] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.565] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0067.565] GetTickCount () returned 0x115148e [0067.565] GetTickCount () returned 0x115148e [0067.565] GetTickCount () returned 0x115148e [0067.565] GetTickCount () returned 0x115148e [0067.565] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0067.565] GetProcessHeap () returned 0x3a00000 [0067.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a70290 [0067.565] ReadFile (in: hFile=0x43c, lpBuffer=0x3a70290, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesRead=0x65af04c*=0x222, lpOverlapped=0x0) returned 1 [0067.566] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffdde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.567] WriteFile (in: hFile=0x43c, lpBuffer=0x3a70290*, nNumberOfBytesToWrite=0x222, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a70290*, lpNumberOfBytesWritten=0x65af04c*=0x222, lpOverlapped=0x0) returned 1 [0067.567] GetProcessHeap () returned 0x3a00000 [0067.567] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0067.567] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.567] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0067.568] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0067.568] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0067.568] CloseHandle (hObject=0x43c) returned 1 [0067.568] GetProcessHeap () returned 0x3a00000 [0067.568] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.568] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0067.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.569] GetProcessHeap () returned 0x3a00000 [0067.569] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0067.569] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53fa1af1, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x222, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0067.569] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0067.569] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0067.569] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.570] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0067.571] CloseHandle (hObject=0x438) returned 1 [0067.571] GetProcessHeap () returned 0x3a00000 [0067.571] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.571] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0067.571] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0067.571] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0067.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0067.574] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0067.575] CloseHandle (hObject=0x434) returned 1 [0067.575] GetProcessHeap () returned 0x3a00000 [0067.575] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0067.575] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c8a326e4-f518-4f14-b543-97a57e1a975e}", cAlternateFileName="{C8A32~1")) returned 1 [0067.575] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Windows") returned -1 [0067.575] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="$Recycle.bin") returned 1 [0067.575] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="System Volume Information") returned -1 [0067.575] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files") returned -1 [0067.575] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files (x86)") returned -1 [0067.575] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}") returned 80 [0067.575] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2=".") returned 1 [0067.575] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="..") returned 1 [0067.575] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.575] GetProcessHeap () returned 0x3a00000 [0067.575] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0067.575] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*") returned 82 [0067.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0067.578] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.578] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.578] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.578] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.578] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.578] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\.") returned 82 [0067.578] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.578] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.578] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.578] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.578] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.578] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.578] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.578] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\..") returned 83 [0067.578] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.578] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.578] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x930c721b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x930c721b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x930c721b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x9ba5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0067.578] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0067.578] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0067.578] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0067.578] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0067.579] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0067.579] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml") returned 99 [0067.579] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0067.579] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.579] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0067.579] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.579] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.579] GetTickCount () returned 0x115149e [0067.579] GetTickCount () returned 0x115149e [0067.579] GetTickCount () returned 0x115149e [0067.579] GetTickCount () returned 0x115149e [0067.579] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.579] GetProcessHeap () returned 0x3a00000 [0067.579] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.579] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0067.583] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.583] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0067.583] GetProcessHeap () returned 0x3a00000 [0067.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.583] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.583] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.585] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.585] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.585] CloseHandle (hObject=0x438) returned 1 [0067.585] GetProcessHeap () returned 0x3a00000 [0067.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.585] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0067.585] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.586] GetProcessHeap () returned 0x3a00000 [0067.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.586] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919d3d65, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x919d3d65, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x919d3d65, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0067.586] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0067.586] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0067.586] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0067.586] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0067.586] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0067.586] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml") returned 100 [0067.586] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0067.586] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.586] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0067.586] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.586] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0067.587] GetTickCount () returned 0x11514ad [0067.587] GetTickCount () returned 0x11514ad [0067.587] GetTickCount () returned 0x11514ad [0067.587] GetTickCount () returned 0x11514ad [0067.587] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0067.587] GetProcessHeap () returned 0x3a00000 [0067.587] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a6f288 [0067.587] ReadFile (in: hFile=0x438, lpBuffer=0x3a6f288, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.588] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.588] WriteFile (in: hFile=0x438, lpBuffer=0x3a6f288*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a6f288*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0067.589] GetProcessHeap () returned 0x3a00000 [0067.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6f288 | out: hHeap=0x3a00000) returned 1 [0067.589] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.589] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0067.590] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0067.590] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0067.590] CloseHandle (hObject=0x438) returned 1 [0067.590] GetProcessHeap () returned 0x3a00000 [0067.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.590] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0067.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0067.591] GetProcessHeap () returned 0x3a00000 [0067.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0067.591] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0067.591] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0067.591] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0067.591] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0067.591] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0067.591] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0067.591] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov") returned 85 [0067.591] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0067.591] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0067.591] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.591] GetProcessHeap () returned 0x3a00000 [0067.591] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0067.591] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*") returned 87 [0067.591] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0067.592] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\.") returned 87 [0067.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.592] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\..") returned 88 [0067.592] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.592] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.592] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0067.592] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0067.592] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0067.592] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0067.592] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0067.592] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0067.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime") returned 93 [0067.593] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0067.593] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0067.593] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0067.593] GetProcessHeap () returned 0x3a00000 [0067.593] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0067.593] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*") returned 95 [0067.593] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0067.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0067.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0067.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0067.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0067.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0067.600] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\.") returned 95 [0067.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0067.600] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2270dc88, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2270dc88, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0067.603] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0067.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0067.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0067.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0067.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0067.603] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\..") returned 96 [0067.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0067.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0067.603] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a4472, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900a4472, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="0__CON~1.PRO")) returned 1 [0067.603] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.603] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.603] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.604] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.604] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.604] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml") returned 182 [0067.604] StrStrIW (lpFirst="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.604] lstrcmpW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.604] lstrcmpW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.604] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.604] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.604] GetTickCount () returned 0x11514bd [0067.604] GetTickCount () returned 0x11514bd [0067.604] GetTickCount () returned 0x11514bd [0067.604] GetTickCount () returned 0x11514bd [0067.604] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.605] GetProcessHeap () returned 0x3a00000 [0067.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.605] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0067.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0067.625] GetProcessHeap () returned 0x3a00000 [0067.625] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.625] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.625] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.625] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.625] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.625] CloseHandle (hObject=0x440) returned 1 [0067.626] GetProcessHeap () returned 0x3a00000 [0067.626] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.626] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0067.626] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\0__connections_cellular_albanian mobile communications (albania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.627] GetProcessHeap () returned 0x3a00000 [0067.627] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.627] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x292, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="100__C~1.PRO")) returned 1 [0067.627] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.627] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.627] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.627] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.627] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.627] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml") returned 162 [0067.627] StrStrIW (lpFirst="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.627] lstrcmpW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.627] lstrcmpW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.627] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.627] GetTickCount () returned 0x11514cc [0067.627] GetTickCount () returned 0x11514cc [0067.627] GetTickCount () returned 0x11514cc [0067.628] GetTickCount () returned 0x11514cc [0067.628] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.628] GetProcessHeap () returned 0x3a00000 [0067.628] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a71298 [0067.628] ReadFile (in: hFile=0x440, lpBuffer=0x3a71298, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesRead=0x65aedc4*=0x292, lpOverlapped=0x0) returned 1 [0067.630] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.630] WriteFile (in: hFile=0x440, lpBuffer=0x3a71298*, nNumberOfBytesToWrite=0x292, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a71298*, lpNumberOfBytesWritten=0x65aedc4*=0x292, lpOverlapped=0x0) returned 1 [0067.630] GetProcessHeap () returned 0x3a00000 [0067.630] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a71298 | out: hHeap=0x3a00000) returned 1 [0067.630] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.630] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.630] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.631] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.631] CloseHandle (hObject=0x440) returned 1 [0067.631] GetProcessHeap () returned 0x3a00000 [0067.631] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.631] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0067.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\100__connections_cellular_telia dk (denmark)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.632] GetProcessHeap () returned 0x3a00000 [0067.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.632] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="101__C~1.PRO")) returned 1 [0067.632] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.632] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.632] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.632] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.632] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.632] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.632] StrStrIW (lpFirst="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.632] lstrcmpW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.632] lstrcmpW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.632] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.632] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.633] GetTickCount () returned 0x11514dc [0067.633] GetTickCount () returned 0x11514dc [0067.633] GetTickCount () returned 0x11514dc [0067.633] GetTickCount () returned 0x11514dc [0067.633] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.633] GetProcessHeap () returned 0x3a00000 [0067.633] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.633] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x1d2, lpOverlapped=0x0) returned 1 [0067.634] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.634] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x1d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x1d2, lpOverlapped=0x0) returned 1 [0067.634] GetProcessHeap () returned 0x3a00000 [0067.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.634] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.634] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.635] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.635] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.636] CloseHandle (hObject=0x440) returned 1 [0067.636] GetProcessHeap () returned 0x3a00000 [0067.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.636] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\101__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.636] GetProcessHeap () returned 0x3a00000 [0067.636] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.637] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="102__C~1.PRO")) returned 1 [0067.637] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.637] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.637] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.637] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.637] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml") returned 170 [0067.637] StrStrIW (lpFirst="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.637] lstrcmpW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.637] lstrcmpW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.637] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.637] GetTickCount () returned 0x11514dc [0067.637] GetTickCount () returned 0x11514dc [0067.637] GetTickCount () returned 0x11514dc [0067.637] GetTickCount () returned 0x11514dc [0067.637] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.638] GetProcessHeap () returned 0x3a00000 [0067.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.638] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0067.639] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.639] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0067.640] GetProcessHeap () returned 0x3a00000 [0067.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.640] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.640] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.640] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.640] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.640] CloseHandle (hObject=0x440) returned 1 [0067.640] GetProcessHeap () returned 0x3a00000 [0067.640] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.640] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0067.640] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\102__connections_cellular_claro (dominican republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.641] GetProcessHeap () returned 0x3a00000 [0067.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.641] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", cAlternateFileName="103__C~1.PRO")) returned 1 [0067.641] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.641] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.641] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.641] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.641] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.641] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml") returned 170 [0067.641] StrStrIW (lpFirst="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.641] lstrcmpW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.642] lstrcmpW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.642] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.642] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.642] GetTickCount () returned 0x11514dc [0067.642] GetTickCount () returned 0x11514dc [0067.642] GetTickCount () returned 0x11514dc [0067.642] GetTickCount () returned 0x11514dc [0067.642] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.642] GetProcessHeap () returned 0x3a00000 [0067.642] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.642] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x29e, lpOverlapped=0x0) returned 1 [0067.644] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.644] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x29e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x29e, lpOverlapped=0x0) returned 1 [0067.644] GetProcessHeap () returned 0x3a00000 [0067.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.644] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.645] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.645] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.645] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.645] CloseHandle (hObject=0x440) returned 1 [0067.645] GetProcessHeap () returned 0x3a00000 [0067.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.645] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0067.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\103__connections_cellular_claro (dominican republic)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.646] GetProcessHeap () returned 0x3a00000 [0067.646] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.646] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="104__C~1.PRO")) returned 1 [0067.646] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.646] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.646] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.646] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.646] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.646] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml") returned 163 [0067.646] StrStrIW (lpFirst="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.646] lstrcmpW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.646] lstrcmpW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.646] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.646] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.646] GetTickCount () returned 0x11514ec [0067.646] GetTickCount () returned 0x11514ec [0067.646] GetTickCount () returned 0x11514ec [0067.646] GetTickCount () returned 0x11514ec [0067.646] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.647] GetProcessHeap () returned 0x3a00000 [0067.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.647] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0067.648] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.648] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0067.648] GetProcessHeap () returned 0x3a00000 [0067.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.648] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.648] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.648] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.648] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.649] CloseHandle (hObject=0x440) returned 1 [0067.649] GetProcessHeap () returned 0x3a00000 [0067.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.649] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0067.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\104__connections_cellular_porta gsm (ecuador)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.649] GetProcessHeap () returned 0x3a00000 [0067.649] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.649] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="105__C~1.PRO")) returned 1 [0067.649] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.649] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.649] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.649] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.649] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.650] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml") returned 164 [0067.650] StrStrIW (lpFirst="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.650] lstrcmpW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.650] lstrcmpW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.650] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.650] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.650] GetTickCount () returned 0x11514ec [0067.650] GetTickCount () returned 0x11514ec [0067.650] GetTickCount () returned 0x11514ec [0067.650] GetTickCount () returned 0x11514ec [0067.650] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.651] GetProcessHeap () returned 0x3a00000 [0067.651] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.651] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0067.652] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.652] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0067.652] GetProcessHeap () returned 0x3a00000 [0067.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.652] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.652] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.652] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.652] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.652] CloseHandle (hObject=0x440) returned 1 [0067.653] GetProcessHeap () returned 0x3a00000 [0067.653] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.653] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0067.653] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\105__connections_cellular_telefonica (ecuador)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.653] GetProcessHeap () returned 0x3a00000 [0067.653] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.653] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9045e0ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="106__C~1.PRO")) returned 1 [0067.653] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.653] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.653] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.653] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.653] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.653] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml") returned 159 [0067.653] StrStrIW (lpFirst="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.653] lstrcmpW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.654] lstrcmpW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.654] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.654] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.654] GetTickCount () returned 0x11514ec [0067.654] GetTickCount () returned 0x11514ec [0067.654] GetTickCount () returned 0x11514ec [0067.654] GetTickCount () returned 0x11514ec [0067.654] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.654] GetProcessHeap () returned 0x3a00000 [0067.654] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.654] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0067.655] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.655] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0067.656] GetProcessHeap () returned 0x3a00000 [0067.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.656] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.656] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.656] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.656] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.656] CloseHandle (hObject=0x440) returned 1 [0067.656] GetProcessHeap () returned 0x3a00000 [0067.656] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.656] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\106__connections_cellular_mobinil (egypt)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.657] GetProcessHeap () returned 0x3a00000 [0067.657] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.657] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="107__C~1.PRO")) returned 1 [0067.657] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.657] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.657] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.657] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.657] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.657] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml") returned 166 [0067.657] StrStrIW (lpFirst="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.657] lstrcmpW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.657] lstrcmpW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.657] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.657] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.657] GetTickCount () returned 0x11514ec [0067.657] GetTickCount () returned 0x11514ec [0067.657] GetTickCount () returned 0x11514ec [0067.657] GetTickCount () returned 0x11514ec [0067.657] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.658] GetProcessHeap () returned 0x3a00000 [0067.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.658] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x360, lpOverlapped=0x0) returned 1 [0067.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.659] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x360, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x360, lpOverlapped=0x0) returned 1 [0067.659] GetProcessHeap () returned 0x3a00000 [0067.659] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.659] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.659] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.659] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.659] CloseHandle (hObject=0x440) returned 1 [0067.660] GetProcessHeap () returned 0x3a00000 [0067.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.660] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0067.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\107__connections_cellular_vodafone egypt (egypt)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.664] GetProcessHeap () returned 0x3a00000 [0067.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.665] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="108__C~1.PRO")) returned 1 [0067.665] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.665] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.665] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.665] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.665] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.665] StrStrIW (lpFirst="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.665] lstrcmpW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.665] lstrcmpW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.665] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.665] GetTickCount () returned 0x11514fb [0067.665] GetTickCount () returned 0x11514fb [0067.665] GetTickCount () returned 0x11514fb [0067.665] GetTickCount () returned 0x11514fb [0067.665] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.665] GetProcessHeap () returned 0x3a00000 [0067.665] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.665] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0067.666] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.666] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0067.666] GetProcessHeap () returned 0x3a00000 [0067.666] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.666] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.667] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.667] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.667] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.667] CloseHandle (hObject=0x440) returned 1 [0067.667] GetProcessHeap () returned 0x3a00000 [0067.668] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.668] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\108__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.668] GetProcessHeap () returned 0x3a00000 [0067.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.668] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", cAlternateFileName="109__C~1.PRO")) returned 1 [0067.668] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.668] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.668] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.668] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.668] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.668] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml") returned 165 [0067.668] StrStrIW (lpFirst="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.668] lstrcmpW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.668] lstrcmpW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.668] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.669] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.669] GetTickCount () returned 0x11514fb [0067.669] GetTickCount () returned 0x11514fb [0067.669] GetTickCount () returned 0x11514fb [0067.669] GetTickCount () returned 0x11514fb [0067.669] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.669] GetProcessHeap () returned 0x3a00000 [0067.669] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.669] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0067.670] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.670] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0067.670] GetProcessHeap () returned 0x3a00000 [0067.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.670] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.671] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.671] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.671] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.671] CloseHandle (hObject=0x440) returned 1 [0067.671] GetProcessHeap () returned 0x3a00000 [0067.671] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.671] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0067.671] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\109__connections_cellular_etisalat misr (egypt)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.672] GetProcessHeap () returned 0x3a00000 [0067.672] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.672] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90116bb1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="10__CO~1.PRO")) returned 1 [0067.672] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.672] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.672] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.672] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.672] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.672] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml") returned 160 [0067.672] StrStrIW (lpFirst="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.672] lstrcmpW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.672] lstrcmpW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.672] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.672] GetTickCount () returned 0x11514fb [0067.672] GetTickCount () returned 0x11514fb [0067.672] GetTickCount () returned 0x11514fb [0067.672] GetTickCount () returned 0x11514fb [0067.672] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.672] GetProcessHeap () returned 0x3a00000 [0067.672] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.672] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0067.674] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.674] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0067.674] GetProcessHeap () returned 0x3a00000 [0067.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.674] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.674] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.674] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.674] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.674] CloseHandle (hObject=0x440) returned 1 [0067.674] GetProcessHeap () returned 0x3a00000 [0067.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.674] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0067.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\10__connections_cellular_optus (australia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.675] GetProcessHeap () returned 0x3a00000 [0067.675] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.675] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="110__C~1.PRO")) returned 1 [0067.675] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.675] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.675] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.675] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.675] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.675] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml") returned 163 [0067.675] StrStrIW (lpFirst="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.675] lstrcmpW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.675] lstrcmpW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.675] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.675] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.676] GetTickCount () returned 0x11514fb [0067.676] GetTickCount () returned 0x11514fb [0067.676] GetTickCount () returned 0x11514fb [0067.676] GetTickCount () returned 0x11514fb [0067.676] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.676] GetProcessHeap () returned 0x3a00000 [0067.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.676] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0067.678] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.678] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0067.678] GetProcessHeap () returned 0x3a00000 [0067.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.678] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.678] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.678] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.678] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.678] CloseHandle (hObject=0x440) returned 1 [0067.678] GetProcessHeap () returned 0x3a00000 [0067.678] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.678] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0067.678] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\110__connections_cellular_claro (el salvador)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.679] GetProcessHeap () returned 0x3a00000 [0067.679] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.679] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9048435b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", cAlternateFileName="111__C~1.PRO")) returned 1 [0067.679] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.679] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.679] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.679] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.679] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml") returned 163 [0067.679] StrStrIW (lpFirst="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.679] lstrcmpW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.679] lstrcmpW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.680] GetTickCount () returned 0x115150b [0067.680] GetTickCount () returned 0x115150b [0067.680] GetTickCount () returned 0x115150b [0067.680] GetTickCount () returned 0x115150b [0067.680] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.680] GetProcessHeap () returned 0x3a00000 [0067.680] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.680] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0067.681] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.681] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0067.681] GetProcessHeap () returned 0x3a00000 [0067.681] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.681] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.682] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.682] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.682] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.682] CloseHandle (hObject=0x440) returned 1 [0067.682] GetProcessHeap () returned 0x3a00000 [0067.682] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.682] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0067.682] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\111__connections_cellular_claro (el salvador)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.683] GetProcessHeap () returned 0x3a00000 [0067.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.683] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="112__C~1.PRO")) returned 1 [0067.683] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.683] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.683] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.683] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.683] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.683] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml") returned 168 [0067.683] StrStrIW (lpFirst="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.683] lstrcmpW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.683] lstrcmpW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.683] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.683] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.684] GetTickCount () returned 0x115150b [0067.684] GetTickCount () returned 0x115150b [0067.684] GetTickCount () returned 0x115150b [0067.684] GetTickCount () returned 0x115150b [0067.684] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.684] GetProcessHeap () returned 0x3a00000 [0067.684] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.684] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0067.685] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.685] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0067.685] GetProcessHeap () returned 0x3a00000 [0067.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.685] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.685] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.686] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.686] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.686] CloseHandle (hObject=0x440) returned 1 [0067.686] GetProcessHeap () returned 0x3a00000 [0067.686] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.686] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0067.686] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\112__connections_cellular_telefonica (el salvador)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.686] GetProcessHeap () returned 0x3a00000 [0067.687] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.687] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", cAlternateFileName="113__C~1.PRO")) returned 1 [0067.687] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.687] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.687] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.687] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.687] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.687] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml") returned 162 [0067.687] StrStrIW (lpFirst="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.687] lstrcmpW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.687] lstrcmpW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.687] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.687] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.687] GetTickCount () returned 0x115150b [0067.687] GetTickCount () returned 0x115150b [0067.687] GetTickCount () returned 0x115150b [0067.687] GetTickCount () returned 0x115150b [0067.687] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.687] GetProcessHeap () returned 0x3a00000 [0067.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.687] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0067.690] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.690] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0067.691] GetProcessHeap () returned 0x3a00000 [0067.691] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.691] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.691] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.691] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.691] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.691] CloseHandle (hObject=0x440) returned 1 [0067.691] GetProcessHeap () returned 0x3a00000 [0067.691] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.691] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0067.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\113__connections_cellular_tigo (el salvador)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.693] GetProcessHeap () returned 0x3a00000 [0067.693] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.693] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", cAlternateFileName="114__C~1.PRO")) returned 1 [0067.693] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.693] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.693] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.693] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.693] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.693] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml") returned 162 [0067.693] StrStrIW (lpFirst="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.693] lstrcmpW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.693] lstrcmpW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.693] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.693] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.693] GetTickCount () returned 0x115151b [0067.693] GetTickCount () returned 0x115151b [0067.693] GetTickCount () returned 0x115151b [0067.693] GetTickCount () returned 0x115151b [0067.693] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.693] GetProcessHeap () returned 0x3a00000 [0067.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.693] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x28c, lpOverlapped=0x0) returned 1 [0067.695] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.695] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x28c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x28c, lpOverlapped=0x0) returned 1 [0067.695] GetProcessHeap () returned 0x3a00000 [0067.695] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.695] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.695] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.695] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.695] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.695] CloseHandle (hObject=0x440) returned 1 [0067.695] GetProcessHeap () returned 0x3a00000 [0067.695] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.695] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0067.695] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\114__connections_cellular_tigo (el salvador)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.696] GetProcessHeap () returned 0x3a00000 [0067.696] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.696] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904aa5c6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="115__C~1.PRO")) returned 1 [0067.698] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.698] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.698] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.698] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.698] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml") returned 167 [0067.698] StrStrIW (lpFirst="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.699] lstrcmpW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.699] lstrcmpW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.699] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.699] GetTickCount () returned 0x115151b [0067.699] GetTickCount () returned 0x115151b [0067.699] GetTickCount () returned 0x115151b [0067.699] GetTickCount () returned 0x115151b [0067.699] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.699] GetProcessHeap () returned 0x3a00000 [0067.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.699] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0067.700] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.700] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0067.701] GetProcessHeap () returned 0x3a00000 [0067.701] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.701] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.701] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.701] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.701] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.701] CloseHandle (hObject=0x440) returned 1 [0067.701] GetProcessHeap () returned 0x3a00000 [0067.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.701] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0067.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\115__connections_cellular_elisa estonia (estonia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.702] GetProcessHeap () returned 0x3a00000 [0067.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.702] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="116__C~1.PRO")) returned 1 [0067.702] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.702] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.702] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.702] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.702] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml") returned 157 [0067.702] StrStrIW (lpFirst="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.702] lstrcmpW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.702] lstrcmpW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.702] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.702] GetTickCount () returned 0x115151b [0067.702] GetTickCount () returned 0x115151b [0067.702] GetTickCount () returned 0x115151b [0067.702] GetTickCount () returned 0x115151b [0067.702] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.702] GetProcessHeap () returned 0x3a00000 [0067.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.703] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0067.710] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.711] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0067.714] GetProcessHeap () returned 0x3a00000 [0067.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.714] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.714] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.714] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.714] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.714] CloseHandle (hObject=0x440) returned 1 [0067.714] GetProcessHeap () returned 0x3a00000 [0067.714] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0067.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\116__connections_cellular_emt (estonia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.715] GetProcessHeap () returned 0x3a00000 [0067.715] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.715] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="117__C~1.PRO")) returned 1 [0067.715] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.715] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.715] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.715] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.715] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.715] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml") returned 157 [0067.715] StrStrIW (lpFirst="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.715] lstrcmpW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.716] lstrcmpW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.716] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.716] GetTickCount () returned 0x115152a [0067.716] GetTickCount () returned 0x115152a [0067.716] GetTickCount () returned 0x115152a [0067.716] GetTickCount () returned 0x115152a [0067.716] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.716] GetProcessHeap () returned 0x3a00000 [0067.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.716] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0067.718] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0067.718] GetProcessHeap () returned 0x3a00000 [0067.718] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.718] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.718] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.718] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.718] CloseHandle (hObject=0x440) returned 1 [0067.718] GetProcessHeap () returned 0x3a00000 [0067.718] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.718] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0067.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\117__connections_cellular_emt (estonia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.719] GetProcessHeap () returned 0x3a00000 [0067.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.719] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="118__C~1.PRO")) returned 1 [0067.719] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.719] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.719] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.719] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.719] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.719] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml") returned 159 [0067.719] StrStrIW (lpFirst="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.719] lstrcmpW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.719] lstrcmpW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.719] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.719] GetTickCount () returned 0x115152a [0067.719] GetTickCount () returned 0x115152a [0067.720] GetTickCount () returned 0x115152a [0067.720] GetTickCount () returned 0x115152a [0067.720] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.720] GetProcessHeap () returned 0x3a00000 [0067.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.720] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0067.721] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.721] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0067.721] GetProcessHeap () returned 0x3a00000 [0067.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.721] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.721] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.721] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.722] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.722] CloseHandle (hObject=0x440) returned 1 [0067.722] GetProcessHeap () returned 0x3a00000 [0067.722] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.722] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\118__connections_cellular_tele2 (estonia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.722] GetProcessHeap () returned 0x3a00000 [0067.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.722] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904d0836, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="119__C~1.PRO")) returned 1 [0067.722] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.722] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.722] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.722] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.722] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.723] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml") returned 159 [0067.723] StrStrIW (lpFirst="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.723] lstrcmpW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.723] lstrcmpW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.723] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.723] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.723] GetTickCount () returned 0x115153a [0067.723] GetTickCount () returned 0x115153a [0067.723] GetTickCount () returned 0x115153a [0067.723] GetTickCount () returned 0x115153a [0067.723] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.723] GetProcessHeap () returned 0x3a00000 [0067.723] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.723] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0067.725] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.725] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0067.725] GetProcessHeap () returned 0x3a00000 [0067.725] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.725] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.725] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.725] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.725] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.725] CloseHandle (hObject=0x440) returned 1 [0067.725] GetProcessHeap () returned 0x3a00000 [0067.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.726] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\119__connections_cellular_tele2 (estonia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.726] GetProcessHeap () returned 0x3a00000 [0067.726] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.726] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="11__CO~1.PRO")) returned 1 [0067.726] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.726] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.726] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.726] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.726] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.726] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml") returned 160 [0067.726] StrStrIW (lpFirst="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.726] lstrcmpW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.726] lstrcmpW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.726] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.727] GetTickCount () returned 0x115153a [0067.727] GetTickCount () returned 0x115153a [0067.727] GetTickCount () returned 0x115153a [0067.727] GetTickCount () returned 0x115153a [0067.727] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.727] GetProcessHeap () returned 0x3a00000 [0067.727] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.727] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0067.728] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.728] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0067.728] GetProcessHeap () returned 0x3a00000 [0067.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.728] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.729] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.729] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.729] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.729] CloseHandle (hObject=0x440) returned 1 [0067.729] GetProcessHeap () returned 0x3a00000 [0067.729] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0067.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\11__connections_cellular_optus (australia)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.730] GetProcessHeap () returned 0x3a00000 [0067.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.730] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="120__C~1.PRO")) returned 1 [0067.730] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.730] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.730] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.730] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.730] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml") returned 171 [0067.730] StrStrIW (lpFirst="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.730] lstrcmpW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.730] lstrcmpW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.730] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.730] GetTickCount () returned 0x115153a [0067.730] GetTickCount () returned 0x115153a [0067.730] GetTickCount () returned 0x115153a [0067.730] GetTickCount () returned 0x115153a [0067.730] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.730] GetProcessHeap () returned 0x3a00000 [0067.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.730] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0067.732] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.732] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0067.732] GetProcessHeap () returned 0x3a00000 [0067.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.732] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.732] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.732] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.733] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.733] CloseHandle (hObject=0x440) returned 1 [0067.733] GetProcessHeap () returned 0x3a00000 [0067.733] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0067.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\120__connections_cellular_vodafone fo (faroe islands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.733] GetProcessHeap () returned 0x3a00000 [0067.733] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.733] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", cAlternateFileName="121__C~1.PRO")) returned 1 [0067.733] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.733] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.733] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.733] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.733] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.734] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml") returned 158 [0067.734] StrStrIW (lpFirst="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.734] lstrcmpW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.734] lstrcmpW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.734] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.734] GetTickCount () returned 0x115153a [0067.734] GetTickCount () returned 0x115153a [0067.734] GetTickCount () returned 0x115153a [0067.734] GetTickCount () returned 0x115153a [0067.734] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.734] GetProcessHeap () returned 0x3a00000 [0067.734] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.734] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0067.735] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.736] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0067.736] GetProcessHeap () returned 0x3a00000 [0067.736] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.736] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.736] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.736] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.736] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.736] CloseHandle (hObject=0x440) returned 1 [0067.736] GetProcessHeap () returned 0x3a00000 [0067.736] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0067.736] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\121__connections_cellular_kidanet (fiji)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.737] GetProcessHeap () returned 0x3a00000 [0067.737] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.737] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", cAlternateFileName="122__C~1.PRO")) returned 1 [0067.737] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.737] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.737] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.737] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.737] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.737] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml") returned 164 [0067.737] StrStrIW (lpFirst="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.737] lstrcmpW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.737] lstrcmpW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.737] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.737] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.737] GetTickCount () returned 0x115153a [0067.737] GetTickCount () returned 0x115153a [0067.737] GetTickCount () returned 0x115153a [0067.738] GetTickCount () returned 0x115153a [0067.738] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.738] GetProcessHeap () returned 0x3a00000 [0067.738] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.738] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0067.739] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.739] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0067.739] GetProcessHeap () returned 0x3a00000 [0067.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.739] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.740] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.740] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.740] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.740] CloseHandle (hObject=0x440) returned 1 [0067.740] GetProcessHeap () returned 0x3a00000 [0067.740] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0067.740] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\122__connections_cellular_vodafone fiji (fiji)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.741] GetProcessHeap () returned 0x3a00000 [0067.741] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.741] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", cAlternateFileName="123__C~1.PRO")) returned 1 [0067.741] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.741] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.741] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.741] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.741] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.741] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml") returned 164 [0067.741] StrStrIW (lpFirst="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.741] lstrcmpW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.741] lstrcmpW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.741] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.741] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.742] GetTickCount () returned 0x1151549 [0067.742] GetTickCount () returned 0x1151549 [0067.742] GetTickCount () returned 0x1151549 [0067.742] GetTickCount () returned 0x1151549 [0067.742] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.742] GetProcessHeap () returned 0x3a00000 [0067.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.742] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0067.743] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.743] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0067.743] GetProcessHeap () returned 0x3a00000 [0067.744] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.744] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.744] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.744] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.744] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.744] CloseHandle (hObject=0x440) returned 1 [0067.744] GetProcessHeap () returned 0x3a00000 [0067.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0067.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\123__connections_cellular_vodafone fiji (fiji)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.745] GetProcessHeap () returned 0x3a00000 [0067.745] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.745] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x904f6aa1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="124__C~1.PRO")) returned 1 [0067.745] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.745] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.745] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.745] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.745] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.745] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.745] StrStrIW (lpFirst="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.745] lstrcmpW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.745] lstrcmpW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.745] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.745] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.745] GetTickCount () returned 0x1151549 [0067.745] GetTickCount () returned 0x1151549 [0067.745] GetTickCount () returned 0x1151549 [0067.745] GetTickCount () returned 0x1151549 [0067.745] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.746] GetProcessHeap () returned 0x3a00000 [0067.746] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.746] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0067.760] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.760] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0067.760] GetProcessHeap () returned 0x3a00000 [0067.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.760] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.760] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.761] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.761] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.761] CloseHandle (hObject=0x440) returned 1 [0067.761] GetProcessHeap () returned 0x3a00000 [0067.761] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\124__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.761] GetProcessHeap () returned 0x3a00000 [0067.761] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.762] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="125__C~1.PRO")) returned 1 [0067.762] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.762] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.762] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.762] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.762] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.762] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml") returned 176 [0067.762] StrStrIW (lpFirst="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.762] lstrcmpW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.762] lstrcmpW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.762] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.762] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.762] GetTickCount () returned 0x1151559 [0067.762] GetTickCount () returned 0x1151559 [0067.762] GetTickCount () returned 0x1151559 [0067.762] GetTickCount () returned 0x1151559 [0067.762] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.762] GetProcessHeap () returned 0x3a00000 [0067.762] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.762] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0067.764] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.764] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0067.764] GetProcessHeap () returned 0x3a00000 [0067.764] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.764] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.764] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.764] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.764] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.764] CloseHandle (hObject=0x440) returned 1 [0067.764] GetProcessHeap () returned 0x3a00000 [0067.764] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.764] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0067.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\125__connections_cellular_alands mobiltelefon ab (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.765] GetProcessHeap () returned 0x3a00000 [0067.765] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.765] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="126__C~1.PRO")) returned 1 [0067.765] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.765] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.765] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.765] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.765] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.765] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml") returned 176 [0067.765] StrStrIW (lpFirst="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.765] lstrcmpW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.765] lstrcmpW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.766] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.766] GetTickCount () returned 0x1151559 [0067.766] GetTickCount () returned 0x1151559 [0067.766] GetTickCount () returned 0x1151559 [0067.766] GetTickCount () returned 0x1151559 [0067.766] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.766] GetProcessHeap () returned 0x3a00000 [0067.766] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.766] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x29c, lpOverlapped=0x0) returned 1 [0067.767] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd64, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.767] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x29c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x29c, lpOverlapped=0x0) returned 1 [0067.768] GetProcessHeap () returned 0x3a00000 [0067.768] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.768] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.768] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.768] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.768] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.768] CloseHandle (hObject=0x440) returned 1 [0067.768] GetProcessHeap () returned 0x3a00000 [0067.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.768] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0067.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\126__connections_cellular_alands mobiltelefon ab (finland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.769] GetProcessHeap () returned 0x3a00000 [0067.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.769] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="127__C~1.PRO")) returned 1 [0067.769] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.769] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.769] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.769] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.769] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.769] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml") returned 157 [0067.769] StrStrIW (lpFirst="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.769] lstrcmpW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.769] lstrcmpW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.769] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.769] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.769] GetTickCount () returned 0x1151559 [0067.769] GetTickCount () returned 0x1151559 [0067.769] GetTickCount () returned 0x1151559 [0067.769] GetTickCount () returned 0x1151559 [0067.769] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.770] GetProcessHeap () returned 0x3a00000 [0067.770] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.770] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0067.771] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.771] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0067.771] GetProcessHeap () returned 0x3a00000 [0067.771] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.771] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.771] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.771] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.771] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.772] CloseHandle (hObject=0x440) returned 1 [0067.772] GetProcessHeap () returned 0x3a00000 [0067.772] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.772] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0067.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\127__connections_cellular_dna (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.772] GetProcessHeap () returned 0x3a00000 [0067.772] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.772] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="128__C~1.PRO")) returned 1 [0067.772] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.772] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.772] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.772] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.773] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.773] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.773] StrStrIW (lpFirst="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.773] lstrcmpW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.773] lstrcmpW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.773] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.773] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.773] GetTickCount () returned 0x1151569 [0067.773] GetTickCount () returned 0x1151569 [0067.773] GetTickCount () returned 0x1151569 [0067.773] GetTickCount () returned 0x1151569 [0067.773] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.773] GetProcessHeap () returned 0x3a00000 [0067.773] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.773] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x1c4, lpOverlapped=0x0) returned 1 [0067.774] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.774] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x1c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x1c4, lpOverlapped=0x0) returned 1 [0067.774] GetProcessHeap () returned 0x3a00000 [0067.774] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.774] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.774] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.775] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.775] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.775] CloseHandle (hObject=0x440) returned 1 [0067.775] GetProcessHeap () returned 0x3a00000 [0067.775] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.775] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.775] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\128__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.776] GetProcessHeap () returned 0x3a00000 [0067.776] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.776] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="129__C~1.PRO")) returned 1 [0067.776] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.776] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.776] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.776] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.776] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.776] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml") returned 159 [0067.776] StrStrIW (lpFirst="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.776] lstrcmpW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.776] lstrcmpW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.776] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.776] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.777] GetTickCount () returned 0x1151569 [0067.777] GetTickCount () returned 0x1151569 [0067.777] GetTickCount () returned 0x1151569 [0067.777] GetTickCount () returned 0x1151569 [0067.777] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.777] GetProcessHeap () returned 0x3a00000 [0067.777] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.777] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0067.778] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.778] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0067.778] GetProcessHeap () returned 0x3a00000 [0067.778] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.778] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.779] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.779] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.779] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.779] CloseHandle (hObject=0x440) returned 1 [0067.779] GetProcessHeap () returned 0x3a00000 [0067.779] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.779] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.779] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\129__connections_cellular_elisa (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.780] GetProcessHeap () returned 0x3a00000 [0067.780] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.780] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", cAlternateFileName="12__CO~1.PRO")) returned 1 [0067.780] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.780] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.780] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.780] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.780] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.780] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml") returned 160 [0067.780] StrStrIW (lpFirst="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.780] lstrcmpW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.780] lstrcmpW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.780] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.780] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.780] GetTickCount () returned 0x1151569 [0067.780] GetTickCount () returned 0x1151569 [0067.780] GetTickCount () returned 0x1151569 [0067.780] GetTickCount () returned 0x1151569 [0067.780] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.780] GetProcessHeap () returned 0x3a00000 [0067.780] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.780] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0067.782] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.782] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0067.782] GetProcessHeap () returned 0x3a00000 [0067.782] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.782] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.782] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.782] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.782] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.782] CloseHandle (hObject=0x440) returned 1 [0067.782] GetProcessHeap () returned 0x3a00000 [0067.782] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.783] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0067.783] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\12__connections_cellular_optus (australia)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.783] GetProcessHeap () returned 0x3a00000 [0067.783] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.783] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9051cd0d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="130__C~1.PRO")) returned 1 [0067.786] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.786] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.786] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.786] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.786] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.786] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.786] StrStrIW (lpFirst="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.786] lstrcmpW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.786] lstrcmpW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.786] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.786] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.786] GetTickCount () returned 0x1151578 [0067.786] GetTickCount () returned 0x1151578 [0067.786] GetTickCount () returned 0x1151578 [0067.786] GetTickCount () returned 0x1151578 [0067.786] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.787] GetProcessHeap () returned 0x3a00000 [0067.787] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.787] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0067.788] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.788] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0067.788] GetProcessHeap () returned 0x3a00000 [0067.788] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.788] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.788] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.788] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.789] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.789] CloseHandle (hObject=0x440) returned 1 [0067.789] GetProcessHeap () returned 0x3a00000 [0067.789] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.789] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.789] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\130__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.789] GetProcessHeap () returned 0x3a00000 [0067.789] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.789] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="131__C~1.PRO")) returned 1 [0067.789] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.790] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.790] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.790] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.790] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.790] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml") returned 175 [0067.790] StrStrIW (lpFirst="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.790] lstrcmpW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.790] lstrcmpW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.790] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.790] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.790] GetTickCount () returned 0x1151578 [0067.790] GetTickCount () returned 0x1151578 [0067.790] GetTickCount () returned 0x1151578 [0067.790] GetTickCount () returned 0x1151578 [0067.790] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.790] GetProcessHeap () returned 0x3a00000 [0067.790] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.790] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x29d, lpOverlapped=0x0) returned 1 [0067.792] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd63, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.792] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x29d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x29d, lpOverlapped=0x0) returned 1 [0067.792] GetProcessHeap () returned 0x3a00000 [0067.792] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.792] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.792] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.792] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.793] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.793] CloseHandle (hObject=0x440) returned 1 [0067.793] GetProcessHeap () returned 0x3a00000 [0067.793] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0067.793] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\131__connections_cellular_go communication ltd. (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.793] GetProcessHeap () returned 0x3a00000 [0067.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.793] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x299, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="132__C~1.PRO")) returned 1 [0067.793] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.793] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.793] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.794] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.794] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.794] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml") returned 175 [0067.794] StrStrIW (lpFirst="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.794] lstrcmpW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.794] lstrcmpW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.794] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.794] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.794] GetTickCount () returned 0x1151578 [0067.794] GetTickCount () returned 0x1151578 [0067.794] GetTickCount () returned 0x1151578 [0067.794] GetTickCount () returned 0x1151578 [0067.794] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.794] GetProcessHeap () returned 0x3a00000 [0067.794] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.794] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x299, lpOverlapped=0x0) returned 1 [0067.851] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.851] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x299, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x299, lpOverlapped=0x0) returned 1 [0067.851] GetProcessHeap () returned 0x3a00000 [0067.851] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.851] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.851] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.851] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.851] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.852] CloseHandle (hObject=0x440) returned 1 [0067.852] GetProcessHeap () returned 0x3a00000 [0067.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.852] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0067.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\132__connections_cellular_go communication ltd. (finland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.852] GetProcessHeap () returned 0x3a00000 [0067.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.853] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="133__C~1.PRO")) returned 1 [0067.853] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.853] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.853] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.853] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.853] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.853] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml") returned 170 [0067.853] StrStrIW (lpFirst="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.853] lstrcmpW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.853] lstrcmpW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.853] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.853] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.853] GetTickCount () returned 0x11515b7 [0067.853] GetTickCount () returned 0x11515b7 [0067.853] GetTickCount () returned 0x11515b7 [0067.853] GetTickCount () returned 0x11515b7 [0067.853] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.854] GetProcessHeap () returned 0x3a00000 [0067.854] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.854] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0067.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0067.855] GetProcessHeap () returned 0x3a00000 [0067.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.855] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.855] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.855] CloseHandle (hObject=0x440) returned 1 [0067.856] GetProcessHeap () returned 0x3a00000 [0067.856] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.856] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0067.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\133__connections_cellular_tdc song finland (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.856] GetProcessHeap () returned 0x3a00000 [0067.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.857] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90542f74, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="134__C~1.PRO")) returned 1 [0067.857] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.857] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.857] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.857] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.857] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.857] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml") returned 160 [0067.857] StrStrIW (lpFirst="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.857] lstrcmpW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.857] lstrcmpW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.857] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.858] GetTickCount () returned 0x11515b7 [0067.858] GetTickCount () returned 0x11515b7 [0067.858] GetTickCount () returned 0x11515b7 [0067.858] GetTickCount () returned 0x11515b7 [0067.858] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.858] GetProcessHeap () returned 0x3a00000 [0067.858] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.858] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0067.859] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.859] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0067.859] GetProcessHeap () returned 0x3a00000 [0067.859] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.859] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.859] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.860] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.860] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.860] CloseHandle (hObject=0x440) returned 1 [0067.860] GetProcessHeap () returned 0x3a00000 [0067.860] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.860] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0067.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\134__connections_cellular_sonera (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.860] GetProcessHeap () returned 0x3a00000 [0067.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.860] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="135__C~1.PRO")) returned 1 [0067.860] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.861] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.861] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.861] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.861] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.861] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml") returned 161 [0067.861] StrStrIW (lpFirst="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.861] lstrcmpW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.861] lstrcmpW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.861] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.861] GetTickCount () returned 0x11515b7 [0067.861] GetTickCount () returned 0x11515b7 [0067.861] GetTickCount () returned 0x11515b7 [0067.861] GetTickCount () returned 0x11515b7 [0067.861] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.861] GetProcessHeap () returned 0x3a00000 [0067.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0067.863] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.863] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0067.863] GetProcessHeap () returned 0x3a00000 [0067.863] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.863] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.863] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.863] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.863] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.863] CloseHandle (hObject=0x440) returned 1 [0067.864] GetProcessHeap () returned 0x3a00000 [0067.864] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.864] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0067.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\135__connections_cellular_bouygues (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.864] GetProcessHeap () returned 0x3a00000 [0067.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.864] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="136__C~1.PRO")) returned 1 [0067.864] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.864] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.864] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.864] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.864] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.864] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml") returned 161 [0067.864] StrStrIW (lpFirst="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.864] lstrcmpW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.865] lstrcmpW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.865] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.865] GetTickCount () returned 0x11515c6 [0067.865] GetTickCount () returned 0x11515c6 [0067.865] GetTickCount () returned 0x11515c6 [0067.865] GetTickCount () returned 0x11515c6 [0067.865] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.865] GetProcessHeap () returned 0x3a00000 [0067.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a722a0 [0067.865] ReadFile (in: hFile=0x440, lpBuffer=0x3a722a0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0067.866] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.866] WriteFile (in: hFile=0x440, lpBuffer=0x3a722a0*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a722a0*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0067.866] GetProcessHeap () returned 0x3a00000 [0067.867] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a722a0 | out: hHeap=0x3a00000) returned 1 [0067.867] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.867] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.867] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.867] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.867] CloseHandle (hObject=0x440) returned 1 [0067.867] GetProcessHeap () returned 0x3a00000 [0067.867] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.867] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0067.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\136__connections_cellular_bouygues (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.868] GetProcessHeap () returned 0x3a00000 [0067.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.868] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="137__C~1.PRO")) returned 1 [0067.868] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0067.868] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0067.868] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0067.868] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0067.868] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0067.868] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0067.868] StrStrIW (lpFirst="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0067.868] lstrcmpW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.868] lstrcmpW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0067.868] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.868] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.868] GetTickCount () returned 0x11515c6 [0067.868] GetTickCount () returned 0x11515c6 [0067.868] GetTickCount () returned 0x11515c6 [0067.868] GetTickCount () returned 0x11515c6 [0067.868] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.869] GetProcessHeap () returned 0x3a00000 [0067.869] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.869] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d7, lpOverlapped=0x0) returned 1 [0067.869] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.870] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d7, lpOverlapped=0x0) returned 1 [0067.870] GetProcessHeap () returned 0x3a00000 [0067.870] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.870] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.870] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.870] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.871] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.871] CloseHandle (hObject=0x440) returned 1 [0067.871] GetProcessHeap () returned 0x3a00000 [0067.871] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.871] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0067.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\137__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.871] GetProcessHeap () returned 0x3a00000 [0067.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.871] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905691e4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="138__C~1.PRO")) returned 1 [0067.871] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.871] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.871] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.871] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.872] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.872] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml") returned 164 [0067.872] StrStrIW (lpFirst="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.872] lstrcmpW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.872] lstrcmpW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.872] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.872] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.872] GetTickCount () returned 0x11515c6 [0067.872] GetTickCount () returned 0x11515c6 [0067.872] GetTickCount () returned 0x11515c6 [0067.872] GetTickCount () returned 0x11515c6 [0067.872] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.872] GetProcessHeap () returned 0x3a00000 [0067.872] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.872] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0067.873] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.873] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0067.874] GetProcessHeap () returned 0x3a00000 [0067.874] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.874] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.874] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.874] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.874] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.874] CloseHandle (hObject=0x440) returned 1 [0067.874] GetProcessHeap () returned 0x3a00000 [0067.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.874] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0067.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\138__connections_cellular_free mobile (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.875] GetProcessHeap () returned 0x3a00000 [0067.875] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.875] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="139__C~1.PRO")) returned 1 [0067.875] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.875] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.875] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.875] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.875] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.875] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml") returned 159 [0067.875] StrStrIW (lpFirst="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.875] lstrcmpW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.875] lstrcmpW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.875] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.875] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.875] GetTickCount () returned 0x11515c6 [0067.875] GetTickCount () returned 0x11515c6 [0067.875] GetTickCount () returned 0x11515c6 [0067.875] GetTickCount () returned 0x11515c6 [0067.875] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.876] GetProcessHeap () returned 0x3a00000 [0067.876] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.876] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0067.877] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.877] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0067.877] GetProcessHeap () returned 0x3a00000 [0067.877] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.877] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.877] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.878] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.878] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.878] CloseHandle (hObject=0x440) returned 1 [0067.878] GetProcessHeap () returned 0x3a00000 [0067.878] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.878] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.878] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\139__connections_cellular_orange (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.878] GetProcessHeap () returned 0x3a00000 [0067.878] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.878] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", cAlternateFileName="13__CO~1.PRO")) returned 1 [0067.878] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.879] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.879] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.879] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.879] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.879] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml") returned 160 [0067.879] StrStrIW (lpFirst="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.879] lstrcmpW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.879] lstrcmpW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.879] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.879] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.881] GetTickCount () returned 0x11515d6 [0067.881] GetTickCount () returned 0x11515d6 [0067.881] GetTickCount () returned 0x11515d6 [0067.881] GetTickCount () returned 0x11515d6 [0067.881] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.881] GetProcessHeap () returned 0x3a00000 [0067.881] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.881] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0067.882] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.882] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0067.882] GetProcessHeap () returned 0x3a00000 [0067.882] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.882] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.883] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.883] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.883] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.883] CloseHandle (hObject=0x440) returned 1 [0067.883] GetProcessHeap () returned 0x3a00000 [0067.883] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.883] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0067.883] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\13__connections_cellular_optus (australia)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.884] GetProcessHeap () returned 0x3a00000 [0067.884] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.884] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="140__C~1.PRO")) returned 1 [0067.884] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.884] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.884] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.884] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.884] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.884] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml") returned 159 [0067.884] StrStrIW (lpFirst="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.884] lstrcmpW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.884] lstrcmpW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.884] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.884] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.884] GetTickCount () returned 0x11515d6 [0067.884] GetTickCount () returned 0x11515d6 [0067.884] GetTickCount () returned 0x11515d6 [0067.884] GetTickCount () returned 0x11515d6 [0067.884] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.885] GetProcessHeap () returned 0x3a00000 [0067.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.885] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0067.943] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.943] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0067.943] GetProcessHeap () returned 0x3a00000 [0067.943] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.943] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.943] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.944] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.944] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.944] CloseHandle (hObject=0x440) returned 1 [0067.944] GetProcessHeap () returned 0x3a00000 [0067.944] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.944] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.944] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\140__connections_cellular_orange (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.945] GetProcessHeap () returned 0x3a00000 [0067.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.945] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="141__C~1.PRO")) returned 1 [0067.945] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.945] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.945] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.945] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.945] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.945] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml") returned 159 [0067.945] StrStrIW (lpFirst="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.945] lstrcmpW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.945] lstrcmpW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.945] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.945] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.946] GetTickCount () returned 0x1151615 [0067.946] GetTickCount () returned 0x1151615 [0067.946] GetTickCount () returned 0x1151615 [0067.946] GetTickCount () returned 0x1151615 [0067.946] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.946] GetProcessHeap () returned 0x3a00000 [0067.946] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.946] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0067.947] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.947] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0067.948] GetProcessHeap () returned 0x3a00000 [0067.948] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.948] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.948] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.948] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.948] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.948] CloseHandle (hObject=0x440) returned 1 [0067.948] GetProcessHeap () returned 0x3a00000 [0067.948] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.948] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.948] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\141__connections_cellular_orange (france)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.949] GetProcessHeap () returned 0x3a00000 [0067.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.949] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="142__C~1.PRO")) returned 1 [0067.949] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.949] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.949] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.949] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.949] lstrcmpiW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.949] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml") returned 159 [0067.949] StrStrIW (lpFirst="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.949] lstrcmpW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.949] lstrcmpW (lpString1="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.949] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.949] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.949] GetTickCount () returned 0x1151615 [0067.949] GetTickCount () returned 0x1151615 [0067.949] GetTickCount () returned 0x1151615 [0067.949] GetTickCount () returned 0x1151615 [0067.950] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.950] GetProcessHeap () returned 0x3a00000 [0067.950] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.950] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0067.953] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.953] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0067.953] GetProcessHeap () returned 0x3a00000 [0067.953] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0067.953] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.953] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0067.954] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0067.954] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0067.954] CloseHandle (hObject=0x440) returned 1 [0067.954] GetProcessHeap () returned 0x3a00000 [0067.954] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0067.954] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0067.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\142__connections_cellular_orange (france)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0067.955] GetProcessHeap () returned 0x3a00000 [0067.955] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0067.955] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9058f44f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x346, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", cAlternateFileName="143__C~1.PRO")) returned 1 [0067.955] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0067.955] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0067.955] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0067.955] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0067.955] lstrcmpiW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0067.955] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml") returned 159 [0067.955] StrStrIW (lpFirst="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0067.955] lstrcmpW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0067.955] lstrcmpW (lpString1="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0067.955] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0067.955] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0067.955] GetTickCount () returned 0x1151615 [0067.955] GetTickCount () returned 0x1151615 [0067.955] GetTickCount () returned 0x1151615 [0067.955] GetTickCount () returned 0x1151615 [0067.955] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0067.955] GetProcessHeap () returned 0x3a00000 [0067.955] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0067.956] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x346, lpOverlapped=0x0) returned 1 [0067.957] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0067.957] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x346, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x346, lpOverlapped=0x0) returned 1 [0068.038] GetProcessHeap () returned 0x3a00000 [0068.038] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.038] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.038] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.039] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.039] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.039] CloseHandle (hObject=0x440) returned 1 [0068.039] GetProcessHeap () returned 0x3a00000 [0068.039] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.039] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0068.039] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\143__connections_cellular_orange (france)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.042] GetProcessHeap () returned 0x3a00000 [0068.042] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.042] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", cAlternateFileName="144__C~1.PRO")) returned 1 [0068.042] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.042] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.042] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.042] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.043] lstrcmpiW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.043] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml") returned 159 [0068.043] StrStrIW (lpFirst="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.043] lstrcmpW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.043] lstrcmpW (lpString1="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.043] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.043] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.043] GetTickCount () returned 0x1151672 [0068.043] GetTickCount () returned 0x1151672 [0068.043] GetTickCount () returned 0x1151672 [0068.043] GetTickCount () returned 0x1151672 [0068.043] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.043] GetProcessHeap () returned 0x3a00000 [0068.043] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.043] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0068.045] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.045] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0068.045] GetProcessHeap () returned 0x3a00000 [0068.045] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.045] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.045] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.045] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.045] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.046] CloseHandle (hObject=0x440) returned 1 [0068.046] GetProcessHeap () returned 0x3a00000 [0068.046] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.046] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0068.046] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\144__connections_cellular_orange (france)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.046] GetProcessHeap () returned 0x3a00000 [0068.046] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.046] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", cAlternateFileName="145__C~1.PRO")) returned 1 [0068.046] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.046] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.046] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.046] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.047] lstrcmpiW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.047] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml") returned 159 [0068.047] StrStrIW (lpFirst="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.047] lstrcmpW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.047] lstrcmpW (lpString1="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.047] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.047] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.047] GetTickCount () returned 0x1151672 [0068.047] GetTickCount () returned 0x1151672 [0068.047] GetTickCount () returned 0x1151672 [0068.047] GetTickCount () returned 0x1151672 [0068.047] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.047] GetProcessHeap () returned 0x3a00000 [0068.047] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.047] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0068.049] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.049] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0068.049] GetProcessHeap () returned 0x3a00000 [0068.049] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.049] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.049] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.049] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.049] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.049] CloseHandle (hObject=0x440) returned 1 [0068.050] GetProcessHeap () returned 0x3a00000 [0068.050] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.050] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0068.050] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\145__connections_cellular_orange (france)_i6$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.050] GetProcessHeap () returned 0x3a00000 [0068.050] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.050] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="146__C~1.PRO")) returned 1 [0068.052] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.052] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.052] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.052] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.052] lstrcmpiW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.052] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml") returned 156 [0068.052] StrStrIW (lpFirst="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.052] lstrcmpW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.052] lstrcmpW (lpString1="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.052] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.052] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.053] GetTickCount () returned 0x1151682 [0068.053] GetTickCount () returned 0x1151682 [0068.053] GetTickCount () returned 0x1151682 [0068.053] GetTickCount () returned 0x1151682 [0068.053] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.053] GetProcessHeap () returned 0x3a00000 [0068.053] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.053] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0068.054] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.054] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0068.054] GetProcessHeap () returned 0x3a00000 [0068.054] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.054] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.054] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.055] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.055] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.055] CloseHandle (hObject=0x440) returned 1 [0068.055] GetProcessHeap () returned 0x3a00000 [0068.055] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.055] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0068.055] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\146__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.055] GetProcessHeap () returned 0x3a00000 [0068.055] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.056] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905b56bb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="147__C~1.PRO")) returned 1 [0068.056] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.056] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.056] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.056] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.056] lstrcmpiW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.056] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml") returned 156 [0068.056] StrStrIW (lpFirst="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.056] lstrcmpW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.056] lstrcmpW (lpString1="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.056] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.056] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.056] GetTickCount () returned 0x1151682 [0068.056] GetTickCount () returned 0x1151682 [0068.056] GetTickCount () returned 0x1151682 [0068.056] GetTickCount () returned 0x1151682 [0068.056] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.056] GetProcessHeap () returned 0x3a00000 [0068.056] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.056] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0068.060] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.060] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0068.060] GetProcessHeap () returned 0x3a00000 [0068.060] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.060] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.060] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.060] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.061] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.061] CloseHandle (hObject=0x440) returned 1 [0068.061] GetProcessHeap () returned 0x3a00000 [0068.061] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.061] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0068.061] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\147__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.061] GetProcessHeap () returned 0x3a00000 [0068.061] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.061] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="148__C~1.PRO")) returned 1 [0068.061] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.061] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.062] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.062] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.062] lstrcmpiW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.062] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml") returned 156 [0068.062] StrStrIW (lpFirst="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.062] lstrcmpW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.062] lstrcmpW (lpString1="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.062] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.062] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.062] GetTickCount () returned 0x1151682 [0068.062] GetTickCount () returned 0x1151682 [0068.062] GetTickCount () returned 0x1151682 [0068.062] GetTickCount () returned 0x1151682 [0068.062] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.062] GetProcessHeap () returned 0x3a00000 [0068.062] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.062] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0068.117] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.117] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0068.118] GetProcessHeap () returned 0x3a00000 [0068.118] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.118] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.118] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.118] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.118] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.118] CloseHandle (hObject=0x440) returned 1 [0068.118] GetProcessHeap () returned 0x3a00000 [0068.118] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.118] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0068.118] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\148__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.119] GetProcessHeap () returned 0x3a00000 [0068.119] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.119] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="149__C~1.PRO")) returned 1 [0068.119] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.119] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.119] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.119] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.119] lstrcmpiW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.119] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml") returned 156 [0068.119] StrStrIW (lpFirst="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.119] lstrcmpW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.119] lstrcmpW (lpString1="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.119] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.120] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.120] GetTickCount () returned 0x11516c0 [0068.120] GetTickCount () returned 0x11516c0 [0068.120] GetTickCount () returned 0x11516c0 [0068.120] GetTickCount () returned 0x11516c0 [0068.120] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.120] GetProcessHeap () returned 0x3a00000 [0068.120] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.120] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0068.122] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.122] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0068.122] GetProcessHeap () returned 0x3a00000 [0068.122] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.122] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.122] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.122] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.122] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.122] CloseHandle (hObject=0x440) returned 1 [0068.122] GetProcessHeap () returned 0x3a00000 [0068.122] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.122] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0068.122] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\149__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.123] GetProcessHeap () returned 0x3a00000 [0068.123] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.123] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", cAlternateFileName="14__CO~1.PRO")) returned 1 [0068.123] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.123] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.123] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.123] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.123] lstrcmpiW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.123] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml") returned 160 [0068.123] StrStrIW (lpFirst="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.123] lstrcmpW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.123] lstrcmpW (lpString1="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.124] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.124] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.124] GetTickCount () returned 0x11516c0 [0068.124] GetTickCount () returned 0x11516c0 [0068.124] GetTickCount () returned 0x11516c0 [0068.124] GetTickCount () returned 0x11516c0 [0068.124] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.124] GetProcessHeap () returned 0x3a00000 [0068.124] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.124] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0068.136] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.136] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0068.136] GetProcessHeap () returned 0x3a00000 [0068.136] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.136] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.136] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.136] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.136] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.136] CloseHandle (hObject=0x440) returned 1 [0068.137] GetProcessHeap () returned 0x3a00000 [0068.137] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.137] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0068.137] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\14__connections_cellular_optus (australia)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.138] GetProcessHeap () returned 0x3a00000 [0068.138] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.138] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="150__C~1.PRO")) returned 1 [0068.138] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.138] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.138] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.138] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.138] lstrcmpiW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.138] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml") returned 160 [0068.138] StrStrIW (lpFirst="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.138] lstrcmpW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.138] lstrcmpW (lpString1="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.138] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.138] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.138] GetTickCount () returned 0x11516d0 [0068.138] GetTickCount () returned 0x11516d0 [0068.138] GetTickCount () returned 0x11516d0 [0068.138] GetTickCount () returned 0x11516d0 [0068.139] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.139] GetProcessHeap () returned 0x3a00000 [0068.139] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.139] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0068.140] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.140] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0068.140] GetProcessHeap () returned 0x3a00000 [0068.140] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.140] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.140] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.140] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.141] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.141] CloseHandle (hObject=0x440) returned 1 [0068.141] GetProcessHeap () returned 0x3a00000 [0068.141] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.141] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0068.141] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\150__connections_cellular_e-plus (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.141] GetProcessHeap () returned 0x3a00000 [0068.142] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.142] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x905db923, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="151__C~1.PRO")) returned 1 [0068.142] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.142] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.142] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.142] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.142] lstrcmpiW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.142] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml") returned 170 [0068.142] StrStrIW (lpFirst="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.142] lstrcmpW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.142] lstrcmpW (lpString1="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.142] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.142] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.142] GetTickCount () returned 0x11516d0 [0068.142] GetTickCount () returned 0x11516d0 [0068.142] GetTickCount () returned 0x11516d0 [0068.142] GetTickCount () returned 0x11516d0 [0068.142] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.142] GetProcessHeap () returned 0x3a00000 [0068.142] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.142] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35f, lpOverlapped=0x0) returned 1 [0068.144] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.144] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35f, lpOverlapped=0x0) returned 1 [0068.144] GetProcessHeap () returned 0x3a00000 [0068.144] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.144] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.144] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.144] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.144] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.145] CloseHandle (hObject=0x440) returned 1 [0068.145] GetProcessHeap () returned 0x3a00000 [0068.145] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.145] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0068.145] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\151__connections_cellular_deutsche telekom (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.145] GetProcessHeap () returned 0x3a00000 [0068.145] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.145] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="152__C~1.PRO")) returned 1 [0068.145] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.146] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.146] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.146] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.146] lstrcmpiW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.146] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml") returned 165 [0068.146] StrStrIW (lpFirst="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.146] lstrcmpW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.146] lstrcmpW (lpString1="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.146] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.146] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.148] GetTickCount () returned 0x11516e0 [0068.148] GetTickCount () returned 0x11516e0 [0068.148] GetTickCount () returned 0x11516e0 [0068.148] GetTickCount () returned 0x11516e0 [0068.148] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.148] GetProcessHeap () returned 0x3a00000 [0068.149] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.149] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0068.150] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.150] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0068.150] GetProcessHeap () returned 0x3a00000 [0068.150] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.150] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.150] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.150] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.151] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.151] CloseHandle (hObject=0x440) returned 1 [0068.151] GetProcessHeap () returned 0x3a00000 [0068.151] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.151] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0068.151] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\152__connections_cellular_vodafone.de (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.151] GetProcessHeap () returned 0x3a00000 [0068.151] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.151] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", cAlternateFileName="153__C~1.PRO")) returned 1 [0068.151] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.151] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.151] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.151] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.152] lstrcmpiW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.152] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml") returned 165 [0068.152] StrStrIW (lpFirst="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.152] lstrcmpW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.152] lstrcmpW (lpString1="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.152] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.152] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.152] GetTickCount () returned 0x11516e0 [0068.152] GetTickCount () returned 0x11516e0 [0068.152] GetTickCount () returned 0x11516e0 [0068.152] GetTickCount () returned 0x11516e0 [0068.152] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.152] GetProcessHeap () returned 0x3a00000 [0068.152] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.152] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0068.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0068.241] GetProcessHeap () returned 0x3a00000 [0068.241] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.242] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.242] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.242] CloseHandle (hObject=0x440) returned 1 [0068.242] GetProcessHeap () returned 0x3a00000 [0068.242] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.242] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0068.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\153__connections_cellular_vodafone.de (germany)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.243] GetProcessHeap () returned 0x3a00000 [0068.243] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.243] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="154__C~1.PRO")) returned 1 [0068.243] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0068.243] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0068.243] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0068.243] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0068.243] lstrcmpiW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0068.243] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0068.243] StrStrIW (lpFirst="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0068.243] lstrcmpW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.243] lstrcmpW (lpString1="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0068.243] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.243] GetTickCount () returned 0x115173d [0068.243] GetTickCount () returned 0x115173d [0068.243] GetTickCount () returned 0x115173d [0068.243] GetTickCount () returned 0x115173d [0068.243] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.244] GetProcessHeap () returned 0x3a00000 [0068.244] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.244] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.245] GetProcessHeap () returned 0x3a00000 [0068.245] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.273] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.273] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.274] CloseHandle (hObject=0x440) returned 1 [0068.274] GetProcessHeap () returned 0x3a00000 [0068.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.274] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0068.274] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\154__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.275] GetProcessHeap () returned 0x3a00000 [0068.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.275] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="155__C~1.PRO")) returned 1 [0068.275] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.275] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.275] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.275] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.275] lstrcmpiW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.275] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml") returned 166 [0068.275] StrStrIW (lpFirst="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.275] lstrcmpW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.275] lstrcmpW (lpString1="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.275] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.275] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.275] GetTickCount () returned 0x115175d [0068.275] GetTickCount () returned 0x115175d [0068.275] GetTickCount () returned 0x115175d [0068.275] GetTickCount () returned 0x115175d [0068.276] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.276] GetProcessHeap () returned 0x3a00000 [0068.276] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.276] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0068.278] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.279] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0068.279] GetProcessHeap () returned 0x3a00000 [0068.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.279] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.279] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.279] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.279] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.279] CloseHandle (hObject=0x440) returned 1 [0068.279] GetProcessHeap () returned 0x3a00000 [0068.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.279] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0068.279] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\155__connections_cellular_vodafone ghana (ghana)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.280] GetProcessHeap () returned 0x3a00000 [0068.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.280] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="156__C~1.PRO")) returned 1 [0068.280] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0068.280] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0068.280] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0068.280] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0068.280] lstrcmpiW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0068.280] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0068.280] StrStrIW (lpFirst="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0068.280] lstrcmpW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.280] lstrcmpW (lpString1="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0068.280] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.280] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.281] GetTickCount () returned 0x115175d [0068.281] GetTickCount () returned 0x115175d [0068.281] GetTickCount () returned 0x115175d [0068.281] GetTickCount () returned 0x115175d [0068.281] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.281] GetProcessHeap () returned 0x3a00000 [0068.281] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.281] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.282] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.282] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.282] GetProcessHeap () returned 0x3a00000 [0068.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.282] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.282] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.283] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.283] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.283] CloseHandle (hObject=0x440) returned 1 [0068.283] GetProcessHeap () returned 0x3a00000 [0068.283] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.283] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0068.283] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\156__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.284] GetProcessHeap () returned 0x3a00000 [0068.284] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.284] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90601b92, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="157__C~1.PRO")) returned 1 [0068.284] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.284] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.284] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.284] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.284] lstrcmpiW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.284] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml") returned 167 [0068.284] StrStrIW (lpFirst="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.284] lstrcmpW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.284] lstrcmpW (lpString1="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.284] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.284] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.285] GetTickCount () returned 0x115175d [0068.285] GetTickCount () returned 0x115175d [0068.285] GetTickCount () returned 0x115175d [0068.285] GetTickCount () returned 0x115175d [0068.285] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.285] GetProcessHeap () returned 0x3a00000 [0068.285] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.285] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0068.286] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.286] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0068.286] GetProcessHeap () returned 0x3a00000 [0068.286] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.287] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.287] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.287] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.287] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.287] CloseHandle (hObject=0x440) returned 1 [0068.287] GetProcessHeap () returned 0x3a00000 [0068.287] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.287] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0068.287] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\157__connections_cellular_cosmote greece (greece)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.288] GetProcessHeap () returned 0x3a00000 [0068.288] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.288] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="158__C~1.PRO")) returned 1 [0068.288] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.288] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.288] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.288] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.288] lstrcmpiW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.288] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml") returned 162 [0068.288] StrStrIW (lpFirst="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.288] lstrcmpW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.288] lstrcmpW (lpString1="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.288] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.288] GetTickCount () returned 0x115176c [0068.288] GetTickCount () returned 0x115176c [0068.288] GetTickCount () returned 0x115176c [0068.288] GetTickCount () returned 0x115176c [0068.289] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.289] GetProcessHeap () returned 0x3a00000 [0068.289] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.289] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0068.290] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.290] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0068.290] GetProcessHeap () returned 0x3a00000 [0068.290] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.290] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.290] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.290] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.290] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.291] CloseHandle (hObject=0x440) returned 1 [0068.291] GetProcessHeap () returned 0x3a00000 [0068.291] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.291] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0068.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\158__connections_cellular_q-telecom (greece)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.291] GetProcessHeap () returned 0x3a00000 [0068.291] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.291] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="159__C~1.PRO")) returned 1 [0068.291] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.291] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.291] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.291] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.292] lstrcmpiW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.292] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml") returned 168 [0068.292] StrStrIW (lpFirst="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.292] lstrcmpW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.292] lstrcmpW (lpString1="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.292] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.292] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.292] GetTickCount () returned 0x115176c [0068.292] GetTickCount () returned 0x115176c [0068.292] GetTickCount () returned 0x115176c [0068.292] GetTickCount () returned 0x115176c [0068.292] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.292] GetProcessHeap () returned 0x3a00000 [0068.292] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.292] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0068.294] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.294] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0068.294] GetProcessHeap () returned 0x3a00000 [0068.294] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.294] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.294] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.294] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.294] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.294] CloseHandle (hObject=0x440) returned 1 [0068.295] GetProcessHeap () returned 0x3a00000 [0068.295] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.295] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0068.295] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\159__connections_cellular_telestet (stet) (greece)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.295] GetProcessHeap () returned 0x3a00000 [0068.295] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.295] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", cAlternateFileName="15__CO~1.PRO")) returned 1 [0068.295] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.295] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.295] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.295] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.295] lstrcmpiW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.296] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml") returned 160 [0068.296] StrStrIW (lpFirst="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.296] lstrcmpW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.296] lstrcmpW (lpString1="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.296] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.296] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.296] GetTickCount () returned 0x115176c [0068.296] GetTickCount () returned 0x115176c [0068.296] GetTickCount () returned 0x115176c [0068.297] GetTickCount () returned 0x115176c [0068.297] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.297] GetProcessHeap () returned 0x3a00000 [0068.297] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.297] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0068.298] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.298] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0068.298] GetProcessHeap () returned 0x3a00000 [0068.298] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.298] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.298] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.298] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.298] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.299] CloseHandle (hObject=0x440) returned 1 [0068.299] GetProcessHeap () returned 0x3a00000 [0068.299] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.299] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0068.299] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\15__connections_cellular_optus (australia)_i6$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.299] GetProcessHeap () returned 0x3a00000 [0068.299] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.299] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", cAlternateFileName="160__C~1.PRO")) returned 1 [0068.299] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.299] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.299] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.299] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.299] lstrcmpiW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.299] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml") returned 168 [0068.300] StrStrIW (lpFirst="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.300] lstrcmpW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.300] lstrcmpW (lpString1="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.300] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.300] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.300] GetTickCount () returned 0x115176c [0068.300] GetTickCount () returned 0x115176c [0068.300] GetTickCount () returned 0x115176c [0068.300] GetTickCount () returned 0x115176c [0068.300] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.300] GetProcessHeap () returned 0x3a00000 [0068.300] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.300] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0068.416] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.416] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0068.416] GetProcessHeap () returned 0x3a00000 [0068.416] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.416] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.416] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.416] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.416] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.416] CloseHandle (hObject=0x440) returned 1 [0068.417] GetProcessHeap () returned 0x3a00000 [0068.417] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.417] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0068.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\160__connections_cellular_telestet (stet) (greece)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.417] GetProcessHeap () returned 0x3a00000 [0068.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.417] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90627dfd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", cAlternateFileName="161__C~1.PRO")) returned 1 [0068.420] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.420] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.420] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.420] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.420] lstrcmpiW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.420] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml") returned 168 [0068.420] StrStrIW (lpFirst="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.420] lstrcmpW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.420] lstrcmpW (lpString1="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.420] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.421] GetTickCount () returned 0x11517e9 [0068.421] GetTickCount () returned 0x11517e9 [0068.421] GetTickCount () returned 0x11517e9 [0068.421] GetTickCount () returned 0x11517e9 [0068.421] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.421] GetProcessHeap () returned 0x3a00000 [0068.421] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.421] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0068.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.422] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0068.422] GetProcessHeap () returned 0x3a00000 [0068.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.423] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.423] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.423] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.423] CloseHandle (hObject=0x440) returned 1 [0068.423] GetProcessHeap () returned 0x3a00000 [0068.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.423] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0068.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\161__connections_cellular_vodafone greece (greece)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.424] GetProcessHeap () returned 0x3a00000 [0068.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.424] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2df, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", cAlternateFileName="162__C~1.PRO")) returned 1 [0068.424] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0068.424] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0068.424] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0068.424] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0068.424] lstrcmpiW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0068.424] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml") returned 168 [0068.424] StrStrIW (lpFirst="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0068.424] lstrcmpW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.424] lstrcmpW (lpString1="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0068.424] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.424] GetTickCount () returned 0x11517e9 [0068.424] GetTickCount () returned 0x11517e9 [0068.424] GetTickCount () returned 0x11517e9 [0068.424] GetTickCount () returned 0x11517e9 [0068.424] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.424] GetProcessHeap () returned 0x3a00000 [0068.425] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.425] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2df, lpOverlapped=0x0) returned 1 [0068.446] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.446] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2df, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2df, lpOverlapped=0x0) returned 1 [0068.446] GetProcessHeap () returned 0x3a00000 [0068.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.446] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.446] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0068.446] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0068.446] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0068.446] CloseHandle (hObject=0x440) returned 1 [0068.447] GetProcessHeap () returned 0x3a00000 [0068.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0068.447] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0068.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\162__connections_cellular_vodafone greece (greece)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0068.447] GetProcessHeap () returned 0x3a00000 [0068.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0068.447] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="163__C~1.PRO")) returned 1 [0068.447] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0068.447] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0068.447] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0068.447] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0068.447] lstrcmpiW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0068.447] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0068.448] StrStrIW (lpFirst="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0068.448] lstrcmpW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0068.448] lstrcmpW (lpString1="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0068.448] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0068.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0068.448] GetTickCount () returned 0x1151809 [0068.449] GetTickCount () returned 0x1151809 [0068.449] GetTickCount () returned 0x1151809 [0068.449] GetTickCount () returned 0x1151809 [0068.449] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0068.449] GetProcessHeap () returned 0x3a00000 [0068.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0068.449] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.450] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0068.450] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0068.450] GetProcessHeap () returned 0x3a00000 [0068.450] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0068.450] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.450] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.330] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.330] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.330] CloseHandle (hObject=0x440) returned 1 [0069.330] GetProcessHeap () returned 0x3a00000 [0069.330] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.330] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0069.330] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\163__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.331] GetProcessHeap () returned 0x3a00000 [0069.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.331] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="164__C~1.PRO")) returned 1 [0069.331] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.331] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.331] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.332] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.332] lstrcmpiW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.332] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml") returned 167 [0069.332] StrStrIW (lpFirst="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.332] lstrcmpW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.332] lstrcmpW (lpString1="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.332] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.332] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.332] GetTickCount () returned 0x1151b83 [0069.332] GetTickCount () returned 0x1151b83 [0069.332] GetTickCount () returned 0x1151b83 [0069.332] GetTickCount () returned 0x1151b83 [0069.332] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.332] GetProcessHeap () returned 0x3a00000 [0069.332] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.332] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0069.334] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.334] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0069.334] GetProcessHeap () returned 0x3a00000 [0069.334] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.334] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.334] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.334] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.334] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.334] CloseHandle (hObject=0x440) returned 1 [0069.334] GetProcessHeap () returned 0x3a00000 [0069.334] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.334] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0069.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\164__connections_cellular_orange caraïbe (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.335] GetProcessHeap () returned 0x3a00000 [0069.335] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.335] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="165__C~1.PRO")) returned 1 [0069.335] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.335] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.335] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.335] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.335] lstrcmpiW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.335] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml") returned 161 [0069.335] StrStrIW (lpFirst="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.336] lstrcmpW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.336] lstrcmpW (lpString1="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.336] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.336] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.336] GetTickCount () returned 0x1151b83 [0069.336] GetTickCount () returned 0x1151b83 [0069.336] GetTickCount () returned 0x1151b83 [0069.336] GetTickCount () returned 0x1151b83 [0069.336] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.336] GetProcessHeap () returned 0x3a00000 [0069.336] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.336] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0069.337] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.337] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0069.338] GetProcessHeap () returned 0x3a00000 [0069.338] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.338] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.338] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.338] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.338] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.338] CloseHandle (hObject=0x440) returned 1 [0069.338] GetProcessHeap () returned 0x3a00000 [0069.338] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.338] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.338] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\165__connections_cellular_claro (guatemala)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.339] GetProcessHeap () returned 0x3a00000 [0069.339] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.339] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9064e061, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", cAlternateFileName="166__C~1.PRO")) returned 1 [0069.339] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.339] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.339] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.339] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.339] lstrcmpiW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.339] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml") returned 161 [0069.339] StrStrIW (lpFirst="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.339] lstrcmpW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.339] lstrcmpW (lpString1="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.339] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.339] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.339] GetTickCount () returned 0x1151b83 [0069.339] GetTickCount () returned 0x1151b83 [0069.339] GetTickCount () returned 0x1151b83 [0069.339] GetTickCount () returned 0x1151b83 [0069.339] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.340] GetProcessHeap () returned 0x3a00000 [0069.340] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.340] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0069.341] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.341] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0069.341] GetProcessHeap () returned 0x3a00000 [0069.341] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.341] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.342] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.342] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.342] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.342] CloseHandle (hObject=0x440) returned 1 [0069.342] GetProcessHeap () returned 0x3a00000 [0069.342] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.342] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.342] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\166__connections_cellular_claro (guatemala)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.343] GetProcessHeap () returned 0x3a00000 [0069.343] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.343] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="167__C~1.PRO")) returned 1 [0069.343] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.343] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.343] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.343] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.343] lstrcmpiW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.343] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml") returned 166 [0069.343] StrStrIW (lpFirst="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.343] lstrcmpW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.343] lstrcmpW (lpString1="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.343] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.343] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.343] GetTickCount () returned 0x1151b83 [0069.343] GetTickCount () returned 0x1151b83 [0069.343] GetTickCount () returned 0x1151b83 [0069.343] GetTickCount () returned 0x1151b83 [0069.343] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.344] GetProcessHeap () returned 0x3a00000 [0069.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.344] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0069.345] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.345] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0069.345] GetProcessHeap () returned 0x3a00000 [0069.345] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.345] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.345] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.346] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.346] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.346] CloseHandle (hObject=0x440) returned 1 [0069.346] GetProcessHeap () returned 0x3a00000 [0069.346] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.346] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0069.346] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\167__connections_cellular_telefonica (guatemala)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.346] GetProcessHeap () returned 0x3a00000 [0069.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.347] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", cAlternateFileName="168__C~1.PRO")) returned 1 [0069.347] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.347] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.347] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.347] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.347] lstrcmpiW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.347] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml") returned 160 [0069.347] StrStrIW (lpFirst="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.347] lstrcmpW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.347] lstrcmpW (lpString1="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.347] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.347] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.347] GetTickCount () returned 0x1151b93 [0069.347] GetTickCount () returned 0x1151b93 [0069.347] GetTickCount () returned 0x1151b93 [0069.347] GetTickCount () returned 0x1151b93 [0069.347] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.347] GetProcessHeap () returned 0x3a00000 [0069.347] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.347] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0069.349] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.349] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0069.349] GetProcessHeap () returned 0x3a00000 [0069.349] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.349] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.349] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.349] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.349] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.349] CloseHandle (hObject=0x440) returned 1 [0069.349] GetProcessHeap () returned 0x3a00000 [0069.349] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.349] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.350] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\168__connections_cellular_tigo (guatemala)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.350] GetProcessHeap () returned 0x3a00000 [0069.350] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.350] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", cAlternateFileName="169__C~1.PRO")) returned 1 [0069.350] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.350] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.350] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.350] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.350] lstrcmpiW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.350] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml") returned 160 [0069.350] StrStrIW (lpFirst="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.350] lstrcmpW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.350] lstrcmpW (lpString1="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.350] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.351] GetTickCount () returned 0x1151b93 [0069.351] GetTickCount () returned 0x1151b93 [0069.351] GetTickCount () returned 0x1151b93 [0069.351] GetTickCount () returned 0x1151b93 [0069.351] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.351] GetProcessHeap () returned 0x3a00000 [0069.351] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.351] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0069.352] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.352] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0069.352] GetProcessHeap () returned 0x3a00000 [0069.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.352] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.352] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.352] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.353] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.353] CloseHandle (hObject=0x440) returned 1 [0069.353] GetProcessHeap () returned 0x3a00000 [0069.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.353] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.353] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\169__connections_cellular_tigo (guatemala)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.353] GetProcessHeap () returned 0x3a00000 [0069.353] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.353] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9013ce1d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", cAlternateFileName="16__CO~1.PRO")) returned 1 [0069.353] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.353] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.353] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.354] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.354] lstrcmpiW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.354] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml") returned 160 [0069.354] StrStrIW (lpFirst="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.354] lstrcmpW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.354] lstrcmpW (lpString1="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.354] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.354] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.354] GetTickCount () returned 0x1151b93 [0069.354] GetTickCount () returned 0x1151b93 [0069.354] GetTickCount () returned 0x1151b93 [0069.354] GetTickCount () returned 0x1151b93 [0069.354] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.354] GetProcessHeap () returned 0x3a00000 [0069.354] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.354] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0069.355] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.356] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0069.358] GetProcessHeap () returned 0x3a00000 [0069.358] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.358] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.358] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.358] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.358] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.359] CloseHandle (hObject=0x440) returned 1 [0069.359] GetProcessHeap () returned 0x3a00000 [0069.359] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.359] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\16__connections_cellular_optus (australia)_i7$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.359] GetProcessHeap () returned 0x3a00000 [0069.359] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.359] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906742d4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", cAlternateFileName="170__C~1.PRO")) returned 1 [0069.359] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.360] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.360] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.360] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.360] lstrcmpiW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.360] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml") returned 160 [0069.360] StrStrIW (lpFirst="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.360] lstrcmpW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.360] lstrcmpW (lpString1="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.360] GetTickCount () returned 0x1151b93 [0069.360] GetTickCount () returned 0x1151b93 [0069.361] GetTickCount () returned 0x1151ba2 [0069.361] GetTickCount () returned 0x1151ba2 [0069.361] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.361] GetProcessHeap () returned 0x3a00000 [0069.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.361] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0069.363] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.363] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0069.363] GetProcessHeap () returned 0x3a00000 [0069.363] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.363] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.363] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.363] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.363] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.363] CloseHandle (hObject=0x440) returned 1 [0069.363] GetProcessHeap () returned 0x3a00000 [0069.363] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.363] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\170__connections_cellular_claro (honduras)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.364] GetProcessHeap () returned 0x3a00000 [0069.364] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.364] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", cAlternateFileName="171__C~1.PRO")) returned 1 [0069.364] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.364] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.364] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.364] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.364] lstrcmpiW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.364] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml") returned 160 [0069.364] StrStrIW (lpFirst="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.364] lstrcmpW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.364] lstrcmpW (lpString1="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.364] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.364] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.364] GetTickCount () returned 0x1151ba2 [0069.365] GetTickCount () returned 0x1151ba2 [0069.365] GetTickCount () returned 0x1151ba2 [0069.365] GetTickCount () returned 0x1151ba2 [0069.365] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.365] GetProcessHeap () returned 0x3a00000 [0069.365] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.365] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0069.408] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.409] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0069.409] GetProcessHeap () returned 0x3a00000 [0069.409] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.409] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.409] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.409] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.409] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.409] CloseHandle (hObject=0x440) returned 1 [0069.409] GetProcessHeap () returned 0x3a00000 [0069.409] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.409] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\171__connections_cellular_claro (honduras)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.410] GetProcessHeap () returned 0x3a00000 [0069.410] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.410] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", cAlternateFileName="172__C~1.PRO")) returned 1 [0069.410] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.410] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.410] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.410] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.410] lstrcmpiW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.410] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml") returned 159 [0069.410] StrStrIW (lpFirst="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.411] lstrcmpW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.411] lstrcmpW (lpString1="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.411] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.411] GetTickCount () returned 0x1151bd1 [0069.411] GetTickCount () returned 0x1151bd1 [0069.411] GetTickCount () returned 0x1151bd1 [0069.411] GetTickCount () returned 0x1151bd1 [0069.411] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.411] GetProcessHeap () returned 0x3a00000 [0069.411] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.411] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0069.413] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.413] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0069.413] GetProcessHeap () returned 0x3a00000 [0069.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.413] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.413] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.413] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.414] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.414] CloseHandle (hObject=0x440) returned 1 [0069.414] GetProcessHeap () returned 0x3a00000 [0069.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.414] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0069.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\172__connections_cellular_tigo (honduras)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.414] GetProcessHeap () returned 0x3a00000 [0069.414] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.414] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x289, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", cAlternateFileName="173__C~1.PRO")) returned 1 [0069.414] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.414] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.415] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.415] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.415] lstrcmpiW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.415] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml") returned 159 [0069.415] StrStrIW (lpFirst="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.415] lstrcmpW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.415] lstrcmpW (lpString1="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.415] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.415] GetTickCount () returned 0x1151bd1 [0069.415] GetTickCount () returned 0x1151bd1 [0069.415] GetTickCount () returned 0x1151bd1 [0069.415] GetTickCount () returned 0x1151bd1 [0069.415] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.415] GetProcessHeap () returned 0x3a00000 [0069.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.415] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x289, lpOverlapped=0x0) returned 1 [0069.417] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.417] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x289, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x289, lpOverlapped=0x0) returned 1 [0069.417] GetProcessHeap () returned 0x3a00000 [0069.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.417] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.417] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.417] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.417] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.418] CloseHandle (hObject=0x440) returned 1 [0069.418] GetProcessHeap () returned 0x3a00000 [0069.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.418] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0069.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\173__connections_cellular_tigo (honduras)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.418] GetProcessHeap () returned 0x3a00000 [0069.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.418] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9069a53c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="174__C~1.PRO")) returned 1 [0069.418] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.418] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.418] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.418] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.418] lstrcmpiW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.418] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 163 [0069.418] StrStrIW (lpFirst="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.419] lstrcmpW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.419] lstrcmpW (lpString1="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.419] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.419] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.419] GetTickCount () returned 0x1151bd1 [0069.419] GetTickCount () returned 0x1151bd1 [0069.419] GetTickCount () returned 0x1151bd1 [0069.419] GetTickCount () returned 0x1151bd1 [0069.419] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.419] GetProcessHeap () returned 0x3a00000 [0069.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.419] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0069.420] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.420] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0069.421] GetProcessHeap () returned 0x3a00000 [0069.421] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.421] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.421] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.421] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.421] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.421] CloseHandle (hObject=0x440) returned 1 [0069.421] GetProcessHeap () returned 0x3a00000 [0069.421] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.421] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0069.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\174__connections_cellular_csl (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.422] GetProcessHeap () returned 0x3a00000 [0069.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.422] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="175__C~1.PRO")) returned 1 [0069.422] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.422] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.422] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.422] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.422] lstrcmpiW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.422] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 161 [0069.422] StrStrIW (lpFirst="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.422] lstrcmpW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.422] lstrcmpW (lpString1="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.422] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.422] GetTickCount () returned 0x1151bd1 [0069.423] GetTickCount () returned 0x1151bd1 [0069.423] GetTickCount () returned 0x1151bd1 [0069.423] GetTickCount () returned 0x1151bd1 [0069.423] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.423] GetProcessHeap () returned 0x3a00000 [0069.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.423] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0069.425] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.425] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0069.425] GetProcessHeap () returned 0x3a00000 [0069.425] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.425] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.425] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.425] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.426] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.426] CloseHandle (hObject=0x440) returned 1 [0069.426] GetProcessHeap () returned 0x3a00000 [0069.426] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.426] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\175__connections_cellular_3 (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.426] GetProcessHeap () returned 0x3a00000 [0069.426] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.426] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", cAlternateFileName="176__C~1.PRO")) returned 1 [0069.426] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.427] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.427] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.427] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.427] lstrcmpiW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.427] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml") returned 161 [0069.427] StrStrIW (lpFirst="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.427] lstrcmpW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.427] lstrcmpW (lpString1="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.427] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.427] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.427] GetTickCount () returned 0x1151be1 [0069.427] GetTickCount () returned 0x1151be1 [0069.427] GetTickCount () returned 0x1151be1 [0069.427] GetTickCount () returned 0x1151be1 [0069.427] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.427] GetProcessHeap () returned 0x3a00000 [0069.427] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.427] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0069.429] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.429] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0069.429] GetProcessHeap () returned 0x3a00000 [0069.429] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.429] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.429] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.429] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.429] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.429] CloseHandle (hObject=0x440) returned 1 [0069.429] GetProcessHeap () returned 0x3a00000 [0069.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.429] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.430] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\176__connections_cellular_3 (hong kong sar)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.430] GetProcessHeap () returned 0x3a00000 [0069.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.430] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", cAlternateFileName="177__C~1.PRO")) returned 1 [0069.432] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.432] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.433] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.433] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.433] lstrcmpiW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.433] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml") returned 161 [0069.433] StrStrIW (lpFirst="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.433] lstrcmpW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.433] lstrcmpW (lpString1="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.433] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.433] GetTickCount () returned 0x1151be1 [0069.433] GetTickCount () returned 0x1151be1 [0069.433] GetTickCount () returned 0x1151be1 [0069.433] GetTickCount () returned 0x1151be1 [0069.433] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.433] GetProcessHeap () returned 0x3a00000 [0069.433] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.433] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0069.434] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.435] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0069.435] GetProcessHeap () returned 0x3a00000 [0069.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.435] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.435] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.435] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.435] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.435] CloseHandle (hObject=0x440) returned 1 [0069.435] GetProcessHeap () returned 0x3a00000 [0069.435] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.435] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\177__connections_cellular_3 (hong kong sar)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.436] GetProcessHeap () returned 0x3a00000 [0069.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.436] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", cAlternateFileName="178__C~1.PRO")) returned 1 [0069.436] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.436] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.436] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.436] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.436] lstrcmpiW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.436] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml") returned 161 [0069.436] StrStrIW (lpFirst="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.436] lstrcmpW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.436] lstrcmpW (lpString1="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.436] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.436] GetTickCount () returned 0x1151be1 [0069.436] GetTickCount () returned 0x1151be1 [0069.436] GetTickCount () returned 0x1151be1 [0069.436] GetTickCount () returned 0x1151be1 [0069.437] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.437] GetProcessHeap () returned 0x3a00000 [0069.437] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.437] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0069.438] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.438] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0069.438] GetProcessHeap () returned 0x3a00000 [0069.438] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.438] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.438] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.438] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.438] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.439] CloseHandle (hObject=0x440) returned 1 [0069.439] GetProcessHeap () returned 0x3a00000 [0069.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.439] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\178__connections_cellular_3 (hong kong sar)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.439] GetProcessHeap () returned 0x3a00000 [0069.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.439] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", cAlternateFileName="179__C~1.PRO")) returned 1 [0069.440] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.440] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.440] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.440] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.440] lstrcmpiW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.440] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml") returned 161 [0069.440] StrStrIW (lpFirst="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.440] lstrcmpW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.440] lstrcmpW (lpString1="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.440] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.440] GetTickCount () returned 0x1151bf1 [0069.440] GetTickCount () returned 0x1151bf1 [0069.440] GetTickCount () returned 0x1151bf1 [0069.440] GetTickCount () returned 0x1151bf1 [0069.440] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.440] GetProcessHeap () returned 0x3a00000 [0069.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.440] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0069.442] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.442] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0069.442] GetProcessHeap () returned 0x3a00000 [0069.442] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.442] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.442] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.442] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.442] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.442] CloseHandle (hObject=0x440) returned 1 [0069.442] GetProcessHeap () returned 0x3a00000 [0069.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.442] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\179__connections_cellular_3 (hong kong sar)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.443] GetProcessHeap () returned 0x3a00000 [0069.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.443] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", cAlternateFileName="17__CO~1.PRO")) returned 1 [0069.443] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.443] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.443] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.443] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.443] lstrcmpiW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.443] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml") returned 160 [0069.443] StrStrIW (lpFirst="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.443] lstrcmpW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.443] lstrcmpW (lpString1="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.443] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.444] GetTickCount () returned 0x1151bf1 [0069.444] GetTickCount () returned 0x1151bf1 [0069.444] GetTickCount () returned 0x1151bf1 [0069.444] GetTickCount () returned 0x1151bf1 [0069.444] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.444] GetProcessHeap () returned 0x3a00000 [0069.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.444] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0069.571] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.571] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0069.572] GetProcessHeap () returned 0x3a00000 [0069.572] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.572] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.572] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.572] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.572] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.572] CloseHandle (hObject=0x440) returned 1 [0069.572] GetProcessHeap () returned 0x3a00000 [0069.572] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.572] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0069.572] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\17__connections_cellular_optus (australia)_i8$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.573] GetProcessHeap () returned 0x3a00000 [0069.573] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.573] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906c07a8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", cAlternateFileName="180__C~1.PRO")) returned 1 [0069.573] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.573] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.573] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.573] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.573] lstrcmpiW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.573] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml") returned 161 [0069.573] StrStrIW (lpFirst="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.573] lstrcmpW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.574] lstrcmpW (lpString1="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.574] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.574] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.574] GetTickCount () returned 0x1151c6e [0069.574] GetTickCount () returned 0x1151c6e [0069.574] GetTickCount () returned 0x1151c6e [0069.574] GetTickCount () returned 0x1151c6e [0069.574] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.574] GetProcessHeap () returned 0x3a00000 [0069.574] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.574] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0069.576] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.576] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0069.576] GetProcessHeap () returned 0x3a00000 [0069.576] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.576] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.576] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.576] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.576] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.576] CloseHandle (hObject=0x440) returned 1 [0069.576] GetProcessHeap () returned 0x3a00000 [0069.576] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.576] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.576] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\180__connections_cellular_3 (hong kong sar)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.577] GetProcessHeap () returned 0x3a00000 [0069.577] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.577] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="181__C~1.PRO")) returned 1 [0069.577] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.577] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.577] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.577] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.577] lstrcmpiW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.577] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0069.577] StrStrIW (lpFirst="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.577] lstrcmpW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.577] lstrcmpW (lpString1="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.577] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.578] GetTickCount () returned 0x1151c6e [0069.578] GetTickCount () returned 0x1151c6e [0069.578] GetTickCount () returned 0x1151c6e [0069.578] GetTickCount () returned 0x1151c6e [0069.578] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.578] GetProcessHeap () returned 0x3a00000 [0069.578] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.578] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0069.580] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.580] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0069.580] GetProcessHeap () returned 0x3a00000 [0069.580] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.580] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.580] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.580] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.580] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.580] CloseHandle (hObject=0x440) returned 1 [0069.580] GetProcessHeap () returned 0x3a00000 [0069.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.580] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0069.580] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\181__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.581] GetProcessHeap () returned 0x3a00000 [0069.581] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.581] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="182__C~1.PRO")) returned 1 [0069.581] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.581] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.581] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.581] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.581] lstrcmpiW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.581] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0069.581] StrStrIW (lpFirst="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.581] lstrcmpW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.581] lstrcmpW (lpString1="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.581] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.582] GetTickCount () returned 0x1151c6e [0069.582] GetTickCount () returned 0x1151c6e [0069.582] GetTickCount () returned 0x1151c6e [0069.582] GetTickCount () returned 0x1151c6e [0069.582] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.582] GetProcessHeap () returned 0x3a00000 [0069.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.582] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.583] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.583] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.583] GetProcessHeap () returned 0x3a00000 [0069.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.583] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.584] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.584] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.584] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.584] CloseHandle (hObject=0x440) returned 1 [0069.584] GetProcessHeap () returned 0x3a00000 [0069.584] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.584] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0069.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\182__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.585] GetProcessHeap () returned 0x3a00000 [0069.585] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.585] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x282, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="183__C~1.PRO")) returned 1 [0069.585] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.585] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.585] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.585] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.585] lstrcmpiW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.585] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0069.585] StrStrIW (lpFirst="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.585] lstrcmpW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.585] lstrcmpW (lpString1="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.585] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.585] GetTickCount () returned 0x1151c6e [0069.585] GetTickCount () returned 0x1151c6e [0069.585] GetTickCount () returned 0x1151c6e [0069.585] GetTickCount () returned 0x1151c6e [0069.585] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.585] GetProcessHeap () returned 0x3a00000 [0069.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.585] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0069.587] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.587] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x282, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x282, lpOverlapped=0x0) returned 1 [0069.587] GetProcessHeap () returned 0x3a00000 [0069.587] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.587] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.587] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.587] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.587] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.587] CloseHandle (hObject=0x440) returned 1 [0069.588] GetProcessHeap () returned 0x3a00000 [0069.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.588] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0069.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\183__connections_cellular_pccw (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.588] GetProcessHeap () returned 0x3a00000 [0069.588] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.588] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x906e6a13, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="184__C~1.PRO")) returned 1 [0069.588] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.588] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.588] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.588] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.588] lstrcmpiW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.588] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 177 [0069.588] StrStrIW (lpFirst="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.589] lstrcmpW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.589] lstrcmpW (lpString1="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.589] GetTickCount () returned 0x1151c7d [0069.589] GetTickCount () returned 0x1151c7d [0069.589] GetTickCount () returned 0x1151c7d [0069.589] GetTickCount () returned 0x1151c7d [0069.589] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.589] GetProcessHeap () returned 0x3a00000 [0069.589] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.589] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0069.590] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.590] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0069.591] GetProcessHeap () returned 0x3a00000 [0069.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.591] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.591] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.591] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.591] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.591] CloseHandle (hObject=0x440) returned 1 [0069.591] GetProcessHeap () returned 0x3a00000 [0069.591] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.591] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 196 [0069.591] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\184__connections_cellular_smartone-vodafone (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.599] GetProcessHeap () returned 0x3a00000 [0069.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.600] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="185__C~1.PRO")) returned 1 [0069.600] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.600] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.600] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.600] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.600] lstrcmpiW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.600] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml") returned 169 [0069.600] StrStrIW (lpFirst="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.600] lstrcmpW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.600] lstrcmpW (lpString1="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.600] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.600] GetTickCount () returned 0x1151c7d [0069.600] GetTickCount () returned 0x1151c7d [0069.600] GetTickCount () returned 0x1151c7d [0069.600] GetTickCount () returned 0x1151c7d [0069.600] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.600] GetProcessHeap () returned 0x3a00000 [0069.600] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.600] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.602] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.602] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.603] GetProcessHeap () returned 0x3a00000 [0069.603] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.603] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.603] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.603] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.603] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.603] CloseHandle (hObject=0x440) returned 1 [0069.603] GetProcessHeap () returned 0x3a00000 [0069.603] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.603] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0069.603] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\185__connections_cellular_telenor hungary (hungary)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.604] GetProcessHeap () returned 0x3a00000 [0069.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.604] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="186__C~1.PRO")) returned 1 [0069.604] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.604] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.604] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.604] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.604] lstrcmpiW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.604] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml") returned 168 [0069.604] StrStrIW (lpFirst="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.604] lstrcmpW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.604] lstrcmpW (lpString1="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.604] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.604] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.605] GetTickCount () returned 0x1151c8d [0069.605] GetTickCount () returned 0x1151c8d [0069.605] GetTickCount () returned 0x1151c8d [0069.605] GetTickCount () returned 0x1151c8d [0069.605] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.605] GetProcessHeap () returned 0x3a00000 [0069.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.605] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0069.606] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.606] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0069.606] GetProcessHeap () returned 0x3a00000 [0069.607] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.607] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.607] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.607] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.607] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.607] CloseHandle (hObject=0x440) returned 1 [0069.607] GetProcessHeap () returned 0x3a00000 [0069.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.607] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0069.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\186__connections_cellular_magyar telekom (hungary)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.608] GetProcessHeap () returned 0x3a00000 [0069.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.608] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", cAlternateFileName="187__C~1.PRO")) returned 1 [0069.608] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.608] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.608] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.608] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.608] lstrcmpiW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.609] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml") returned 165 [0069.609] StrStrIW (lpFirst="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.609] lstrcmpW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.609] lstrcmpW (lpString1="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.609] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.609] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.609] GetTickCount () returned 0x1151c8d [0069.609] GetTickCount () returned 0x1151c8d [0069.609] GetTickCount () returned 0x1151c8d [0069.609] GetTickCount () returned 0x1151c8d [0069.609] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.609] GetProcessHeap () returned 0x3a00000 [0069.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.609] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0069.683] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.683] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0069.683] GetProcessHeap () returned 0x3a00000 [0069.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.683] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.684] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.684] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.684] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.684] CloseHandle (hObject=0x440) returned 1 [0069.684] GetProcessHeap () returned 0x3a00000 [0069.684] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.684] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0069.684] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\187__connections_cellular_vodafone hu (hungary)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.685] GetProcessHeap () returned 0x3a00000 [0069.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.685] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", cAlternateFileName="188__C~1.PRO")) returned 1 [0069.685] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.686] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.686] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.686] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.686] lstrcmpiW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml") returned 165 [0069.686] StrStrIW (lpFirst="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.686] lstrcmpW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.686] lstrcmpW (lpString1="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.686] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.686] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.686] GetTickCount () returned 0x1151cdb [0069.686] GetTickCount () returned 0x1151cdb [0069.686] GetTickCount () returned 0x1151cdb [0069.686] GetTickCount () returned 0x1151cdb [0069.686] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.687] GetProcessHeap () returned 0x3a00000 [0069.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.687] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0069.688] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.688] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0069.688] GetProcessHeap () returned 0x3a00000 [0069.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.688] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.689] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.689] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.689] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.689] CloseHandle (hObject=0x440) returned 1 [0069.689] GetProcessHeap () returned 0x3a00000 [0069.689] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.689] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0069.689] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\188__connections_cellular_vodafone hu (hungary)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.690] GetProcessHeap () returned 0x3a00000 [0069.690] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.690] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9070cc83, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="189__C~1.PRO")) returned 1 [0069.690] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0069.690] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0069.690] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0069.690] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0069.690] lstrcmpiW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0069.690] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0069.690] StrStrIW (lpFirst="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0069.690] lstrcmpW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.690] lstrcmpW (lpString1="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0069.690] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.690] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.691] GetTickCount () returned 0x1151ceb [0069.691] GetTickCount () returned 0x1151ceb [0069.691] GetTickCount () returned 0x1151ceb [0069.691] GetTickCount () returned 0x1151ceb [0069.691] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.691] GetProcessHeap () returned 0x3a00000 [0069.691] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.691] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0069.692] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.692] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0069.692] GetProcessHeap () returned 0x3a00000 [0069.692] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.692] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.693] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.693] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.693] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.693] CloseHandle (hObject=0x440) returned 1 [0069.693] GetProcessHeap () returned 0x3a00000 [0069.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.693] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0069.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\189__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.694] GetProcessHeap () returned 0x3a00000 [0069.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.694] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="18__CE~1.PRO")) returned 1 [0069.694] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0069.694] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0069.694] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0069.694] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0069.694] lstrcmpiW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0069.694] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0069.694] StrStrIW (lpFirst="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0069.694] lstrcmpW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.694] lstrcmpW (lpString1="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0069.695] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.695] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.695] GetTickCount () returned 0x1151ceb [0069.695] GetTickCount () returned 0x1151ceb [0069.695] GetTickCount () returned 0x1151ceb [0069.695] GetTickCount () returned 0x1151ceb [0069.695] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.695] GetProcessHeap () returned 0x3a00000 [0069.695] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.695] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d0, lpOverlapped=0x0) returned 1 [0069.696] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.696] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d0, lpOverlapped=0x0) returned 1 [0069.696] GetProcessHeap () returned 0x3a00000 [0069.696] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.696] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.696] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.697] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.697] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.697] CloseHandle (hObject=0x440) returned 1 [0069.697] GetProcessHeap () returned 0x3a00000 [0069.697] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.697] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 180 [0069.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\18__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.698] GetProcessHeap () returned 0x3a00000 [0069.698] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.698] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="190__C~1.PRO")) returned 1 [0069.698] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.698] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.698] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.698] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.698] lstrcmpiW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml") returned 163 [0069.698] StrStrIW (lpFirst="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.698] lstrcmpW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.698] lstrcmpW (lpString1="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.699] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.699] GetTickCount () returned 0x1151ceb [0069.699] GetTickCount () returned 0x1151ceb [0069.699] GetTickCount () returned 0x1151ceb [0069.699] GetTickCount () returned 0x1151ceb [0069.699] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.699] GetProcessHeap () returned 0x3a00000 [0069.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.699] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0069.700] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.701] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0069.701] GetProcessHeap () returned 0x3a00000 [0069.701] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.701] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.702] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.702] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.702] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.702] CloseHandle (hObject=0x440) returned 1 [0069.702] GetProcessHeap () returned 0x3a00000 [0069.702] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.702] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0069.702] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\190__connections_cellular_siminn hf (iceland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.703] GetProcessHeap () returned 0x3a00000 [0069.703] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.703] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="191__C~1.PRO")) returned 1 [0069.703] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.703] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.703] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.703] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.703] lstrcmpiW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.703] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml") returned 170 [0069.703] StrStrIW (lpFirst="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.703] lstrcmpW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.703] lstrcmpW (lpString1="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.703] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.703] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.703] GetTickCount () returned 0x1151ceb [0069.703] GetTickCount () returned 0x1151ceb [0069.703] GetTickCount () returned 0x1151ceb [0069.703] GetTickCount () returned 0x1151ceb [0069.703] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.703] GetProcessHeap () returned 0x3a00000 [0069.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.703] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0069.705] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.705] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0069.705] GetProcessHeap () returned 0x3a00000 [0069.705] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.705] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.705] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.705] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.705] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.705] CloseHandle (hObject=0x440) returned 1 [0069.705] GetProcessHeap () returned 0x3a00000 [0069.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.705] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0069.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\191__connections_cellular_vodafone iceland (iceland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.706] GetProcessHeap () returned 0x3a00000 [0069.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.706] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="192__C~1.PRO")) returned 1 [0069.708] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0069.708] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0069.708] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0069.708] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0069.708] lstrcmpiW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0069.708] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0069.708] StrStrIW (lpFirst="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0069.708] lstrcmpW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.708] lstrcmpW (lpString1="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0069.708] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.708] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.709] GetTickCount () returned 0x1151ceb [0069.709] GetTickCount () returned 0x1151ceb [0069.709] GetTickCount () returned 0x1151ceb [0069.709] GetTickCount () returned 0x1151ceb [0069.709] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.709] GetProcessHeap () returned 0x3a00000 [0069.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.709] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0069.710] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.710] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0069.710] GetProcessHeap () returned 0x3a00000 [0069.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.710] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.710] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.711] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.711] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.711] CloseHandle (hObject=0x440) returned 1 [0069.711] GetProcessHeap () returned 0x3a00000 [0069.711] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.711] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0069.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\192__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.712] GetProcessHeap () returned 0x3a00000 [0069.712] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.712] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90732eea, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="193__C~1.PRO")) returned 1 [0069.712] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.712] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.712] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.712] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.712] lstrcmpiW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.712] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml") returned 158 [0069.712] StrStrIW (lpFirst="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.712] lstrcmpW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.712] lstrcmpW (lpString1="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.712] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.712] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.712] GetTickCount () returned 0x1151ceb [0069.712] GetTickCount () returned 0x1151ceb [0069.712] GetTickCount () returned 0x1151ceb [0069.712] GetTickCount () returned 0x1151ceb [0069.712] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.713] GetProcessHeap () returned 0x3a00000 [0069.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.713] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0069.714] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.714] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0069.714] GetProcessHeap () returned 0x3a00000 [0069.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.714] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.714] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.714] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.714] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.714] CloseHandle (hObject=0x440) returned 1 [0069.715] GetProcessHeap () returned 0x3a00000 [0069.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0069.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\193__connections_cellular_aircel (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.715] GetProcessHeap () returned 0x3a00000 [0069.715] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.715] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="194__C~1.PRO")) returned 1 [0069.715] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.715] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.715] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.715] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.715] lstrcmpiW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.715] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml") returned 158 [0069.715] StrStrIW (lpFirst="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.715] lstrcmpW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.715] lstrcmpW (lpString1="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.716] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.716] GetTickCount () returned 0x1151ceb [0069.716] GetTickCount () returned 0x1151ceb [0069.716] GetTickCount () returned 0x1151ceb [0069.716] GetTickCount () returned 0x1151ceb [0069.716] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.716] GetProcessHeap () returned 0x3a00000 [0069.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.716] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0069.717] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0069.718] GetProcessHeap () returned 0x3a00000 [0069.718] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.718] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.718] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.718] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.718] CloseHandle (hObject=0x440) returned 1 [0069.718] GetProcessHeap () returned 0x3a00000 [0069.718] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.718] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0069.718] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\194__connections_cellular_airtel (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.719] GetProcessHeap () returned 0x3a00000 [0069.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.719] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="195__C~1.PRO")) returned 1 [0069.719] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.719] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.719] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.719] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.719] lstrcmpiW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.719] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml") returned 163 [0069.719] StrStrIW (lpFirst="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.719] lstrcmpW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.719] lstrcmpW (lpString1="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.719] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.719] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.719] GetTickCount () returned 0x1151cfa [0069.719] GetTickCount () returned 0x1151cfa [0069.719] GetTickCount () returned 0x1151cfa [0069.719] GetTickCount () returned 0x1151cfa [0069.719] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.720] GetProcessHeap () returned 0x3a00000 [0069.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.720] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.721] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.721] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.721] GetProcessHeap () returned 0x3a00000 [0069.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.721] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.721] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.721] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.722] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.722] CloseHandle (hObject=0x440) returned 1 [0069.722] GetProcessHeap () returned 0x3a00000 [0069.722] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.722] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0069.722] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\195__connections_cellular_indosat (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.722] GetProcessHeap () returned 0x3a00000 [0069.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.722] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="196__C~1.PRO")) returned 1 [0069.722] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.722] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.722] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.722] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.723] lstrcmpiW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.723] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml") returned 163 [0069.723] StrStrIW (lpFirst="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.723] lstrcmpW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.723] lstrcmpW (lpString1="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.723] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.723] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.723] GetTickCount () returned 0x1151cfa [0069.723] GetTickCount () returned 0x1151cfa [0069.723] GetTickCount () returned 0x1151cfa [0069.723] GetTickCount () returned 0x1151cfa [0069.723] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.723] GetProcessHeap () returned 0x3a00000 [0069.723] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.723] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.831] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.831] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0069.831] GetProcessHeap () returned 0x3a00000 [0069.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.831] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.831] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.831] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.832] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.832] CloseHandle (hObject=0x440) returned 1 [0069.832] GetProcessHeap () returned 0x3a00000 [0069.832] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.832] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0069.832] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\196__connections_cellular_indosat (indonesia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.833] GetProcessHeap () returned 0x3a00000 [0069.833] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.833] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="197__C~1.PRO")) returned 1 [0069.833] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.833] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.833] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.833] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.833] lstrcmpiW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.833] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml") returned 165 [0069.833] StrStrIW (lpFirst="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.833] lstrcmpW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.833] lstrcmpW (lpString1="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.833] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.834] GetTickCount () returned 0x1151d68 [0069.834] GetTickCount () returned 0x1151d68 [0069.834] GetTickCount () returned 0x1151d68 [0069.834] GetTickCount () returned 0x1151d68 [0069.834] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.834] GetProcessHeap () returned 0x3a00000 [0069.834] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.834] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0069.836] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.836] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0069.836] GetProcessHeap () returned 0x3a00000 [0069.836] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.836] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.836] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.836] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.836] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.836] CloseHandle (hObject=0x440) returned 1 [0069.836] GetProcessHeap () returned 0x3a00000 [0069.837] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.837] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0069.837] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\197__connections_cellular_telkomsel (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.840] GetProcessHeap () returned 0x3a00000 [0069.840] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.840] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90759156, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="198__C~1.PRO")) returned 1 [0069.840] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.840] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.840] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.840] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.840] lstrcmpiW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.840] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml") returned 165 [0069.840] StrStrIW (lpFirst="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.840] lstrcmpW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.840] lstrcmpW (lpString1="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.840] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.840] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.840] GetTickCount () returned 0x1151d68 [0069.840] GetTickCount () returned 0x1151d68 [0069.840] GetTickCount () returned 0x1151d68 [0069.840] GetTickCount () returned 0x1151d68 [0069.840] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.841] GetProcessHeap () returned 0x3a00000 [0069.841] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.841] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0069.843] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.843] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0069.843] GetProcessHeap () returned 0x3a00000 [0069.843] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.843] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.843] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.843] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.843] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.843] CloseHandle (hObject=0x440) returned 1 [0069.843] GetProcessHeap () returned 0x3a00000 [0069.844] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.844] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0069.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\198__connections_cellular_telkomsel (indonesia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.844] GetProcessHeap () returned 0x3a00000 [0069.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.844] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="199__C~1.PRO")) returned 1 [0069.844] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.844] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.844] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.844] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.844] lstrcmpiW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.844] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml") returned 164 [0069.844] StrStrIW (lpFirst="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.844] lstrcmpW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.844] lstrcmpW (lpString1="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.844] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.844] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.845] GetTickCount () returned 0x1151d77 [0069.845] GetTickCount () returned 0x1151d77 [0069.845] GetTickCount () returned 0x1151d77 [0069.845] GetTickCount () returned 0x1151d77 [0069.845] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.845] GetProcessHeap () returned 0x3a00000 [0069.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.845] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0069.847] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.847] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0069.847] GetProcessHeap () returned 0x3a00000 [0069.847] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.847] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.847] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.847] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.847] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.847] CloseHandle (hObject=0x440) returned 1 [0069.847] GetProcessHeap () returned 0x3a00000 [0069.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.848] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0069.848] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\199__connections_cellular_vodafone (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.848] GetProcessHeap () returned 0x3a00000 [0069.848] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.848] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="19__CE~1.PRO")) returned 1 [0069.848] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0069.848] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0069.848] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0069.848] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0069.848] lstrcmpiW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0069.848] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0069.848] StrStrIW (lpFirst="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0069.848] lstrcmpW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.848] lstrcmpW (lpString1="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0069.848] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.848] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.851] GetTickCount () returned 0x1151d77 [0069.851] GetTickCount () returned 0x1151d77 [0069.851] GetTickCount () returned 0x1151d77 [0069.852] GetTickCount () returned 0x1151d77 [0069.852] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.852] GetProcessHeap () returned 0x3a00000 [0069.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.852] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e2, lpOverlapped=0x0) returned 1 [0069.853] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e2, lpOverlapped=0x0) returned 1 [0069.853] GetProcessHeap () returned 0x3a00000 [0069.853] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.853] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.854] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.854] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.854] CloseHandle (hObject=0x440) returned 1 [0069.854] GetProcessHeap () returned 0x3a00000 [0069.854] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.854] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0069.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\19__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.855] GetProcessHeap () returned 0x3a00000 [0069.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.855] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="1__CON~1.PRO")) returned 1 [0069.855] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.855] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.855] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.855] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.855] lstrcmpiW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.855] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml") returned 168 [0069.855] StrStrIW (lpFirst="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.855] lstrcmpW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.855] lstrcmpW (lpString1="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.855] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.855] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.855] GetTickCount () returned 0x1151d77 [0069.855] GetTickCount () returned 0x1151d77 [0069.856] GetTickCount () returned 0x1151d77 [0069.856] GetTickCount () returned 0x1151d77 [0069.856] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.856] GetProcessHeap () returned 0x3a00000 [0069.856] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.856] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0069.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.857] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0069.857] GetProcessHeap () returned 0x3a00000 [0069.857] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.859] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.859] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.859] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.859] CloseHandle (hObject=0x440) returned 1 [0069.860] GetProcessHeap () returned 0x3a00000 [0069.860] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.860] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0069.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\1__connections_cellular_vodafone albania (albania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.860] GetProcessHeap () returned 0x3a00000 [0069.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.860] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="200__C~1.PRO")) returned 1 [0069.860] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.860] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.860] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.860] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.860] lstrcmpiW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.860] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml") returned 159 [0069.860] StrStrIW (lpFirst="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.860] lstrcmpW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.861] lstrcmpW (lpString1="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.861] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.861] GetTickCount () returned 0x1151d87 [0069.861] GetTickCount () returned 0x1151d87 [0069.861] GetTickCount () returned 0x1151d87 [0069.861] GetTickCount () returned 0x1151d87 [0069.861] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.861] GetProcessHeap () returned 0x3a00000 [0069.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e1, lpOverlapped=0x0) returned 1 [0069.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.862] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e1, lpOverlapped=0x0) returned 1 [0069.862] GetProcessHeap () returned 0x3a00000 [0069.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.862] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.867] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.868] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.915] CloseHandle (hObject=0x440) returned 1 [0069.918] GetProcessHeap () returned 0x3a00000 [0069.918] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.918] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0069.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\200__connections_cellular_asiacell (iraq)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.919] GetProcessHeap () returned 0x3a00000 [0069.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.919] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x308, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="201__C~1.PRO")) returned 1 [0069.919] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.919] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.919] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.919] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.919] lstrcmpiW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.919] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml") returned 163 [0069.919] StrStrIW (lpFirst="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.919] lstrcmpW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.919] lstrcmpW (lpString1="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.919] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.919] GetTickCount () returned 0x1151db6 [0069.919] GetTickCount () returned 0x1151db6 [0069.919] GetTickCount () returned 0x1151db6 [0069.919] GetTickCount () returned 0x1151db6 [0069.919] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.920] GetProcessHeap () returned 0x3a00000 [0069.920] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.920] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x308, lpOverlapped=0x0) returned 1 [0069.923] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0069.923] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x308, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x308, lpOverlapped=0x0) returned 1 [0069.923] GetProcessHeap () returned 0x3a00000 [0069.923] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0069.923] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.923] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0069.923] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0069.923] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0069.923] CloseHandle (hObject=0x440) returned 1 [0069.923] GetProcessHeap () returned 0x3a00000 [0069.924] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0069.924] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0069.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\201__connections_cellular_korektelecom (iraq)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0069.924] GetProcessHeap () returned 0x3a00000 [0069.924] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0069.924] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9077f3c5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", cAlternateFileName="202__C~1.PRO")) returned 1 [0069.924] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0069.924] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0069.924] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0069.924] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0069.924] lstrcmpiW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0069.924] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml") returned 155 [0069.925] StrStrIW (lpFirst="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0069.925] lstrcmpW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0069.925] lstrcmpW (lpString1="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0069.925] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0069.925] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0069.925] GetTickCount () returned 0x1151dc5 [0069.925] GetTickCount () returned 0x1151dc5 [0069.925] GetTickCount () returned 0x1151dc5 [0069.925] GetTickCount () returned 0x1151dc5 [0069.925] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0069.925] GetProcessHeap () returned 0x3a00000 [0069.925] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0069.925] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1dd, lpOverlapped=0x0) returned 1 [0070.192] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.192] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1dd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1dd, lpOverlapped=0x0) returned 1 [0070.192] GetProcessHeap () returned 0x3a00000 [0070.192] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.192] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.193] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.193] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.193] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.193] CloseHandle (hObject=0x440) returned 1 [0070.194] GetProcessHeap () returned 0x3a00000 [0070.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.194] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0070.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\202__connections_cellular_zain (iraq)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.195] GetProcessHeap () returned 0x3a00000 [0070.195] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.195] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="203__C~1.PRO")) returned 1 [0070.195] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.195] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.195] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.195] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.195] lstrcmpiW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.195] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml") returned 155 [0070.195] StrStrIW (lpFirst="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.195] lstrcmpW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.195] lstrcmpW (lpString1="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.195] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.195] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.195] GetTickCount () returned 0x1151ecf [0070.195] GetTickCount () returned 0x1151ecf [0070.195] GetTickCount () returned 0x1151ecf [0070.195] GetTickCount () returned 0x1151ecf [0070.195] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.196] GetProcessHeap () returned 0x3a00000 [0070.196] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.196] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0070.198] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.198] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0070.199] GetProcessHeap () returned 0x3a00000 [0070.199] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.199] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.199] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.199] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.199] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.199] CloseHandle (hObject=0x440) returned 1 [0070.199] GetProcessHeap () returned 0x3a00000 [0070.199] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.199] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0070.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\203__connections_cellular_3 (ireland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.200] GetProcessHeap () returned 0x3a00000 [0070.200] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.200] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="204__C~1.PRO")) returned 1 [0070.200] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0070.200] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0070.200] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0070.200] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0070.200] lstrcmpiW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0070.200] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0070.200] StrStrIW (lpFirst="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0070.200] lstrcmpW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.200] lstrcmpW (lpString1="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0070.200] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.201] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.201] GetTickCount () returned 0x1151ecf [0070.201] GetTickCount () returned 0x1151ecf [0070.201] GetTickCount () returned 0x1151ecf [0070.201] GetTickCount () returned 0x1151ecf [0070.201] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.201] GetProcessHeap () returned 0x3a00000 [0070.201] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.201] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0070.202] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.202] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0070.202] GetProcessHeap () returned 0x3a00000 [0070.202] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.203] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.203] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.204] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.204] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.204] CloseHandle (hObject=0x440) returned 1 [0070.204] GetProcessHeap () returned 0x3a00000 [0070.204] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.204] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.204] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\204__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.205] GetProcessHeap () returned 0x3a00000 [0070.205] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.205] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="205__C~1.PRO")) returned 1 [0070.205] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.205] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.205] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.205] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.205] lstrcmpiW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.205] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml") returned 156 [0070.205] StrStrIW (lpFirst="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.205] lstrcmpW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.205] lstrcmpW (lpString1="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.205] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.205] GetTickCount () returned 0x1151edf [0070.205] GetTickCount () returned 0x1151edf [0070.205] GetTickCount () returned 0x1151edf [0070.205] GetTickCount () returned 0x1151edf [0070.205] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.205] GetProcessHeap () returned 0x3a00000 [0070.205] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.205] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0070.208] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.212] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0070.213] GetProcessHeap () returned 0x3a00000 [0070.213] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.213] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.213] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.213] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.213] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.213] CloseHandle (hObject=0x440) returned 1 [0070.213] GetProcessHeap () returned 0x3a00000 [0070.213] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.213] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0070.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\205__connections_cellular_o2 (ireland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.214] GetProcessHeap () returned 0x3a00000 [0070.214] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.214] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="206__C~1.PRO")) returned 1 [0070.214] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.214] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.214] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.214] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.214] lstrcmpiW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.214] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml") returned 170 [0070.214] StrStrIW (lpFirst="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.214] lstrcmpW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.214] lstrcmpW (lpString1="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.214] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.216] GetTickCount () returned 0x1151edf [0070.216] GetTickCount () returned 0x1151edf [0070.216] GetTickCount () returned 0x1151edf [0070.216] GetTickCount () returned 0x1151edf [0070.216] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.216] GetProcessHeap () returned 0x3a00000 [0070.216] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.216] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35f, lpOverlapped=0x0) returned 1 [0070.218] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.218] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35f, lpOverlapped=0x0) returned 1 [0070.218] GetProcessHeap () returned 0x3a00000 [0070.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.218] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.218] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.218] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.219] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.219] CloseHandle (hObject=0x440) returned 1 [0070.219] GetProcessHeap () returned 0x3a00000 [0070.219] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.219] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0070.219] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\206__connections_cellular_vodafone ireland (ireland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.220] GetProcessHeap () returned 0x3a00000 [0070.220] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.220] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907a5631, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="207__C~1.PRO")) returned 1 [0070.220] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0070.220] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0070.220] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0070.220] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0070.220] lstrcmpiW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0070.220] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0070.220] StrStrIW (lpFirst="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0070.220] lstrcmpW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.220] lstrcmpW (lpString1="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0070.220] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.220] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.220] GetTickCount () returned 0x1151eee [0070.220] GetTickCount () returned 0x1151eee [0070.220] GetTickCount () returned 0x1151eee [0070.220] GetTickCount () returned 0x1151eee [0070.220] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.220] GetProcessHeap () returned 0x3a00000 [0070.220] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.221] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0070.221] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.221] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0070.222] GetProcessHeap () returned 0x3a00000 [0070.222] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.222] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.222] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.224] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.225] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.225] CloseHandle (hObject=0x440) returned 1 [0070.225] GetProcessHeap () returned 0x3a00000 [0070.225] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.225] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0070.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\207__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.225] GetProcessHeap () returned 0x3a00000 [0070.225] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.226] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="208__C~1.PRO")) returned 1 [0070.228] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.228] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.228] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.228] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.228] lstrcmpiW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.228] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml") returned 160 [0070.228] StrStrIW (lpFirst="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.228] lstrcmpW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.228] lstrcmpW (lpString1="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.228] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.229] GetTickCount () returned 0x1151eee [0070.229] GetTickCount () returned 0x1151eee [0070.229] GetTickCount () returned 0x1151eee [0070.229] GetTickCount () returned 0x1151eee [0070.229] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.229] GetProcessHeap () returned 0x3a00000 [0070.229] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.229] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.230] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.230] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.230] GetProcessHeap () returned 0x3a00000 [0070.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.230] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.230] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.230] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.231] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.231] CloseHandle (hObject=0x440) returned 1 [0070.231] GetProcessHeap () returned 0x3a00000 [0070.231] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.231] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0070.231] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\208__connections_cellular_cellcom (israel)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.231] GetProcessHeap () returned 0x3a00000 [0070.231] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.231] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="209__C~1.PRO")) returned 1 [0070.232] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.232] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.232] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.232] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.232] lstrcmpiW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.232] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml") returned 159 [0070.232] StrStrIW (lpFirst="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.232] lstrcmpW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.232] lstrcmpW (lpString1="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.232] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.232] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.232] GetTickCount () returned 0x1151eee [0070.232] GetTickCount () returned 0x1151eee [0070.232] GetTickCount () returned 0x1151eee [0070.232] GetTickCount () returned 0x1151eee [0070.232] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.232] GetProcessHeap () returned 0x3a00000 [0070.232] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.232] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0070.235] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0070.251] GetProcessHeap () returned 0x3a00000 [0070.251] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.251] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.251] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.251] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.251] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.252] CloseHandle (hObject=0x440) returned 1 [0070.253] GetProcessHeap () returned 0x3a00000 [0070.253] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.253] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0070.253] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\209__connections_cellular_orange (israel)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.254] GetProcessHeap () returned 0x3a00000 [0070.254] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.254] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="20__CO~1.PRO")) returned 1 [0070.254] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.254] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.254] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.254] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.254] lstrcmpiW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.254] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml") returned 162 [0070.254] StrStrIW (lpFirst="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.254] lstrcmpW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.254] lstrcmpW (lpString1="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.254] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.255] GetTickCount () returned 0x1151f0d [0070.255] GetTickCount () returned 0x1151f0d [0070.255] GetTickCount () returned 0x1151f0d [0070.255] GetTickCount () returned 0x1151f0d [0070.255] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.255] GetProcessHeap () returned 0x3a00000 [0070.255] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.255] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e5, lpOverlapped=0x0) returned 1 [0070.256] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.256] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e5, lpOverlapped=0x0) returned 1 [0070.257] GetProcessHeap () returned 0x3a00000 [0070.257] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.257] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.257] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.257] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.257] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.257] CloseHandle (hObject=0x440) returned 1 [0070.257] GetProcessHeap () returned 0x3a00000 [0070.257] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.257] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\20__connections_cellular_telstra (australia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.258] GetProcessHeap () returned 0x3a00000 [0070.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.258] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", cAlternateFileName="210__C~1.PRO")) returned 1 [0070.258] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.258] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.258] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.258] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.258] lstrcmpiW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.258] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml") returned 162 [0070.258] StrStrIW (lpFirst="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.258] lstrcmpW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.258] lstrcmpW (lpString1="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.258] GetTickCount () returned 0x1151f0d [0070.258] GetTickCount () returned 0x1151f0d [0070.258] GetTickCount () returned 0x1151f0d [0070.258] GetTickCount () returned 0x1151f0d [0070.259] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.259] GetProcessHeap () returned 0x3a00000 [0070.259] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.259] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0070.260] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.260] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0070.260] GetProcessHeap () returned 0x3a00000 [0070.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.260] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.260] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.260] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.261] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.261] CloseHandle (hObject=0x440) returned 1 [0070.261] GetProcessHeap () returned 0x3a00000 [0070.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.261] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\210__connections_cellular_pelephone (israel)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.261] GetProcessHeap () returned 0x3a00000 [0070.261] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.261] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="211__C~1.PRO")) returned 1 [0070.261] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0070.261] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0070.261] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0070.262] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0070.262] lstrcmpiW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0070.262] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0070.262] StrStrIW (lpFirst="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0070.262] lstrcmpW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.262] lstrcmpW (lpString1="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0070.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] GetTickCount () returned 0x1151f0d [0070.262] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.262] GetProcessHeap () returned 0x3a00000 [0070.262] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.262] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1ce, lpOverlapped=0x0) returned 1 [0070.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1ce, lpOverlapped=0x0) returned 1 [0070.263] GetProcessHeap () returned 0x3a00000 [0070.263] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.273] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.273] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.273] CloseHandle (hObject=0x440) returned 1 [0070.273] GetProcessHeap () returned 0x3a00000 [0070.273] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.273] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\211__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.274] GetProcessHeap () returned 0x3a00000 [0070.274] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.274] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907cb89c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="212__C~1.PRO")) returned 1 [0070.274] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.274] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.274] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.274] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.274] lstrcmpiW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.274] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml") returned 155 [0070.274] StrStrIW (lpFirst="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.274] lstrcmpW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.274] lstrcmpW (lpString1="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.274] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.274] GetTickCount () returned 0x1151f1d [0070.274] GetTickCount () returned 0x1151f1d [0070.274] GetTickCount () returned 0x1151f1d [0070.274] GetTickCount () returned 0x1151f1d [0070.274] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.275] GetProcessHeap () returned 0x3a00000 [0070.275] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.275] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0070.276] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.276] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0070.276] GetProcessHeap () returned 0x3a00000 [0070.276] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.276] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.276] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.277] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.277] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.277] CloseHandle (hObject=0x440) returned 1 [0070.277] GetProcessHeap () returned 0x3a00000 [0070.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.277] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0070.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\212__connections_cellular_tim (italy)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.278] GetProcessHeap () returned 0x3a00000 [0070.278] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.278] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="213__C~1.PRO")) returned 1 [0070.278] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0070.278] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0070.278] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0070.278] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0070.278] lstrcmpiW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0070.278] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0070.278] StrStrIW (lpFirst="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0070.278] lstrcmpW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.278] lstrcmpW (lpString1="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0070.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.278] GetTickCount () returned 0x1151f1d [0070.278] GetTickCount () returned 0x1151f1d [0070.278] GetTickCount () returned 0x1151f1d [0070.278] GetTickCount () returned 0x1151f1d [0070.278] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.278] GetProcessHeap () returned 0x3a00000 [0070.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.279] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0070.414] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.414] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0070.415] GetProcessHeap () returned 0x3a00000 [0070.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.415] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.415] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.415] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.416] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.416] CloseHandle (hObject=0x440) returned 1 [0070.416] GetProcessHeap () returned 0x3a00000 [0070.416] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.416] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0070.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\213__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.417] GetProcessHeap () returned 0x3a00000 [0070.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.417] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="214__C~1.PRO")) returned 1 [0070.417] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.417] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.417] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.417] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.417] lstrcmpiW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.417] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml") returned 163 [0070.417] StrStrIW (lpFirst="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.417] lstrcmpW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.417] lstrcmpW (lpString1="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.417] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.417] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.417] GetTickCount () returned 0x1151faa [0070.417] GetTickCount () returned 0x1151faa [0070.417] GetTickCount () returned 0x1151faa [0070.417] GetTickCount () returned 0x1151faa [0070.417] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.418] GetProcessHeap () returned 0x3a00000 [0070.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.418] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0070.419] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.419] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0070.419] GetProcessHeap () returned 0x3a00000 [0070.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.419] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.419] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.419] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.419] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.420] CloseHandle (hObject=0x440) returned 1 [0070.420] GetProcessHeap () returned 0x3a00000 [0070.420] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.420] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0070.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\214__connections_cellular_vodafone it (italy)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.420] GetProcessHeap () returned 0x3a00000 [0070.420] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.420] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="215__C~1.PRO")) returned 1 [0070.421] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0070.421] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0070.421] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0070.421] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0070.421] lstrcmpiW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0070.421] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0070.421] StrStrIW (lpFirst="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0070.421] lstrcmpW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.421] lstrcmpW (lpString1="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0070.421] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.421] GetTickCount () returned 0x1151fb9 [0070.421] GetTickCount () returned 0x1151fb9 [0070.421] GetTickCount () returned 0x1151fb9 [0070.421] GetTickCount () returned 0x1151fb9 [0070.421] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.421] GetProcessHeap () returned 0x3a00000 [0070.421] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.421] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0070.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.422] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0070.422] GetProcessHeap () returned 0x3a00000 [0070.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.423] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.423] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.423] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.423] CloseHandle (hObject=0x440) returned 1 [0070.423] GetProcessHeap () returned 0x3a00000 [0070.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.423] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0070.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\215__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.424] GetProcessHeap () returned 0x3a00000 [0070.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.424] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="216__C~1.PRO")) returned 1 [0070.424] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.424] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.424] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.424] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.424] lstrcmpiW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.424] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml") returned 156 [0070.424] StrStrIW (lpFirst="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.424] lstrcmpW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.425] lstrcmpW (lpString1="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.425] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.425] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.425] GetTickCount () returned 0x1151fb9 [0070.425] GetTickCount () returned 0x1151fb9 [0070.425] GetTickCount () returned 0x1151fb9 [0070.425] GetTickCount () returned 0x1151fb9 [0070.425] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.425] GetProcessHeap () returned 0x3a00000 [0070.425] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.425] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0070.426] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.426] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0070.427] GetProcessHeap () returned 0x3a00000 [0070.427] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.427] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.427] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.427] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.427] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.427] CloseHandle (hObject=0x440) returned 1 [0070.427] GetProcessHeap () returned 0x3a00000 [0070.427] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.427] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0070.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\216__connections_cellular_wind (italy)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.428] GetProcessHeap () returned 0x3a00000 [0070.428] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.428] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x907f1b04, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", cAlternateFileName="217__C~1.PRO")) returned 1 [0070.428] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.428] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.428] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.428] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.428] lstrcmpiW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.428] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml") returned 156 [0070.428] StrStrIW (lpFirst="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.428] lstrcmpW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.428] lstrcmpW (lpString1="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.428] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.428] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.428] GetTickCount () returned 0x1151fb9 [0070.428] GetTickCount () returned 0x1151fb9 [0070.428] GetTickCount () returned 0x1151fb9 [0070.428] GetTickCount () returned 0x1151fb9 [0070.428] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.429] GetProcessHeap () returned 0x3a00000 [0070.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.429] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0070.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0070.430] GetProcessHeap () returned 0x3a00000 [0070.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.430] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.430] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.430] CloseHandle (hObject=0x440) returned 1 [0070.430] GetProcessHeap () returned 0x3a00000 [0070.430] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.430] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0070.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\217__connections_cellular_wind (italy)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.635] GetProcessHeap () returned 0x3a00000 [0070.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.635] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x313, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="218__C~1.PRO")) returned 1 [0070.635] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.635] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.635] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.635] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.635] lstrcmpiW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.635] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml") returned 159 [0070.635] StrStrIW (lpFirst="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.635] lstrcmpW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.635] lstrcmpW (lpString1="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.635] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.636] GetTickCount () returned 0x1152084 [0070.636] GetTickCount () returned 0x1152084 [0070.636] GetTickCount () returned 0x1152084 [0070.636] GetTickCount () returned 0x1152084 [0070.636] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.636] GetProcessHeap () returned 0x3a00000 [0070.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.636] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x313, lpOverlapped=0x0) returned 1 [0070.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffced, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x313, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x313, lpOverlapped=0x0) returned 1 [0070.638] GetProcessHeap () returned 0x3a00000 [0070.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.638] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.638] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.638] CloseHandle (hObject=0x440) returned 1 [0070.638] GetProcessHeap () returned 0x3a00000 [0070.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.638] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0070.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\218__connections_cellular_claro (jamaica)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.640] GetProcessHeap () returned 0x3a00000 [0070.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.640] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", cAlternateFileName="219__C~1.PRO")) returned 1 [0070.640] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.640] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.640] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.640] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.640] lstrcmpiW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.640] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml") returned 159 [0070.640] StrStrIW (lpFirst="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.640] lstrcmpW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.640] lstrcmpW (lpString1="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.641] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.641] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.641] GetTickCount () returned 0x1152094 [0070.641] GetTickCount () returned 0x1152094 [0070.641] GetTickCount () returned 0x1152094 [0070.641] GetTickCount () returned 0x1152094 [0070.641] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.641] GetProcessHeap () returned 0x3a00000 [0070.641] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.641] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2fb, lpOverlapped=0x0) returned 1 [0070.646] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.646] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2fb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2fb, lpOverlapped=0x0) returned 1 [0070.646] GetProcessHeap () returned 0x3a00000 [0070.646] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.646] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.646] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.646] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.646] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.646] CloseHandle (hObject=0x440) returned 1 [0070.647] GetProcessHeap () returned 0x3a00000 [0070.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.647] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0070.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\219__connections_cellular_claro (jamaica)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.647] GetProcessHeap () returned 0x3a00000 [0070.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.647] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="21__CO~1.PRO")) returned 1 [0070.647] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.647] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.647] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.647] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.647] lstrcmpiW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.647] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml") returned 162 [0070.647] StrStrIW (lpFirst="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.647] lstrcmpW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.647] lstrcmpW (lpString1="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.647] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.648] GetTickCount () returned 0x1152094 [0070.648] GetTickCount () returned 0x1152094 [0070.648] GetTickCount () returned 0x1152094 [0070.648] GetTickCount () returned 0x1152094 [0070.648] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.648] GetProcessHeap () returned 0x3a00000 [0070.648] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.648] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e4, lpOverlapped=0x0) returned 1 [0070.649] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.649] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e4, lpOverlapped=0x0) returned 1 [0070.650] GetProcessHeap () returned 0x3a00000 [0070.650] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.650] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.650] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.650] CloseHandle (hObject=0x440) returned 1 [0070.650] GetProcessHeap () returned 0x3a00000 [0070.650] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.650] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.650] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\21__connections_cellular_telstra (australia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.651] GetProcessHeap () returned 0x3a00000 [0070.651] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.651] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="220__C~1.PRO")) returned 1 [0070.651] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.651] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.651] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.651] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.651] lstrcmpiW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.651] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml") returned 172 [0070.651] StrStrIW (lpFirst="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.651] lstrcmpW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.651] lstrcmpW (lpString1="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.651] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.651] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.652] GetTickCount () returned 0x1152094 [0070.652] GetTickCount () returned 0x1152094 [0070.652] GetTickCount () returned 0x1152094 [0070.652] GetTickCount () returned 0x1152094 [0070.652] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.652] GetProcessHeap () returned 0x3a00000 [0070.652] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.652] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1ee, lpOverlapped=0x0) returned 1 [0070.656] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.656] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1ee, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1ee, lpOverlapped=0x0) returned 1 [0070.656] GetProcessHeap () returned 0x3a00000 [0070.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.656] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.656] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.656] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.656] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.656] CloseHandle (hObject=0x440) returned 1 [0070.657] GetProcessHeap () returned 0x3a00000 [0070.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.657] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0070.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\220__connections_cellular_cable and wireless (jamaica)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.657] GetProcessHeap () returned 0x3a00000 [0070.657] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.657] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90817d73, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x312, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="221__C~1.PRO")) returned 1 [0070.657] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.657] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.657] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.657] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.657] lstrcmpiW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.657] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml") returned 161 [0070.657] StrStrIW (lpFirst="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.658] lstrcmpW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.658] lstrcmpW (lpString1="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.658] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.658] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.658] GetTickCount () returned 0x11520a4 [0070.658] GetTickCount () returned 0x11520a4 [0070.658] GetTickCount () returned 0x11520a4 [0070.658] GetTickCount () returned 0x11520a4 [0070.658] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.658] GetProcessHeap () returned 0x3a00000 [0070.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.658] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x312, lpOverlapped=0x0) returned 1 [0070.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcee, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.660] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x312, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x312, lpOverlapped=0x0) returned 1 [0070.660] GetProcessHeap () returned 0x3a00000 [0070.660] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.660] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.660] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.660] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.660] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.660] CloseHandle (hObject=0x440) returned 1 [0070.660] GetProcessHeap () returned 0x3a00000 [0070.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.660] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0070.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\221__connections_cellular_digicel (jamaica)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.661] GetProcessHeap () returned 0x3a00000 [0070.661] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.661] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="222__C~1.PRO")) returned 1 [0070.661] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.661] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.661] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.661] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.661] lstrcmpiW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml") returned 158 [0070.661] StrStrIW (lpFirst="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.661] lstrcmpW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.661] lstrcmpW (lpString1="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.661] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.661] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.662] GetTickCount () returned 0x11520a4 [0070.662] GetTickCount () returned 0x11520a4 [0070.662] GetTickCount () returned 0x11520a4 [0070.662] GetTickCount () returned 0x11520a4 [0070.662] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.662] GetProcessHeap () returned 0x3a00000 [0070.662] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.662] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.663] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.663] GetProcessHeap () returned 0x3a00000 [0070.663] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.663] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.664] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.664] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.664] CloseHandle (hObject=0x440) returned 1 [0070.664] GetProcessHeap () returned 0x3a00000 [0070.664] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.664] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0070.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\222__connections_cellular_docomo (japan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.664] GetProcessHeap () returned 0x3a00000 [0070.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.665] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="223__C~1.PRO")) returned 1 [0070.665] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.665] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.665] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.665] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.665] lstrcmpiW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml") returned 158 [0070.665] StrStrIW (lpFirst="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.665] lstrcmpW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.665] lstrcmpW (lpString1="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.665] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.665] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.665] GetTickCount () returned 0x11520a4 [0070.665] GetTickCount () returned 0x11520a4 [0070.665] GetTickCount () returned 0x11520a4 [0070.665] GetTickCount () returned 0x11520a4 [0070.665] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.665] GetProcessHeap () returned 0x3a00000 [0070.665] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.665] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0070.667] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.667] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0070.667] GetProcessHeap () returned 0x3a00000 [0070.667] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.667] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.667] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.667] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.667] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.667] CloseHandle (hObject=0x440) returned 1 [0070.667] GetProcessHeap () returned 0x3a00000 [0070.667] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.667] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0070.667] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\223__connections_cellular_docomo (japan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.668] GetProcessHeap () returned 0x3a00000 [0070.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.668] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", cAlternateFileName="224__C~1.PRO")) returned 1 [0070.671] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.671] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.671] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.671] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.671] lstrcmpiW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.671] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml") returned 158 [0070.671] StrStrIW (lpFirst="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.671] lstrcmpW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.671] lstrcmpW (lpString1="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.671] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.671] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.671] GetTickCount () returned 0x11520b3 [0070.671] GetTickCount () returned 0x11520b3 [0070.671] GetTickCount () returned 0x11520b3 [0070.671] GetTickCount () returned 0x11520b3 [0070.671] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.672] GetProcessHeap () returned 0x3a00000 [0070.672] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.672] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0070.673] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.673] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0070.673] GetProcessHeap () returned 0x3a00000 [0070.673] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.673] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.673] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.673] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.673] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.673] CloseHandle (hObject=0x440) returned 1 [0070.673] GetProcessHeap () returned 0x3a00000 [0070.673] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.674] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0070.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\224__connections_cellular_docomo (japan)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.674] GetProcessHeap () returned 0x3a00000 [0070.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.674] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", cAlternateFileName="225__C~1.PRO")) returned 1 [0070.674] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.674] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.674] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.674] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.674] lstrcmpiW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.674] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml") returned 158 [0070.674] StrStrIW (lpFirst="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.674] lstrcmpW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.674] lstrcmpW (lpString1="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.674] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.675] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.675] GetTickCount () returned 0x11520b3 [0070.675] GetTickCount () returned 0x11520b3 [0070.675] GetTickCount () returned 0x11520b3 [0070.675] GetTickCount () returned 0x11520b3 [0070.675] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.675] GetProcessHeap () returned 0x3a00000 [0070.675] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.675] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0070.676] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.676] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0070.676] GetProcessHeap () returned 0x3a00000 [0070.676] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.676] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.677] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.677] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.677] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.677] CloseHandle (hObject=0x440) returned 1 [0070.677] GetProcessHeap () returned 0x3a00000 [0070.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.677] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0070.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\225__connections_cellular_docomo (japan)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.677] GetProcessHeap () returned 0x3a00000 [0070.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.678] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9083dfdf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x343, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="226__C~1.PRO")) returned 1 [0070.678] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.678] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.678] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.678] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.678] lstrcmpiW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml") returned 159 [0070.678] StrStrIW (lpFirst="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.678] lstrcmpW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.678] lstrcmpW (lpString1="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.678] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.678] GetTickCount () returned 0x11520b3 [0070.678] GetTickCount () returned 0x11520b3 [0070.678] GetTickCount () returned 0x11520b3 [0070.678] GetTickCount () returned 0x11520b3 [0070.678] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.678] GetProcessHeap () returned 0x3a00000 [0070.678] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.678] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x343, lpOverlapped=0x0) returned 1 [0070.837] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcbd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.837] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x343, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x343, lpOverlapped=0x0) returned 1 [0070.837] GetProcessHeap () returned 0x3a00000 [0070.837] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.837] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.837] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.838] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.838] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.838] CloseHandle (hObject=0x440) returned 1 [0070.838] GetProcessHeap () returned 0x3a00000 [0070.838] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.838] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0070.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\226__connections_cellular_orange (jordan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.839] GetProcessHeap () returned 0x3a00000 [0070.839] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.839] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="227__C~1.PRO")) returned 1 [0070.839] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.839] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.839] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.839] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.839] lstrcmpiW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.839] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml") returned 159 [0070.839] StrStrIW (lpFirst="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.839] lstrcmpW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.839] lstrcmpW (lpString1="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.840] GetTickCount () returned 0x1152150 [0070.840] GetTickCount () returned 0x1152150 [0070.840] GetTickCount () returned 0x1152150 [0070.840] GetTickCount () returned 0x1152150 [0070.840] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.840] GetProcessHeap () returned 0x3a00000 [0070.840] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.840] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27c, lpOverlapped=0x0) returned 1 [0070.841] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.841] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27c, lpOverlapped=0x0) returned 1 [0070.841] GetProcessHeap () returned 0x3a00000 [0070.841] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.841] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.842] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.842] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.842] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.842] CloseHandle (hObject=0x440) returned 1 [0070.842] GetProcessHeap () returned 0x3a00000 [0070.842] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.842] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0070.842] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\227__connections_cellular_umniah (jordan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.843] GetProcessHeap () returned 0x3a00000 [0070.843] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.843] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="228__C~1.PRO")) returned 1 [0070.843] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.843] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.843] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.843] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.843] lstrcmpiW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.843] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml") returned 157 [0070.843] StrStrIW (lpFirst="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.843] lstrcmpW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.843] lstrcmpW (lpString1="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.843] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.843] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.844] GetTickCount () returned 0x115215f [0070.844] GetTickCount () returned 0x115215f [0070.844] GetTickCount () returned 0x115215f [0070.844] GetTickCount () returned 0x115215f [0070.844] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.844] GetProcessHeap () returned 0x3a00000 [0070.844] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.844] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0070.846] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.846] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0070.846] GetProcessHeap () returned 0x3a00000 [0070.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.846] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.846] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.846] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.846] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.846] CloseHandle (hObject=0x440) returned 1 [0070.846] GetProcessHeap () returned 0x3a00000 [0070.846] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.846] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0070.846] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\228__connections_cellular_zain (jordan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.847] GetProcessHeap () returned 0x3a00000 [0070.847] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="229__C~1.PRO")) returned 1 [0070.847] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.847] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.847] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.847] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.847] lstrcmpiW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.847] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml") returned 157 [0070.847] StrStrIW (lpFirst="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.847] lstrcmpW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.847] lstrcmpW (lpString1="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.847] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.847] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.848] GetTickCount () returned 0x115215f [0070.848] GetTickCount () returned 0x115215f [0070.848] GetTickCount () returned 0x115215f [0070.848] GetTickCount () returned 0x115215f [0070.848] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.848] GetProcessHeap () returned 0x3a00000 [0070.848] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.848] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.849] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.849] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.849] GetProcessHeap () returned 0x3a00000 [0070.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.849] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.849] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.850] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.850] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.850] CloseHandle (hObject=0x440) returned 1 [0070.850] GetProcessHeap () returned 0x3a00000 [0070.850] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.850] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0070.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\229__connections_cellular_zain (jordan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.851] GetProcessHeap () returned 0x3a00000 [0070.851] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.851] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90163088, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x376, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="22__CO~1.PRO")) returned 1 [0070.851] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.851] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.851] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.851] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.851] lstrcmpiW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.851] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml") returned 162 [0070.851] StrStrIW (lpFirst="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.851] lstrcmpW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.851] lstrcmpW (lpString1="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.851] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.851] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.851] GetTickCount () returned 0x115215f [0070.851] GetTickCount () returned 0x115215f [0070.851] GetTickCount () returned 0x115215f [0070.851] GetTickCount () returned 0x115215f [0070.851] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.851] GetProcessHeap () returned 0x3a00000 [0070.851] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.851] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x376, lpOverlapped=0x0) returned 1 [0070.853] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc8a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x376, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x376, lpOverlapped=0x0) returned 1 [0070.853] GetProcessHeap () returned 0x3a00000 [0070.853] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.853] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.853] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.853] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.853] CloseHandle (hObject=0x440) returned 1 [0070.853] GetProcessHeap () returned 0x3a00000 [0070.853] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.854] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0070.854] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\22__connections_cellular_telstra (australia)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.854] GetProcessHeap () returned 0x3a00000 [0070.854] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.854] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9086424b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x341, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="230__C~1.PRO")) returned 1 [0070.854] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.854] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.854] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.854] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.854] lstrcmpiW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.854] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml") returned 161 [0070.854] StrStrIW (lpFirst="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.854] lstrcmpW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.854] lstrcmpW (lpString1="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.854] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.855] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.855] GetTickCount () returned 0x115215f [0070.855] GetTickCount () returned 0x115215f [0070.855] GetTickCount () returned 0x115215f [0070.855] GetTickCount () returned 0x115215f [0070.855] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.855] GetProcessHeap () returned 0x3a00000 [0070.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.855] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x341, lpOverlapped=0x0) returned 1 [0070.856] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcbf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.856] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x341, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x341, lpOverlapped=0x0) returned 1 [0070.857] GetProcessHeap () returned 0x3a00000 [0070.857] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.857] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.857] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.857] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.857] CloseHandle (hObject=0x440) returned 1 [0070.857] GetProcessHeap () returned 0x3a00000 [0070.857] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.857] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0070.857] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\230__connections_cellular_safaricom (kenya)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.858] GetProcessHeap () returned 0x3a00000 [0070.858] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.858] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="231__C~1.PRO")) returned 1 [0070.858] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.858] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.858] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.858] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.858] lstrcmpiW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.858] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml") returned 170 [0070.858] StrStrIW (lpFirst="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.858] lstrcmpW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.858] lstrcmpW (lpString1="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.858] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.858] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.859] GetTickCount () returned 0x115216f [0070.859] GetTickCount () returned 0x115216f [0070.859] GetTickCount () returned 0x115216f [0070.859] GetTickCount () returned 0x115216f [0070.859] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.859] GetProcessHeap () returned 0x3a00000 [0070.859] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.859] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x29e, lpOverlapped=0x0) returned 1 [0070.860] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.860] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x29e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x29e, lpOverlapped=0x0) returned 1 [0070.860] GetProcessHeap () returned 0x3a00000 [0070.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.860] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.860] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.861] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.861] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.861] CloseHandle (hObject=0x440) returned 1 [0070.861] GetProcessHeap () returned 0x3a00000 [0070.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.861] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0070.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\231__connections_cellular_ktf hsdpa internet (korea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.862] GetProcessHeap () returned 0x3a00000 [0070.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.862] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", cAlternateFileName="232__C~1.PRO")) returned 1 [0070.862] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.862] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.862] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.862] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.862] lstrcmpiW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.862] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml") returned 161 [0070.862] StrStrIW (lpFirst="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.862] lstrcmpW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.862] lstrcmpW (lpString1="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.862] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.863] GetTickCount () returned 0x115216f [0070.863] GetTickCount () returned 0x115216f [0070.863] GetTickCount () returned 0x115216f [0070.863] GetTickCount () returned 0x115216f [0070.863] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.863] GetProcessHeap () returned 0x3a00000 [0070.863] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.863] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0070.864] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.864] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0070.865] GetProcessHeap () returned 0x3a00000 [0070.865] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.865] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.865] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.865] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.865] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.865] CloseHandle (hObject=0x440) returned 1 [0070.865] GetProcessHeap () returned 0x3a00000 [0070.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.865] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0070.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\232__connections_cellular_wataniya (kuwait)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.866] GetProcessHeap () returned 0x3a00000 [0070.866] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.866] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", cAlternateFileName="233__C~1.PRO")) returned 1 [0070.866] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.866] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.866] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.866] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.866] lstrcmpiW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.866] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml") returned 157 [0070.866] StrStrIW (lpFirst="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.866] lstrcmpW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.866] lstrcmpW (lpString1="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.866] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.866] GetTickCount () returned 0x115216f [0070.866] GetTickCount () returned 0x115216f [0070.866] GetTickCount () returned 0x115216f [0070.866] GetTickCount () returned 0x115216f [0070.866] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.866] GetProcessHeap () returned 0x3a00000 [0070.866] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.867] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0070.868] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.868] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0070.868] GetProcessHeap () returned 0x3a00000 [0070.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.868] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.868] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.868] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.868] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.868] CloseHandle (hObject=0x440) returned 1 [0070.869] GetProcessHeap () returned 0x3a00000 [0070.869] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.869] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0070.869] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\233__connections_cellular_zain (kuwait)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.869] GetProcessHeap () returned 0x3a00000 [0070.869] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.869] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9088a4b2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="234__C~1.PRO")) returned 1 [0070.869] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.869] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.869] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.869] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0070.869] lstrcmpiW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0070.869] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml") returned 165 [0070.869] StrStrIW (lpFirst="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0070.869] lstrcmpW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0070.869] lstrcmpW (lpString1="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0070.870] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0070.870] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0070.870] GetTickCount () returned 0x115216f [0070.870] GetTickCount () returned 0x115216f [0070.870] GetTickCount () returned 0x115216f [0070.870] GetTickCount () returned 0x115216f [0070.870] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0070.870] GetProcessHeap () returned 0x3a00000 [0070.870] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0070.870] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.872] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0070.872] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0070.872] GetProcessHeap () returned 0x3a00000 [0070.872] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0070.872] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.872] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0070.872] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0070.872] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0070.872] CloseHandle (hObject=0x440) returned 1 [0070.872] GetProcessHeap () returned 0x3a00000 [0070.872] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0070.872] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0070.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\234__connections_cellular_bite latvija (latvia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0070.873] GetProcessHeap () returned 0x3a00000 [0070.873] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0070.873] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="235__C~1.PRO")) returned 1 [0070.873] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0070.873] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0070.873] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0070.873] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.211] lstrcmpiW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.211] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml") returned 156 [0071.211] StrStrIW (lpFirst="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.211] lstrcmpW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.211] lstrcmpW (lpString1="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.211] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.211] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.212] GetTickCount () returned 0x11522c7 [0071.212] GetTickCount () returned 0x11522c7 [0071.212] GetTickCount () returned 0x11522c7 [0071.212] GetTickCount () returned 0x11522c7 [0071.212] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.212] GetProcessHeap () returned 0x3a00000 [0071.212] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.212] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x383, lpOverlapped=0x0) returned 1 [0071.214] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.214] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x383, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x383, lpOverlapped=0x0) returned 1 [0071.214] GetProcessHeap () returned 0x3a00000 [0071.214] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.214] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.214] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.214] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.214] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.214] CloseHandle (hObject=0x440) returned 1 [0071.214] GetProcessHeap () returned 0x3a00000 [0071.215] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.215] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0071.215] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\235__connections_cellular_lmt (latvia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.215] GetProcessHeap () returned 0x3a00000 [0071.215] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.215] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x310, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="236__C~1.PRO")) returned 1 [0071.215] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.215] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.215] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.215] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.215] lstrcmpiW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.215] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml") returned 158 [0071.216] StrStrIW (lpFirst="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.216] lstrcmpW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.216] lstrcmpW (lpString1="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.216] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.216] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.216] GetTickCount () returned 0x11522c7 [0071.216] GetTickCount () returned 0x11522c7 [0071.216] GetTickCount () returned 0x11522c7 [0071.216] GetTickCount () returned 0x11522c7 [0071.216] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.216] GetProcessHeap () returned 0x3a00000 [0071.216] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.216] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x310, lpOverlapped=0x0) returned 1 [0071.218] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.218] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x310, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x310, lpOverlapped=0x0) returned 1 [0071.218] GetProcessHeap () returned 0x3a00000 [0071.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.218] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.218] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.218] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.218] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.218] CloseHandle (hObject=0x440) returned 1 [0071.218] GetProcessHeap () returned 0x3a00000 [0071.218] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.218] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0071.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\236__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.219] GetProcessHeap () returned 0x3a00000 [0071.219] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.219] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908b0722, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="237__C~1.PRO")) returned 1 [0071.219] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.219] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.219] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.219] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.219] lstrcmpiW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.219] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml") returned 158 [0071.219] StrStrIW (lpFirst="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.219] lstrcmpW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.219] lstrcmpW (lpString1="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.220] GetTickCount () returned 0x11522d6 [0071.220] GetTickCount () returned 0x11522d6 [0071.220] GetTickCount () returned 0x11522d6 [0071.220] GetTickCount () returned 0x11522d6 [0071.220] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.220] GetProcessHeap () returned 0x3a00000 [0071.220] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.220] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0071.221] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.221] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0071.221] GetProcessHeap () returned 0x3a00000 [0071.221] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.221] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.221] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.222] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.222] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.222] CloseHandle (hObject=0x440) returned 1 [0071.222] GetProcessHeap () returned 0x3a00000 [0071.222] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.222] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0071.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\237__connections_cellular_tele2 (latvia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.222] GetProcessHeap () returned 0x3a00000 [0071.222] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.222] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908d698d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="238__C~1.PRO")) returned 1 [0071.223] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.223] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.223] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.223] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.223] lstrcmpiW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.223] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml") returned 158 [0071.223] StrStrIW (lpFirst="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.223] lstrcmpW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.223] lstrcmpW (lpString1="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.223] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.223] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.223] GetTickCount () returned 0x11522d6 [0071.223] GetTickCount () returned 0x11522d6 [0071.223] GetTickCount () returned 0x11522d6 [0071.223] GetTickCount () returned 0x11522d6 [0071.223] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.223] GetProcessHeap () returned 0x3a00000 [0071.223] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.223] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.225] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.225] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.225] GetProcessHeap () returned 0x3a00000 [0071.225] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.225] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.225] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.225] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.225] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.225] CloseHandle (hObject=0x440) returned 1 [0071.225] GetProcessHeap () returned 0x3a00000 [0071.225] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.225] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0071.225] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\238__connections_cellular_alfa (lebanon)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.226] GetProcessHeap () returned 0x3a00000 [0071.226] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.226] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908d698d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="239__C~1.PRO")) returned 1 [0071.226] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.226] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.226] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.226] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.226] lstrcmpiW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.226] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml") returned 163 [0071.226] StrStrIW (lpFirst="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.226] lstrcmpW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.226] lstrcmpW (lpString1="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.226] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.226] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.227] GetTickCount () returned 0x11522d6 [0071.227] GetTickCount () returned 0x11522d6 [0071.227] GetTickCount () returned 0x11522d6 [0071.227] GetTickCount () returned 0x11522d6 [0071.227] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.227] GetProcessHeap () returned 0x3a00000 [0071.227] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.227] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x30e, lpOverlapped=0x0) returned 1 [0071.228] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.229] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x30e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x30e, lpOverlapped=0x0) returned 1 [0071.229] GetProcessHeap () returned 0x3a00000 [0071.229] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.229] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.229] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.229] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.229] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.229] CloseHandle (hObject=0x440) returned 1 [0071.229] GetProcessHeap () returned 0x3a00000 [0071.229] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.229] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\239__connections_cellular_mtc touch (lebanon)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.230] GetProcessHeap () returned 0x3a00000 [0071.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.230] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="23__CO~1.PRO")) returned 1 [0071.233] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.233] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.233] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.233] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.233] lstrcmpiW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.233] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml") returned 166 [0071.233] StrStrIW (lpFirst="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.233] lstrcmpW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.233] lstrcmpW (lpString1="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.233] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.233] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.233] GetTickCount () returned 0x11522e6 [0071.233] GetTickCount () returned 0x11522e6 [0071.233] GetTickCount () returned 0x11522e6 [0071.233] GetTickCount () returned 0x11522e6 [0071.233] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.234] GetProcessHeap () returned 0x3a00000 [0071.234] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.234] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0071.235] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.235] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0071.235] GetProcessHeap () returned 0x3a00000 [0071.235] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.235] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.235] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.235] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.235] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.235] CloseHandle (hObject=0x440) returned 1 [0071.236] GetProcessHeap () returned 0x3a00000 [0071.236] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.236] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0071.236] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\23__connections_cellular_vodafone au (australia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.236] GetProcessHeap () returned 0x3a00000 [0071.236] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.236] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908fcbf9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", cAlternateFileName="240__C~1.PRO")) returned 1 [0071.236] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.236] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.236] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.236] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.237] lstrcmpiW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.237] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml") returned 169 [0071.237] StrStrIW (lpFirst="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.237] lstrcmpW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.237] lstrcmpW (lpString1="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.237] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.237] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.237] GetTickCount () returned 0x11522e6 [0071.237] GetTickCount () returned 0x11522e6 [0071.237] GetTickCount () returned 0x11522e6 [0071.237] GetTickCount () returned 0x11522e6 [0071.237] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.237] GetProcessHeap () returned 0x3a00000 [0071.237] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.237] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0071.238] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.238] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0071.239] GetProcessHeap () returned 0x3a00000 [0071.239] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.239] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.239] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.239] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.239] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.239] CloseHandle (hObject=0x440) returned 1 [0071.239] GetProcessHeap () returned 0x3a00000 [0071.239] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.239] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0071.239] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\240__connections_cellular_vodacom lesotho (lesotho)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.240] GetProcessHeap () returned 0x3a00000 [0071.240] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.240] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x908fcbf9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="241__C~1.PRO")) returned 1 [0071.240] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.240] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.240] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.240] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.240] lstrcmpiW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.240] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml") returned 159 [0071.240] StrStrIW (lpFirst="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.240] lstrcmpW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.240] lstrcmpW (lpString1="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.240] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.240] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.240] GetTickCount () returned 0x11522e6 [0071.240] GetTickCount () returned 0x11522e6 [0071.240] GetTickCount () returned 0x11522e6 [0071.240] GetTickCount () returned 0x11522e6 [0071.241] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.241] GetProcessHeap () returned 0x3a00000 [0071.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.241] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0071.242] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.242] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0071.242] GetProcessHeap () returned 0x3a00000 [0071.242] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.242] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.242] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.243] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.243] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.243] CloseHandle (hObject=0x440) returned 1 [0071.243] GetProcessHeap () returned 0x3a00000 [0071.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.243] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0071.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\241__connections_cellular_libyana (libya)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.244] GetProcessHeap () returned 0x3a00000 [0071.244] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.244] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="242__C~1.PRO")) returned 1 [0071.244] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.244] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.244] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.244] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.244] lstrcmpiW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.244] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 171 [0071.244] StrStrIW (lpFirst="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.244] lstrcmpW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.244] lstrcmpW (lpString1="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.244] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.244] GetTickCount () returned 0x11522e6 [0071.244] GetTickCount () returned 0x11522e6 [0071.244] GetTickCount () returned 0x11522e6 [0071.244] GetTickCount () returned 0x11522e6 [0071.244] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.245] GetProcessHeap () returned 0x3a00000 [0071.245] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.245] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0071.246] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.246] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0071.246] GetProcessHeap () returned 0x3a00000 [0071.246] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.246] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.246] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.246] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.246] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.246] CloseHandle (hObject=0x440) returned 1 [0071.246] GetProcessHeap () returned 0x3a00000 [0071.247] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.247] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0071.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\242__connections_cellular_a1 mobilkom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.247] GetProcessHeap () returned 0x3a00000 [0071.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.247] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="243__C~1.PRO")) returned 1 [0071.247] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.247] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.247] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.247] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.247] lstrcmpiW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.247] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml") returned 168 [0071.247] StrStrIW (lpFirst="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.247] lstrcmpW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.247] lstrcmpW (lpString1="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.248] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.248] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.248] GetTickCount () returned 0x11522e6 [0071.248] GetTickCount () returned 0x11522e6 [0071.248] GetTickCount () returned 0x11522e6 [0071.248] GetTickCount () returned 0x11522e6 [0071.248] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.248] GetProcessHeap () returned 0x3a00000 [0071.248] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.248] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0071.365] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.365] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0071.365] GetProcessHeap () returned 0x3a00000 [0071.365] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.366] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.366] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.366] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.366] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.366] CloseHandle (hObject=0x440) returned 1 [0071.366] GetProcessHeap () returned 0x3a00000 [0071.366] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.366] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0071.366] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\243__connections_cellular_bitė lietuva (lithuania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.367] GetProcessHeap () returned 0x3a00000 [0071.367] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.367] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90922e60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x302, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="244__C~1.PRO")) returned 1 [0071.367] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.368] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.368] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.368] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.368] lstrcmpiW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.368] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml") returned 163 [0071.368] StrStrIW (lpFirst="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.368] lstrcmpW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.368] lstrcmpW (lpString1="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.368] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.368] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.368] GetTickCount () returned 0x1152363 [0071.368] GetTickCount () returned 0x1152363 [0071.368] GetTickCount () returned 0x1152363 [0071.368] GetTickCount () returned 0x1152363 [0071.368] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.369] GetProcessHeap () returned 0x3a00000 [0071.369] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.369] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x302, lpOverlapped=0x0) returned 1 [0071.370] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcfe, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.370] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x302, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x302, lpOverlapped=0x0) returned 1 [0071.370] GetProcessHeap () returned 0x3a00000 [0071.370] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.370] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.370] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.370] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.371] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.371] CloseHandle (hObject=0x440) returned 1 [0071.371] GetProcessHeap () returned 0x3a00000 [0071.371] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.371] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\244__connections_cellular_omnitel (lithuania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.372] GetProcessHeap () returned 0x3a00000 [0071.372] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.372] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="245__C~1.PRO")) returned 1 [0071.372] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.372] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.372] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.372] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.372] lstrcmpiW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.372] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml") returned 161 [0071.372] StrStrIW (lpFirst="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.372] lstrcmpW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.372] lstrcmpW (lpString1="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.372] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.372] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.372] GetTickCount () returned 0x1152363 [0071.373] GetTickCount () returned 0x1152363 [0071.373] GetTickCount () returned 0x1152363 [0071.373] GetTickCount () returned 0x1152363 [0071.373] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.373] GetProcessHeap () returned 0x3a00000 [0071.373] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.373] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0071.375] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.375] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0071.375] GetProcessHeap () returned 0x3a00000 [0071.375] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.375] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.375] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.375] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.376] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.376] CloseHandle (hObject=0x440) returned 1 [0071.376] GetProcessHeap () returned 0x3a00000 [0071.376] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.376] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0071.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\245__connections_cellular_tele2 (lithuania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.376] GetProcessHeap () returned 0x3a00000 [0071.377] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.377] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="246__C~1.PRO")) returned 1 [0071.377] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.377] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.377] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.377] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.377] lstrcmpiW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.377] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml") returned 161 [0071.377] StrStrIW (lpFirst="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.377] lstrcmpW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.377] lstrcmpW (lpString1="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.377] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.377] GetTickCount () returned 0x1152372 [0071.377] GetTickCount () returned 0x1152372 [0071.377] GetTickCount () returned 0x1152372 [0071.377] GetTickCount () returned 0x1152372 [0071.377] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.378] GetProcessHeap () returned 0x3a00000 [0071.378] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.378] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.379] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.379] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.379] GetProcessHeap () returned 0x3a00000 [0071.379] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.379] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.379] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.379] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.379] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.379] CloseHandle (hObject=0x440) returned 1 [0071.382] GetProcessHeap () returned 0x3a00000 [0071.382] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.382] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0071.382] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\246__connections_cellular_tele2 (lithuania)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.383] GetProcessHeap () returned 0x3a00000 [0071.383] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.383] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", cAlternateFileName="247__C~1.PRO")) returned 1 [0071.383] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.383] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.383] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.383] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.383] lstrcmpiW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.383] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml") returned 162 [0071.383] StrStrIW (lpFirst="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.383] lstrcmpW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.383] lstrcmpW (lpString1="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.383] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.383] GetTickCount () returned 0x1152372 [0071.383] GetTickCount () returned 0x1152372 [0071.383] GetTickCount () returned 0x1152372 [0071.383] GetTickCount () returned 0x1152372 [0071.383] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.384] GetProcessHeap () returned 0x3a00000 [0071.384] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.384] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x340, lpOverlapped=0x0) returned 1 [0071.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.385] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x340, lpOverlapped=0x0) returned 1 [0071.385] GetProcessHeap () returned 0x3a00000 [0071.385] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.385] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.385] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.385] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.386] CloseHandle (hObject=0x440) returned 1 [0071.386] GetProcessHeap () returned 0x3a00000 [0071.386] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.386] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0071.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\247__connections_cellular_tango (luxembourg)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.386] GetProcessHeap () returned 0x3a00000 [0071.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.386] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909490d0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", cAlternateFileName="248__C~1.PRO")) returned 1 [0071.386] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.387] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.387] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.387] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.387] lstrcmpiW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.387] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml") returned 163 [0071.387] StrStrIW (lpFirst="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.387] lstrcmpW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.387] lstrcmpW (lpString1="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.387] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.387] GetTickCount () returned 0x1152372 [0071.387] GetTickCount () returned 0x1152372 [0071.387] GetTickCount () returned 0x1152372 [0071.387] GetTickCount () returned 0x1152372 [0071.387] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.387] GetProcessHeap () returned 0x3a00000 [0071.387] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.387] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0071.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.389] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0071.389] GetProcessHeap () returned 0x3a00000 [0071.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.389] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.389] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.390] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.390] CloseHandle (hObject=0x440) returned 1 [0071.390] GetProcessHeap () returned 0x3a00000 [0071.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.390] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\248__connections_cellular_orange (luxembourg)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.390] GetProcessHeap () returned 0x3a00000 [0071.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.390] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="249__C~1.PRO")) returned 1 [0071.390] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.391] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.391] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.391] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.391] lstrcmpiW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.391] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 159 [0071.391] StrStrIW (lpFirst="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.391] lstrcmpW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.391] lstrcmpW (lpString1="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.391] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.391] GetTickCount () returned 0x1152382 [0071.391] GetTickCount () returned 0x1152382 [0071.391] GetTickCount () returned 0x1152382 [0071.391] GetTickCount () returned 0x1152382 [0071.391] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.391] GetProcessHeap () returned 0x3a00000 [0071.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.391] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0071.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0071.393] GetProcessHeap () returned 0x3a00000 [0071.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.393] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.393] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.393] CloseHandle (hObject=0x440) returned 1 [0071.393] GetProcessHeap () returned 0x3a00000 [0071.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.393] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0071.393] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\249__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.394] GetProcessHeap () returned 0x3a00000 [0071.394] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.394] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="24__CE~1.PRO")) returned 1 [0071.394] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0071.394] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0071.394] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0071.394] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0071.394] lstrcmpiW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0071.394] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0071.394] StrStrIW (lpFirst="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0071.394] lstrcmpW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.394] lstrcmpW (lpString1="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0071.394] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.394] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.395] GetTickCount () returned 0x1152382 [0071.395] GetTickCount () returned 0x1152382 [0071.395] GetTickCount () returned 0x1152382 [0071.395] GetTickCount () returned 0x1152382 [0071.395] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.396] GetProcessHeap () returned 0x3a00000 [0071.396] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.396] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0071.397] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.397] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0071.397] GetProcessHeap () returned 0x3a00000 [0071.397] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.397] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.397] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.398] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.398] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.398] CloseHandle (hObject=0x440) returned 1 [0071.398] GetProcessHeap () returned 0x3a00000 [0071.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.398] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 180 [0071.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\24__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.399] GetProcessHeap () returned 0x3a00000 [0071.399] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.399] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="250__C~1.PRO")) returned 1 [0071.399] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.399] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.399] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.399] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.399] lstrcmpiW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.399] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 159 [0071.399] StrStrIW (lpFirst="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.399] lstrcmpW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.399] lstrcmpW (lpString1="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.399] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.399] GetTickCount () returned 0x1152382 [0071.399] GetTickCount () returned 0x1152382 [0071.399] GetTickCount () returned 0x1152382 [0071.399] GetTickCount () returned 0x1152382 [0071.399] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.400] GetProcessHeap () returned 0x3a00000 [0071.400] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.400] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0071.472] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.472] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0071.472] GetProcessHeap () returned 0x3a00000 [0071.472] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.472] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.472] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.472] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.473] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.473] CloseHandle (hObject=0x440) returned 1 [0071.473] GetProcessHeap () returned 0x3a00000 [0071.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.473] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0071.473] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\250__connections_cellular_ctm (macao sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.474] GetProcessHeap () returned 0x3a00000 [0071.474] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.474] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="251__C~1.PRO")) returned 1 [0071.474] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.474] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.474] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.474] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.474] lstrcmpiW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.474] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 169 [0071.474] StrStrIW (lpFirst="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.474] lstrcmpW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.474] lstrcmpW (lpString1="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.474] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.474] GetTickCount () returned 0x11523d0 [0071.474] GetTickCount () returned 0x11523d0 [0071.474] GetTickCount () returned 0x11523d0 [0071.474] GetTickCount () returned 0x11523d0 [0071.475] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.475] GetProcessHeap () returned 0x3a00000 [0071.475] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.475] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0071.476] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.476] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0071.476] GetProcessHeap () returned 0x3a00000 [0071.476] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.476] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.476] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.477] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.477] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.477] CloseHandle (hObject=0x440) returned 1 [0071.477] GetProcessHeap () returned 0x3a00000 [0071.477] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.477] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0071.477] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\251__connections_cellular_hutchison - 3 (macao sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.477] GetProcessHeap () returned 0x3a00000 [0071.477] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.478] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9096f33b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="252__C~1.PRO")) returned 1 [0071.478] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.478] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.478] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.478] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.478] lstrcmpiW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.478] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0071.478] StrStrIW (lpFirst="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.478] lstrcmpW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.478] lstrcmpW (lpString1="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.478] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.478] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.478] GetTickCount () returned 0x11523d0 [0071.478] GetTickCount () returned 0x11523d0 [0071.478] GetTickCount () returned 0x11523d0 [0071.478] GetTickCount () returned 0x11523d0 [0071.478] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.478] GetProcessHeap () returned 0x3a00000 [0071.478] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.478] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.480] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0071.480] GetProcessHeap () returned 0x3a00000 [0071.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.480] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.480] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.480] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.480] CloseHandle (hObject=0x440) returned 1 [0071.480] GetProcessHeap () returned 0x3a00000 [0071.481] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.481] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\252__connections_cellular_smartone (macao sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.481] GetProcessHeap () returned 0x3a00000 [0071.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.481] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x361, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", cAlternateFileName="253__C~1.PRO")) returned 1 [0071.481] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.481] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.481] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.481] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.481] lstrcmpiW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.481] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml") returned 180 [0071.481] StrStrIW (lpFirst="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.481] lstrcmpW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.481] lstrcmpW (lpString1="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.481] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.481] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.482] GetTickCount () returned 0x11523d0 [0071.482] GetTickCount () returned 0x11523d0 [0071.482] GetTickCount () returned 0x11523d0 [0071.482] GetTickCount () returned 0x11523d0 [0071.482] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.482] GetProcessHeap () returned 0x3a00000 [0071.482] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.482] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x361, lpOverlapped=0x0) returned 1 [0071.483] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.483] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x361, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x361, lpOverlapped=0x0) returned 1 [0071.484] GetProcessHeap () returned 0x3a00000 [0071.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.484] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.484] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.484] CloseHandle (hObject=0x440) returned 1 [0071.484] GetProcessHeap () returned 0x3a00000 [0071.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.484] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0071.484] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\253__connections_cellular_t-mobile macedonia (macedonia, fyro)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.485] GetProcessHeap () returned 0x3a00000 [0071.485] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.485] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="254__C~1.PRO")) returned 1 [0071.485] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.485] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.485] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.485] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.485] lstrcmpiW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.485] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml") returned 180 [0071.485] StrStrIW (lpFirst="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.485] lstrcmpW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.485] lstrcmpW (lpString1="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.485] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.485] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.485] GetTickCount () returned 0x11523e0 [0071.485] GetTickCount () returned 0x11523e0 [0071.485] GetTickCount () returned 0x11523e0 [0071.486] GetTickCount () returned 0x11523e0 [0071.486] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.486] GetProcessHeap () returned 0x3a00000 [0071.486] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.486] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x368, lpOverlapped=0x0) returned 1 [0071.487] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.487] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x368, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x368, lpOverlapped=0x0) returned 1 [0071.487] GetProcessHeap () returned 0x3a00000 [0071.487] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.487] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.487] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.487] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.488] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.488] CloseHandle (hObject=0x440) returned 1 [0071.488] GetProcessHeap () returned 0x3a00000 [0071.488] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.488] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0071.488] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\254__connections_cellular_vip operator (republic of macedonia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.489] GetProcessHeap () returned 0x3a00000 [0071.489] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.489] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="255__C~1.PRO")) returned 1 [0071.490] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0071.490] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0071.490] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0071.490] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0071.490] lstrcmpiW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0071.490] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0071.490] StrStrIW (lpFirst="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0071.490] lstrcmpW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.490] lstrcmpW (lpString1="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0071.490] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.491] GetTickCount () returned 0x11523e0 [0071.491] GetTickCount () returned 0x11523e0 [0071.491] GetTickCount () returned 0x11523e0 [0071.491] GetTickCount () returned 0x11523e0 [0071.491] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.491] GetProcessHeap () returned 0x3a00000 [0071.491] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.491] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0071.492] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.492] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0071.492] GetProcessHeap () returned 0x3a00000 [0071.492] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.493] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.493] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.493] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.493] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.493] CloseHandle (hObject=0x440) returned 1 [0071.493] GetProcessHeap () returned 0x3a00000 [0071.493] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.494] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0071.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\255__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.494] GetProcessHeap () returned 0x3a00000 [0071.494] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.494] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909955a7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="256__C~1.PRO")) returned 1 [0071.494] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.494] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.494] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.494] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.494] lstrcmpiW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.494] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml") returned 170 [0071.494] StrStrIW (lpFirst="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.494] lstrcmpW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.494] lstrcmpW (lpString1="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.494] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.495] GetTickCount () returned 0x11523e0 [0071.495] GetTickCount () returned 0x11523e0 [0071.495] GetTickCount () returned 0x11523e0 [0071.495] GetTickCount () returned 0x11523e0 [0071.495] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.495] GetProcessHeap () returned 0x3a00000 [0071.495] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.495] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0071.496] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.496] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0071.497] GetProcessHeap () returned 0x3a00000 [0071.497] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.497] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.497] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.497] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.497] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.497] CloseHandle (hObject=0x440) returned 1 [0071.497] GetProcessHeap () returned 0x3a00000 [0071.497] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.497] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0071.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\256__connections_cellular_celcom malaysia (malaysia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.498] GetProcessHeap () returned 0x3a00000 [0071.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.498] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="257__C~1.PRO")) returned 1 [0071.498] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.498] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.498] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.498] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.498] lstrcmpiW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.499] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml") returned 159 [0071.499] StrStrIW (lpFirst="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.499] lstrcmpW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.499] lstrcmpW (lpString1="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.499] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.499] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.499] GetTickCount () returned 0x11523ef [0071.499] GetTickCount () returned 0x11523ef [0071.500] GetTickCount () returned 0x11523ef [0071.500] GetTickCount () returned 0x11523ef [0071.500] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.500] GetProcessHeap () returned 0x3a00000 [0071.500] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.500] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.501] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.501] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.501] GetProcessHeap () returned 0x3a00000 [0071.501] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.501] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.501] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.501] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.502] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.502] CloseHandle (hObject=0x440) returned 1 [0071.502] GetProcessHeap () returned 0x3a00000 [0071.502] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.502] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0071.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\257__connections_cellular_digi (malaysia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.502] GetProcessHeap () returned 0x3a00000 [0071.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.502] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="258__C~1.PRO")) returned 1 [0071.502] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.502] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.502] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.503] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.503] lstrcmpiW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.503] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml") returned 159 [0071.503] StrStrIW (lpFirst="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.503] lstrcmpW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.503] lstrcmpW (lpString1="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.503] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.503] GetTickCount () returned 0x11523ef [0071.503] GetTickCount () returned 0x11523ef [0071.503] GetTickCount () returned 0x11523ef [0071.503] GetTickCount () returned 0x11523ef [0071.503] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.503] GetProcessHeap () returned 0x3a00000 [0071.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.503] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.505] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.505] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.505] GetProcessHeap () returned 0x3a00000 [0071.505] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.505] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.505] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.505] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.505] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.505] CloseHandle (hObject=0x440) returned 1 [0071.505] GetProcessHeap () returned 0x3a00000 [0071.505] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.505] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0071.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\258__connections_cellular_digi (malaysia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.506] GetProcessHeap () returned 0x3a00000 [0071.506] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.506] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="259__C~1.PRO")) returned 1 [0071.506] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.506] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.506] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.506] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.506] lstrcmpiW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.506] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml") returned 160 [0071.506] StrStrIW (lpFirst="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.506] lstrcmpW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.506] lstrcmpW (lpString1="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.506] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.506] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.507] GetTickCount () returned 0x11523ef [0071.507] GetTickCount () returned 0x11523ef [0071.507] GetTickCount () returned 0x11523ef [0071.507] GetTickCount () returned 0x11523ef [0071.507] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.507] GetProcessHeap () returned 0x3a00000 [0071.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.507] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0071.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.604] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0071.604] GetProcessHeap () returned 0x3a00000 [0071.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.604] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.605] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.605] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.605] CloseHandle (hObject=0x440) returned 1 [0071.605] GetProcessHeap () returned 0x3a00000 [0071.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.605] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0071.605] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\259__connections_cellular_maxis (malaysia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.606] GetProcessHeap () returned 0x3a00000 [0071.606] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.606] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="25__CE~1.PRO")) returned 1 [0071.606] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0071.606] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0071.606] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0071.606] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0071.606] lstrcmpiW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0071.606] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0071.606] StrStrIW (lpFirst="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0071.606] lstrcmpW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.606] lstrcmpW (lpString1="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0071.606] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.607] GetTickCount () returned 0x115244d [0071.607] GetTickCount () returned 0x115244d [0071.607] GetTickCount () returned 0x115244d [0071.607] GetTickCount () returned 0x115244d [0071.607] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.607] GetProcessHeap () returned 0x3a00000 [0071.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.607] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0071.608] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.608] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0071.608] GetProcessHeap () returned 0x3a00000 [0071.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.608] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.608] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.609] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.609] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.609] CloseHandle (hObject=0x440) returned 1 [0071.609] GetProcessHeap () returned 0x3a00000 [0071.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.609] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0071.609] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\25__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.610] GetProcessHeap () returned 0x3a00000 [0071.610] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.610] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="260__C~1.PRO")) returned 1 [0071.610] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.610] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.610] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.610] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.610] lstrcmpiW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.610] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml") returned 160 [0071.610] StrStrIW (lpFirst="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.610] lstrcmpW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.610] lstrcmpW (lpString1="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.610] GetTickCount () returned 0x115245d [0071.610] GetTickCount () returned 0x115245d [0071.611] GetTickCount () returned 0x115245d [0071.611] GetTickCount () returned 0x115245d [0071.611] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.611] GetProcessHeap () returned 0x3a00000 [0071.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.611] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.612] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.612] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.612] GetProcessHeap () returned 0x3a00000 [0071.612] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.612] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.612] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.612] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.613] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.613] CloseHandle (hObject=0x440) returned 1 [0071.613] GetProcessHeap () returned 0x3a00000 [0071.613] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.613] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0071.613] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\260__connections_cellular_maxis (malaysia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.613] GetProcessHeap () returned 0x3a00000 [0071.613] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.613] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909bb812, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="261__C~1.PRO")) returned 1 [0071.613] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.613] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.614] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.614] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.614] lstrcmpiW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.614] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml") returned 160 [0071.614] StrStrIW (lpFirst="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.614] lstrcmpW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.614] lstrcmpW (lpString1="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.614] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.614] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.614] GetTickCount () returned 0x115245d [0071.614] GetTickCount () returned 0x115245d [0071.614] GetTickCount () returned 0x115245d [0071.614] GetTickCount () returned 0x115245d [0071.614] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.614] GetProcessHeap () returned 0x3a00000 [0071.614] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.614] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0071.616] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.616] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0071.616] GetProcessHeap () returned 0x3a00000 [0071.616] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.616] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.616] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.616] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.616] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.616] CloseHandle (hObject=0x440) returned 1 [0071.616] GetProcessHeap () returned 0x3a00000 [0071.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.616] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0071.616] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\261__connections_cellular_maxis (malaysia)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.617] GetProcessHeap () returned 0x3a00000 [0071.617] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.617] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="262__C~1.PRO")) returned 1 [0071.617] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.617] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.617] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.617] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.617] lstrcmpiW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.617] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml") returned 162 [0071.617] StrStrIW (lpFirst="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.617] lstrcmpW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.617] lstrcmpW (lpString1="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.617] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.618] GetTickCount () returned 0x115245d [0071.618] GetTickCount () returned 0x115245d [0071.618] GetTickCount () returned 0x115245d [0071.618] GetTickCount () returned 0x115245d [0071.618] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.618] GetProcessHeap () returned 0x3a00000 [0071.618] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.618] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0071.620] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.620] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0071.620] GetProcessHeap () returned 0x3a00000 [0071.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.620] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.620] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.620] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.620] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.620] CloseHandle (hObject=0x440) returned 1 [0071.620] GetProcessHeap () returned 0x3a00000 [0071.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.620] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0071.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\262__connections_cellular_timecel (malaysia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.621] GetProcessHeap () returned 0x3a00000 [0071.621] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.621] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="263__C~1.PRO")) returned 1 [0071.621] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.621] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.621] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.621] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.621] lstrcmpiW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.621] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml") returned 163 [0071.621] StrStrIW (lpFirst="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.621] lstrcmpW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.621] lstrcmpW (lpString1="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.621] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.621] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.622] GetTickCount () returned 0x115245d [0071.622] GetTickCount () returned 0x115245d [0071.622] GetTickCount () returned 0x115245d [0071.622] GetTickCount () returned 0x115245d [0071.622] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.622] GetProcessHeap () returned 0x3a00000 [0071.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.622] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0071.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0071.624] GetProcessHeap () returned 0x3a00000 [0071.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.624] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.624] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.625] CloseHandle (hObject=0x440) returned 1 [0071.625] GetProcessHeap () returned 0x3a00000 [0071.625] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.625] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\263__connections_cellular_u mobile (malaysia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.625] GetProcessHeap () returned 0x3a00000 [0071.625] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.626] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", cAlternateFileName="264__C~1.PRO")) returned 1 [0071.626] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.626] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.626] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.626] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.626] lstrcmpiW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.626] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml") returned 161 [0071.626] StrStrIW (lpFirst="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.626] lstrcmpW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.626] lstrcmpW (lpString1="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.626] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.626] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.626] GetTickCount () returned 0x115246c [0071.626] GetTickCount () returned 0x115246c [0071.626] GetTickCount () returned 0x115246c [0071.626] GetTickCount () returned 0x115246c [0071.626] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.626] GetProcessHeap () returned 0x3a00000 [0071.626] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.626] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0071.628] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.628] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0071.628] GetProcessHeap () returned 0x3a00000 [0071.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.628] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.628] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.628] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.628] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.628] CloseHandle (hObject=0x440) returned 1 [0071.629] GetProcessHeap () returned 0x3a00000 [0071.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.629] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0071.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\264__connections_cellular_go mobile (malta)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.629] GetProcessHeap () returned 0x3a00000 [0071.629] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.629] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x909e1a7e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", cAlternateFileName="265__C~1.PRO")) returned 1 [0071.629] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.629] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.629] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.630] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.630] lstrcmpiW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.630] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml") returned 161 [0071.630] StrStrIW (lpFirst="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.630] lstrcmpW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.630] lstrcmpW (lpString1="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.630] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.630] GetTickCount () returned 0x115246c [0071.630] GetTickCount () returned 0x115246c [0071.630] GetTickCount () returned 0x115246c [0071.630] GetTickCount () returned 0x115246c [0071.630] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.630] GetProcessHeap () returned 0x3a00000 [0071.630] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.630] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0071.632] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0071.632] GetProcessHeap () returned 0x3a00000 [0071.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.632] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.632] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.632] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.632] CloseHandle (hObject=0x440) returned 1 [0071.632] GetProcessHeap () returned 0x3a00000 [0071.632] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.632] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0071.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\265__connections_cellular_go mobile (malta)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.633] GetProcessHeap () returned 0x3a00000 [0071.633] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.633] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", cAlternateFileName="266__C~1.PRO")) returned 1 [0071.633] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.633] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.633] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.633] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.633] lstrcmpiW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.633] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml") returned 166 [0071.633] StrStrIW (lpFirst="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.633] lstrcmpW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.633] lstrcmpW (lpString1="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.633] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.633] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.634] GetTickCount () returned 0x115246c [0071.634] GetTickCount () returned 0x115246c [0071.634] GetTickCount () returned 0x115246c [0071.634] GetTickCount () returned 0x115246c [0071.634] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.634] GetProcessHeap () returned 0x3a00000 [0071.634] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.634] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0071.635] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.635] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0071.635] GetProcessHeap () returned 0x3a00000 [0071.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.635] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.635] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.636] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.636] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.636] CloseHandle (hObject=0x440) returned 1 [0071.636] GetProcessHeap () returned 0x3a00000 [0071.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.636] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0071.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\266__connections_cellular_vodafone malta (malta)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.637] GetProcessHeap () returned 0x3a00000 [0071.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.637] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="267__C~1.PRO")) returned 1 [0071.637] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0071.637] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0071.637] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0071.637] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0071.637] lstrcmpiW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0071.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0071.637] StrStrIW (lpFirst="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0071.637] lstrcmpW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.637] lstrcmpW (lpString1="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0071.637] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.637] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.637] GetTickCount () returned 0x115246c [0071.637] GetTickCount () returned 0x115246c [0071.637] GetTickCount () returned 0x115246c [0071.637] GetTickCount () returned 0x115246c [0071.637] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.637] GetProcessHeap () returned 0x3a00000 [0071.637] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.638] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0071.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0071.639] GetProcessHeap () returned 0x3a00000 [0071.639] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.639] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.639] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.782] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.782] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.782] CloseHandle (hObject=0x440) returned 1 [0071.782] GetProcessHeap () returned 0x3a00000 [0071.782] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.782] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0071.782] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\267__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.783] GetProcessHeap () returned 0x3a00000 [0071.783] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.783] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="268__C~1.PRO")) returned 1 [0071.783] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.783] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.783] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.783] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.783] lstrcmpiW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.783] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml") returned 163 [0071.783] StrStrIW (lpFirst="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.783] lstrcmpW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.783] lstrcmpW (lpString1="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.783] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.783] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.784] GetTickCount () returned 0x1152509 [0071.784] GetTickCount () returned 0x1152509 [0071.784] GetTickCount () returned 0x1152509 [0071.784] GetTickCount () returned 0x1152509 [0071.784] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.784] GetProcessHeap () returned 0x3a00000 [0071.784] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.784] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0071.786] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.786] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0071.786] GetProcessHeap () returned 0x3a00000 [0071.786] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.786] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.786] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.786] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.786] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.786] CloseHandle (hObject=0x440) returned 1 [0071.786] GetProcessHeap () returned 0x3a00000 [0071.786] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.786] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.787] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\268__connections_cellular_telcel gsm (mexico)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.787] GetProcessHeap () returned 0x3a00000 [0071.787] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.787] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="269__C~1.PRO")) returned 1 [0071.787] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0071.787] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0071.787] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0071.787] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0071.787] lstrcmpiW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0071.787] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0071.787] StrStrIW (lpFirst="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0071.787] lstrcmpW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.787] lstrcmpW (lpString1="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0071.787] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.787] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.788] GetTickCount () returned 0x1152509 [0071.788] GetTickCount () returned 0x1152509 [0071.788] GetTickCount () returned 0x1152509 [0071.788] GetTickCount () returned 0x1152509 [0071.788] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.788] GetProcessHeap () returned 0x3a00000 [0071.788] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.788] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0071.789] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.789] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0071.789] GetProcessHeap () returned 0x3a00000 [0071.789] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.789] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.789] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.790] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.790] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.790] CloseHandle (hObject=0x440) returned 1 [0071.790] GetProcessHeap () returned 0x3a00000 [0071.790] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.790] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0071.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\269__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.791] GetProcessHeap () returned 0x3a00000 [0071.791] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.791] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x33b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="26__CO~1.PRO")) returned 1 [0071.791] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.791] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.791] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.791] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.791] lstrcmpiW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.791] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml") returned 155 [0071.791] StrStrIW (lpFirst="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.791] lstrcmpW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.791] lstrcmpW (lpString1="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.791] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.792] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.792] GetTickCount () returned 0x1152509 [0071.792] GetTickCount () returned 0x1152509 [0071.792] GetTickCount () returned 0x1152509 [0071.792] GetTickCount () returned 0x1152509 [0071.792] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.792] GetProcessHeap () returned 0x3a00000 [0071.792] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.792] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x33b, lpOverlapped=0x0) returned 1 [0071.793] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcc5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.793] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x33b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x33b, lpOverlapped=0x0) returned 1 [0071.794] GetProcessHeap () returned 0x3a00000 [0071.794] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.794] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.794] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.794] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.794] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.794] CloseHandle (hObject=0x440) returned 1 [0071.794] GetProcessHeap () returned 0x3a00000 [0071.794] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.794] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0071.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\26__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.795] GetProcessHeap () returned 0x3a00000 [0071.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.795] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a07ce9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x317, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="270__C~1.PRO")) returned 1 [0071.795] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.795] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.795] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.795] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.795] lstrcmpiW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.795] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml") returned 163 [0071.795] StrStrIW (lpFirst="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.795] lstrcmpW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.795] lstrcmpW (lpString1="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.795] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.796] GetTickCount () returned 0x1152518 [0071.796] GetTickCount () returned 0x1152518 [0071.796] GetTickCount () returned 0x1152518 [0071.796] GetTickCount () returned 0x1152518 [0071.796] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.796] GetProcessHeap () returned 0x3a00000 [0071.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.796] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x317, lpOverlapped=0x0) returned 1 [0071.797] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffce9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.797] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x317, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x317, lpOverlapped=0x0) returned 1 [0071.798] GetProcessHeap () returned 0x3a00000 [0071.798] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.798] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.798] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.798] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.798] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.798] CloseHandle (hObject=0x440) returned 1 [0071.798] GetProcessHeap () returned 0x3a00000 [0071.798] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.798] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0071.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\270__connections_cellular_telefonica (mexico)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.799] GetProcessHeap () returned 0x3a00000 [0071.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.799] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x389, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="271__C~1.PRO")) returned 1 [0071.801] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.801] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.801] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.801] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.801] lstrcmpiW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.801] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml") returned 164 [0071.801] StrStrIW (lpFirst="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.801] lstrcmpW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.801] lstrcmpW (lpString1="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.801] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.801] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.802] GetTickCount () returned 0x1152518 [0071.802] GetTickCount () returned 0x1152518 [0071.802] GetTickCount () returned 0x1152518 [0071.802] GetTickCount () returned 0x1152518 [0071.802] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.802] GetProcessHeap () returned 0x3a00000 [0071.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.802] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x389, lpOverlapped=0x0) returned 1 [0071.803] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc77, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.803] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x389, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x389, lpOverlapped=0x0) returned 1 [0071.807] GetProcessHeap () returned 0x3a00000 [0071.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.807] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.807] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.807] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.807] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.807] CloseHandle (hObject=0x440) returned 1 [0071.808] GetProcessHeap () returned 0x3a00000 [0071.808] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.808] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\271__connections_cellular_telenor (montenegro)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.808] GetProcessHeap () returned 0x3a00000 [0071.808] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.808] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="272__C~1.PRO")) returned 1 [0071.808] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.808] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.808] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.808] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.808] lstrcmpiW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.809] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml") returned 165 [0071.809] StrStrIW (lpFirst="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.809] lstrcmpW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.809] lstrcmpW (lpString1="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.809] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.809] GetTickCount () returned 0x1152518 [0071.809] GetTickCount () returned 0x1152518 [0071.809] GetTickCount () returned 0x1152518 [0071.809] GetTickCount () returned 0x1152518 [0071.809] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.809] GetProcessHeap () returned 0x3a00000 [0071.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.809] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0071.810] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.811] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0071.811] GetProcessHeap () returned 0x3a00000 [0071.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.811] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.811] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.811] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.811] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.811] CloseHandle (hObject=0x440) returned 1 [0071.811] GetProcessHeap () returned 0x3a00000 [0071.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.811] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.812] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\272__connections_cellular_t-mobile (montenegro)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.812] GetProcessHeap () returned 0x3a00000 [0071.812] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.812] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a2df51, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", cAlternateFileName="273__C~1.PRO")) returned 1 [0071.812] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.812] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.812] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.812] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.812] lstrcmpiW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.812] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml") returned 175 [0071.812] StrStrIW (lpFirst="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.812] lstrcmpW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.813] lstrcmpW (lpString1="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.813] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.813] GetTickCount () returned 0x1152528 [0071.813] GetTickCount () returned 0x1152528 [0071.813] GetTickCount () returned 0x1152528 [0071.813] GetTickCount () returned 0x1152528 [0071.813] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.813] GetProcessHeap () returned 0x3a00000 [0071.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.813] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x357, lpOverlapped=0x0) returned 1 [0071.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x357, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x357, lpOverlapped=0x0) returned 1 [0071.814] GetProcessHeap () returned 0x3a00000 [0071.815] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.815] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.815] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.815] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.815] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.815] CloseHandle (hObject=0x440) returned 1 [0071.815] GetProcessHeap () returned 0x3a00000 [0071.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0071.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\273__connections_cellular_crnogorski telekom (montenegro)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.816] GetProcessHeap () returned 0x3a00000 [0071.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.816] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a541c1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", cAlternateFileName="274__C~1.PRO")) returned 1 [0071.816] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.816] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.816] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.816] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.816] lstrcmpiW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.816] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml") returned 167 [0071.816] StrStrIW (lpFirst="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.816] lstrcmpW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.816] lstrcmpW (lpString1="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.816] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.816] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.816] GetTickCount () returned 0x1152528 [0071.817] GetTickCount () returned 0x1152528 [0071.817] GetTickCount () returned 0x1152528 [0071.817] GetTickCount () returned 0x1152528 [0071.817] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.817] GetProcessHeap () returned 0x3a00000 [0071.817] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.817] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0071.860] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.860] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0071.860] GetProcessHeap () returned 0x3a00000 [0071.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.860] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.860] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.860] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.860] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.860] CloseHandle (hObject=0x440) returned 1 [0071.860] GetProcessHeap () returned 0x3a00000 [0071.860] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.860] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0071.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\274__connections_cellular_maroc telecom (morocco)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.861] GetProcessHeap () returned 0x3a00000 [0071.861] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.861] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a541c1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", cAlternateFileName="275__C~1.PRO")) returned 1 [0071.861] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.861] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.861] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.862] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.862] lstrcmpiW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.862] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml") returned 175 [0071.862] StrStrIW (lpFirst="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.862] lstrcmpW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.862] lstrcmpW (lpString1="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.862] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.862] GetTickCount () returned 0x1152557 [0071.862] GetTickCount () returned 0x1152557 [0071.862] GetTickCount () returned 0x1152557 [0071.862] GetTickCount () returned 0x1152557 [0071.862] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.862] GetProcessHeap () returned 0x3a00000 [0071.862] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.862] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0071.864] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.864] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0071.864] GetProcessHeap () returned 0x3a00000 [0071.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.864] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.864] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.864] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.864] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.865] CloseHandle (hObject=0x440) returned 1 [0071.865] GetProcessHeap () returned 0x3a00000 [0071.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.865] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0071.865] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\275__connections_cellular_vodacom mozambique (mozambique)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.865] GetProcessHeap () returned 0x3a00000 [0071.865] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.865] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="276__C~1.PRO")) returned 1 [0071.865] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.865] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.866] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.866] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.866] lstrcmpiW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.866] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml") returned 164 [0071.866] StrStrIW (lpFirst="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.866] lstrcmpW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.866] lstrcmpW (lpString1="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.866] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.866] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.866] GetTickCount () returned 0x1152557 [0071.866] GetTickCount () returned 0x1152557 [0071.866] GetTickCount () returned 0x1152557 [0071.866] GetTickCount () returned 0x1152557 [0071.866] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.866] GetProcessHeap () returned 0x3a00000 [0071.866] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.866] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0071.868] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.868] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0071.868] GetProcessHeap () returned 0x3a00000 [0071.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.868] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.868] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.868] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.868] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.868] CloseHandle (hObject=0x440) returned 1 [0071.868] GetProcessHeap () returned 0x3a00000 [0071.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.868] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\276__connections_cellular_kpn-hi (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.869] GetProcessHeap () returned 0x3a00000 [0071.869] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.869] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="277__C~1.PRO")) returned 1 [0071.869] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.869] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.869] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.869] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.869] lstrcmpiW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.869] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml") returned 164 [0071.869] StrStrIW (lpFirst="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.869] lstrcmpW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.869] lstrcmpW (lpString1="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.869] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.870] GetTickCount () returned 0x1152557 [0071.870] GetTickCount () returned 0x1152557 [0071.870] GetTickCount () returned 0x1152557 [0071.870] GetTickCount () returned 0x1152557 [0071.870] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.870] GetProcessHeap () returned 0x3a00000 [0071.870] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.870] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e2, lpOverlapped=0x0) returned 1 [0071.871] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.871] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e2, lpOverlapped=0x0) returned 1 [0071.871] GetProcessHeap () returned 0x3a00000 [0071.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.871] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.872] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.872] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.872] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.872] CloseHandle (hObject=0x440) returned 1 [0071.872] GetProcessHeap () returned 0x3a00000 [0071.872] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.872] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\277__connections_cellular_kpn-hi (netherlands)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.873] GetProcessHeap () returned 0x3a00000 [0071.873] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.873] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", cAlternateFileName="278__C~1.PRO")) returned 1 [0071.873] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.873] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.873] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.873] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.873] lstrcmpiW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.873] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml") returned 165 [0071.873] StrStrIW (lpFirst="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.873] lstrcmpW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.873] lstrcmpW (lpString1="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.873] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.873] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.884] GetTickCount () returned 0x1152566 [0071.884] GetTickCount () returned 0x1152566 [0071.884] GetTickCount () returned 0x1152566 [0071.884] GetTickCount () returned 0x1152566 [0071.884] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.884] GetProcessHeap () returned 0x3a00000 [0071.884] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.884] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0071.885] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.885] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0071.885] GetProcessHeap () returned 0x3a00000 [0071.885] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.885] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.886] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.886] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.886] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.886] CloseHandle (hObject=0x440) returned 1 [0071.886] GetProcessHeap () returned 0x3a00000 [0071.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.886] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\278__connections_cellular_kpn-hi (netherlands)_i10$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.887] GetProcessHeap () returned 0x3a00000 [0071.887] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.887] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90a7a428, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", cAlternateFileName="279__C~1.PRO")) returned 1 [0071.887] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.887] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.887] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.887] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.887] lstrcmpiW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.887] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml") returned 165 [0071.887] StrStrIW (lpFirst="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.887] lstrcmpW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.887] lstrcmpW (lpString1="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.887] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.888] GetTickCount () returned 0x1152566 [0071.888] GetTickCount () returned 0x1152566 [0071.888] GetTickCount () returned 0x1152566 [0071.888] GetTickCount () returned 0x1152566 [0071.888] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.888] GetProcessHeap () returned 0x3a00000 [0071.888] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.888] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e0, lpOverlapped=0x0) returned 1 [0071.889] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.889] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e0, lpOverlapped=0x0) returned 1 [0071.890] GetProcessHeap () returned 0x3a00000 [0071.890] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.890] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.890] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.890] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.890] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.890] CloseHandle (hObject=0x440) returned 1 [0071.890] GetProcessHeap () returned 0x3a00000 [0071.890] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.890] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\279__connections_cellular_kpn-hi (netherlands)_i11$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.891] GetProcessHeap () returned 0x3a00000 [0071.891] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.891] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901892f8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="27__CO~1.PRO")) returned 1 [0071.891] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.891] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.891] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.891] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.891] lstrcmpiW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.891] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml") returned 155 [0071.891] StrStrIW (lpFirst="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.891] lstrcmpW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.891] lstrcmpW (lpString1="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.891] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.891] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.891] GetTickCount () returned 0x1152576 [0071.891] GetTickCount () returned 0x1152576 [0071.891] GetTickCount () returned 0x1152576 [0071.892] GetTickCount () returned 0x1152576 [0071.892] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.892] GetProcessHeap () returned 0x3a00000 [0071.892] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.892] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.893] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.893] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0071.893] GetProcessHeap () returned 0x3a00000 [0071.893] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.893] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.893] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.893] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.893] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.894] CloseHandle (hObject=0x440) returned 1 [0071.894] GetProcessHeap () returned 0x3a00000 [0071.894] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.894] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0071.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\27__connections_cellular_a1 (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.894] GetProcessHeap () returned 0x3a00000 [0071.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.894] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", cAlternateFileName="280__C~1.PRO")) returned 1 [0071.894] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.894] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.894] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.894] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.894] lstrcmpiW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.895] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml") returned 165 [0071.895] StrStrIW (lpFirst="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.895] lstrcmpW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.895] lstrcmpW (lpString1="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.895] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.895] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.895] GetTickCount () returned 0x1152576 [0071.895] GetTickCount () returned 0x1152576 [0071.895] GetTickCount () returned 0x1152576 [0071.895] GetTickCount () returned 0x1152576 [0071.895] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.895] GetProcessHeap () returned 0x3a00000 [0071.895] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.895] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e8, lpOverlapped=0x0) returned 1 [0071.897] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd18, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.897] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e8, lpOverlapped=0x0) returned 1 [0071.897] GetProcessHeap () returned 0x3a00000 [0071.897] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.897] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.897] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.897] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.897] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.897] CloseHandle (hObject=0x440) returned 1 [0071.897] GetProcessHeap () returned 0x3a00000 [0071.897] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.897] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.898] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\280__connections_cellular_kpn-hi (netherlands)_i12$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.898] GetProcessHeap () returned 0x3a00000 [0071.898] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.898] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", cAlternateFileName="281__C~1.PRO")) returned 1 [0071.898] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.898] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.898] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.898] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.898] lstrcmpiW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.898] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml") returned 165 [0071.898] StrStrIW (lpFirst="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.898] lstrcmpW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.898] lstrcmpW (lpString1="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.898] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.898] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.899] GetTickCount () returned 0x1152576 [0071.899] GetTickCount () returned 0x1152576 [0071.899] GetTickCount () returned 0x1152576 [0071.899] GetTickCount () returned 0x1152576 [0071.899] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.899] GetProcessHeap () returned 0x3a00000 [0071.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.899] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0071.900] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.900] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0071.900] GetProcessHeap () returned 0x3a00000 [0071.900] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.900] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.901] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.901] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.901] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.901] CloseHandle (hObject=0x440) returned 1 [0071.901] GetProcessHeap () returned 0x3a00000 [0071.901] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.901] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.901] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\281__connections_cellular_kpn-hi (netherlands)_i13$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.902] GetProcessHeap () returned 0x3a00000 [0071.902] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.902] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", cAlternateFileName="282__C~1.PRO")) returned 1 [0071.902] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.902] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.902] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.902] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.902] lstrcmpiW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.902] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml") returned 165 [0071.902] StrStrIW (lpFirst="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.902] lstrcmpW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.902] lstrcmpW (lpString1="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.902] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.902] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.902] GetTickCount () returned 0x1152576 [0071.902] GetTickCount () returned 0x1152576 [0071.902] GetTickCount () returned 0x1152576 [0071.902] GetTickCount () returned 0x1152576 [0071.902] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.902] GetProcessHeap () returned 0x3a00000 [0071.903] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.903] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0071.904] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.904] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0071.905] GetProcessHeap () returned 0x3a00000 [0071.905] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.905] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.905] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.905] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.905] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.905] CloseHandle (hObject=0x440) returned 1 [0071.905] GetProcessHeap () returned 0x3a00000 [0071.905] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.905] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\282__connections_cellular_kpn-hi (netherlands)_i14$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.906] GetProcessHeap () returned 0x3a00000 [0071.906] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.906] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2df, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", cAlternateFileName="283__C~1.PRO")) returned 1 [0071.906] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.906] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.906] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.906] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.906] lstrcmpiW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.906] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml") returned 165 [0071.906] StrStrIW (lpFirst="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.906] lstrcmpW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.906] lstrcmpW (lpString1="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.906] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.906] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.906] GetTickCount () returned 0x1152586 [0071.907] GetTickCount () returned 0x1152586 [0071.907] GetTickCount () returned 0x1152586 [0071.907] GetTickCount () returned 0x1152586 [0071.907] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.907] GetProcessHeap () returned 0x3a00000 [0071.907] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.907] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2df, lpOverlapped=0x0) returned 1 [0071.961] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd21, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.961] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2df, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2df, lpOverlapped=0x0) returned 1 [0071.962] GetProcessHeap () returned 0x3a00000 [0071.962] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.962] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.962] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.962] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.962] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.962] CloseHandle (hObject=0x440) returned 1 [0071.962] GetProcessHeap () returned 0x3a00000 [0071.962] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.962] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0071.962] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\283__connections_cellular_kpn-hi (netherlands)_i15$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.963] GetProcessHeap () returned 0x3a00000 [0071.963] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.963] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", cAlternateFileName="284__C~1.PRO")) returned 1 [0071.963] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.963] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.963] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.963] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.963] lstrcmpiW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.963] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml") returned 164 [0071.963] StrStrIW (lpFirst="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.963] lstrcmpW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.963] lstrcmpW (lpString1="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.963] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.963] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.964] GetTickCount () returned 0x11525b5 [0071.964] GetTickCount () returned 0x11525b5 [0071.964] GetTickCount () returned 0x11525b5 [0071.964] GetTickCount () returned 0x11525b5 [0071.964] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.964] GetProcessHeap () returned 0x3a00000 [0071.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.964] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0071.965] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.965] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0071.966] GetProcessHeap () returned 0x3a00000 [0071.966] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.966] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.966] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.966] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.966] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.966] CloseHandle (hObject=0x440) returned 1 [0071.966] GetProcessHeap () returned 0x3a00000 [0071.966] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.966] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.966] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\284__connections_cellular_kpn-hi (netherlands)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.967] GetProcessHeap () returned 0x3a00000 [0071.967] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.967] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aa0698, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", cAlternateFileName="285__C~1.PRO")) returned 1 [0071.967] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.967] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.967] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.967] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.967] lstrcmpiW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.967] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml") returned 164 [0071.967] StrStrIW (lpFirst="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.967] lstrcmpW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.967] lstrcmpW (lpString1="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.967] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.967] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.968] GetTickCount () returned 0x11525c4 [0071.968] GetTickCount () returned 0x11525c4 [0071.968] GetTickCount () returned 0x11525c4 [0071.968] GetTickCount () returned 0x11525c4 [0071.968] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.968] GetProcessHeap () returned 0x3a00000 [0071.968] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.968] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0071.969] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.969] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0071.969] GetProcessHeap () returned 0x3a00000 [0071.969] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.969] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.969] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.970] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.970] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.970] CloseHandle (hObject=0x440) returned 1 [0071.970] GetProcessHeap () returned 0x3a00000 [0071.970] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.970] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\285__connections_cellular_kpn-hi (netherlands)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.970] GetProcessHeap () returned 0x3a00000 [0071.970] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.970] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", cAlternateFileName="286__C~1.PRO")) returned 1 [0071.971] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.971] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.971] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.971] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.971] lstrcmpiW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.971] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml") returned 164 [0071.971] StrStrIW (lpFirst="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.971] lstrcmpW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.971] lstrcmpW (lpString1="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.971] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.971] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.971] GetTickCount () returned 0x11525c4 [0071.972] GetTickCount () returned 0x11525c4 [0071.972] GetTickCount () returned 0x11525c4 [0071.972] GetTickCount () returned 0x11525c4 [0071.972] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.972] GetProcessHeap () returned 0x3a00000 [0071.972] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.972] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0071.973] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.973] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0071.973] GetProcessHeap () returned 0x3a00000 [0071.973] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.973] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.973] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.974] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.974] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.974] CloseHandle (hObject=0x440) returned 1 [0071.974] GetProcessHeap () returned 0x3a00000 [0071.974] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.974] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.974] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\286__connections_cellular_kpn-hi (netherlands)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.974] GetProcessHeap () returned 0x3a00000 [0071.974] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.974] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", cAlternateFileName="287__C~1.PRO")) returned 1 [0071.976] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.976] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.976] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.976] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.976] lstrcmpiW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.976] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml") returned 164 [0071.977] StrStrIW (lpFirst="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.977] lstrcmpW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.977] lstrcmpW (lpString1="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.977] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.977] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.977] GetTickCount () returned 0x11525c4 [0071.977] GetTickCount () returned 0x11525c4 [0071.977] GetTickCount () returned 0x11525c4 [0071.977] GetTickCount () returned 0x11525c4 [0071.977] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.977] GetProcessHeap () returned 0x3a00000 [0071.977] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.977] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0071.978] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.978] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0071.979] GetProcessHeap () returned 0x3a00000 [0071.979] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.979] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.979] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.979] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0071.979] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0071.979] CloseHandle (hObject=0x440) returned 1 [0071.979] GetProcessHeap () returned 0x3a00000 [0071.979] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0071.979] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0071.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\287__connections_cellular_kpn-hi (netherlands)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0071.980] GetProcessHeap () returned 0x3a00000 [0071.980] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0071.980] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", cAlternateFileName="288__C~1.PRO")) returned 1 [0071.980] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0071.980] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0071.980] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0071.980] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0071.980] lstrcmpiW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0071.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml") returned 164 [0071.980] StrStrIW (lpFirst="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0071.980] lstrcmpW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0071.980] lstrcmpW (lpString1="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0071.980] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0071.980] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0071.980] GetTickCount () returned 0x11525c4 [0071.980] GetTickCount () returned 0x11525c4 [0071.980] GetTickCount () returned 0x11525c4 [0071.980] GetTickCount () returned 0x11525c4 [0071.981] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0071.981] GetProcessHeap () returned 0x3a00000 [0071.981] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0071.981] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0071.982] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0071.982] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0071.982] GetProcessHeap () returned 0x3a00000 [0071.982] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0071.982] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.982] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0071.982] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.022] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.022] CloseHandle (hObject=0x440) returned 1 [0072.023] GetProcessHeap () returned 0x3a00000 [0072.023] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.023] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0072.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\288__connections_cellular_kpn-hi (netherlands)_i6$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.024] GetProcessHeap () returned 0x3a00000 [0072.024] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.024] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", cAlternateFileName="289__C~1.PRO")) returned 1 [0072.024] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.024] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.024] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.024] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.024] lstrcmpiW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.024] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml") returned 164 [0072.024] StrStrIW (lpFirst="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.024] lstrcmpW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.024] lstrcmpW (lpString1="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.024] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.024] GetTickCount () returned 0x11525f3 [0072.024] GetTickCount () returned 0x11525f3 [0072.024] GetTickCount () returned 0x11525f3 [0072.024] GetTickCount () returned 0x11525f3 [0072.025] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.025] GetProcessHeap () returned 0x3a00000 [0072.025] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.025] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0072.026] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.026] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0072.026] GetProcessHeap () returned 0x3a00000 [0072.026] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.026] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.026] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.027] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.027] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.027] CloseHandle (hObject=0x440) returned 1 [0072.027] GetProcessHeap () returned 0x3a00000 [0072.027] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.027] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0072.027] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\289__connections_cellular_kpn-hi (netherlands)_i7$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.028] GetProcessHeap () returned 0x3a00000 [0072.028] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.028] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x288, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="28__CO~1.PRO")) returned 1 [0072.028] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.028] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.028] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.028] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.028] lstrcmpiW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.028] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml") returned 166 [0072.028] StrStrIW (lpFirst="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.028] lstrcmpW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.028] lstrcmpW (lpString1="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.028] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.028] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.029] GetTickCount () returned 0x11525f3 [0072.029] GetTickCount () returned 0x11525f3 [0072.029] GetTickCount () returned 0x11525f3 [0072.029] GetTickCount () returned 0x11525f3 [0072.029] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.029] GetProcessHeap () returned 0x3a00000 [0072.029] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.029] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x288, lpOverlapped=0x0) returned 1 [0072.031] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.031] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x288, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x288, lpOverlapped=0x0) returned 1 [0072.031] GetProcessHeap () returned 0x3a00000 [0072.031] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.031] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.031] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.031] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.031] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.031] CloseHandle (hObject=0x440) returned 1 [0072.032] GetProcessHeap () returned 0x3a00000 [0072.032] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.032] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\28__connections_cellular_hutchison - 3 (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.032] GetProcessHeap () returned 0x3a00000 [0072.032] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.032] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", cAlternateFileName="290__C~1.PRO")) returned 1 [0072.032] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.032] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.032] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.032] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.032] lstrcmpiW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.032] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml") returned 164 [0072.032] StrStrIW (lpFirst="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.033] lstrcmpW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.033] lstrcmpW (lpString1="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.033] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.033] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.033] GetTickCount () returned 0x1152603 [0072.033] GetTickCount () returned 0x1152603 [0072.033] GetTickCount () returned 0x1152603 [0072.033] GetTickCount () returned 0x1152603 [0072.033] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.033] GetProcessHeap () returned 0x3a00000 [0072.033] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.033] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0072.034] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.034] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0072.035] GetProcessHeap () returned 0x3a00000 [0072.035] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.035] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.035] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.035] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.035] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.035] CloseHandle (hObject=0x440) returned 1 [0072.035] GetProcessHeap () returned 0x3a00000 [0072.035] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.035] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0072.035] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\290__connections_cellular_kpn-hi (netherlands)_i8$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.036] GetProcessHeap () returned 0x3a00000 [0072.036] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.036] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ac6903, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", cAlternateFileName="291__C~1.PRO")) returned 1 [0072.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.036] lstrcmpiW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.036] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml") returned 164 [0072.036] StrStrIW (lpFirst="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.036] lstrcmpW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.036] lstrcmpW (lpString1="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.036] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.036] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.037] GetTickCount () returned 0x1152603 [0072.037] GetTickCount () returned 0x1152603 [0072.037] GetTickCount () returned 0x1152603 [0072.037] GetTickCount () returned 0x1152603 [0072.037] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.037] GetProcessHeap () returned 0x3a00000 [0072.037] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.037] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0072.081] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.082] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0072.082] GetProcessHeap () returned 0x3a00000 [0072.082] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.082] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.082] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.082] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.082] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.082] CloseHandle (hObject=0x440) returned 1 [0072.082] GetProcessHeap () returned 0x3a00000 [0072.082] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.082] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0072.082] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\291__connections_cellular_kpn-hi (netherlands)_i9$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.083] GetProcessHeap () returned 0x3a00000 [0072.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.083] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="292__C~1.PRO")) returned 1 [0072.084] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.084] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.084] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.084] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.084] lstrcmpiW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.084] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml") returned 163 [0072.084] StrStrIW (lpFirst="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.084] lstrcmpW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.084] lstrcmpW (lpString1="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.084] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.084] GetTickCount () returned 0x1152632 [0072.084] GetTickCount () returned 0x1152632 [0072.084] GetTickCount () returned 0x1152632 [0072.084] GetTickCount () returned 0x1152632 [0072.084] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.085] GetProcessHeap () returned 0x3a00000 [0072.085] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.085] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0072.086] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.086] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0072.086] GetProcessHeap () returned 0x3a00000 [0072.086] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.086] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.086] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.086] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.086] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.087] CloseHandle (hObject=0x440) returned 1 [0072.087] GetProcessHeap () returned 0x3a00000 [0072.087] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.087] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.087] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\292__connections_cellular_tele2 (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.087] GetProcessHeap () returned 0x3a00000 [0072.087] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.087] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="293__C~1.PRO")) returned 1 [0072.088] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.088] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.088] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.088] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.088] lstrcmpiW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.088] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml") returned 163 [0072.088] StrStrIW (lpFirst="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.088] lstrcmpW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.088] lstrcmpW (lpString1="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.088] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.088] GetTickCount () returned 0x1152632 [0072.088] GetTickCount () returned 0x1152632 [0072.088] GetTickCount () returned 0x1152632 [0072.088] GetTickCount () returned 0x1152632 [0072.088] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.088] GetProcessHeap () returned 0x3a00000 [0072.088] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.088] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0072.090] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.090] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0072.090] GetProcessHeap () returned 0x3a00000 [0072.090] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.090] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.090] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.090] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.090] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.090] CloseHandle (hObject=0x440) returned 1 [0072.091] GetProcessHeap () returned 0x3a00000 [0072.091] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.091] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.091] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\293__connections_cellular_tele2 (netherlands)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.091] GetProcessHeap () returned 0x3a00000 [0072.091] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.091] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="294__C~1.PRO")) returned 1 [0072.091] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.091] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.091] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.091] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.091] lstrcmpiW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.091] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml") returned 165 [0072.091] StrStrIW (lpFirst="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.091] lstrcmpW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.092] lstrcmpW (lpString1="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.092] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.092] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.092] GetTickCount () returned 0x1152632 [0072.092] GetTickCount () returned 0x1152641 [0072.092] GetTickCount () returned 0x1152641 [0072.092] GetTickCount () returned 0x1152641 [0072.092] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.092] GetProcessHeap () returned 0x3a00000 [0072.092] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.092] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0072.094] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.094] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0072.094] GetProcessHeap () returned 0x3a00000 [0072.094] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.094] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.094] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.094] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.094] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.094] CloseHandle (hObject=0x440) returned 1 [0072.094] GetProcessHeap () returned 0x3a00000 [0072.094] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.094] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.095] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\294__connections_cellular_telfort (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.095] GetProcessHeap () returned 0x3a00000 [0072.095] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.095] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90aecb6b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", cAlternateFileName="295__C~1.PRO")) returned 1 [0072.095] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.095] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.095] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.095] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.095] lstrcmpiW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.095] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml") returned 165 [0072.095] StrStrIW (lpFirst="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.095] lstrcmpW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.095] lstrcmpW (lpString1="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.096] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.096] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.096] GetTickCount () returned 0x1152641 [0072.096] GetTickCount () returned 0x1152641 [0072.096] GetTickCount () returned 0x1152641 [0072.096] GetTickCount () returned 0x1152641 [0072.096] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.096] GetProcessHeap () returned 0x3a00000 [0072.096] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.096] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0072.097] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.097] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0072.098] GetProcessHeap () returned 0x3a00000 [0072.098] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.098] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.098] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.098] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.098] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.098] CloseHandle (hObject=0x440) returned 1 [0072.098] GetProcessHeap () returned 0x3a00000 [0072.098] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.098] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\295__connections_cellular_telfort (netherlands)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.099] GetProcessHeap () returned 0x3a00000 [0072.099] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.099] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", cAlternateFileName="296__C~1.PRO")) returned 1 [0072.099] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.099] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.099] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.099] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.099] lstrcmpiW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.099] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml") returned 165 [0072.099] StrStrIW (lpFirst="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.099] lstrcmpW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.099] lstrcmpW (lpString1="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.099] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.099] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.100] GetTickCount () returned 0x1152641 [0072.100] GetTickCount () returned 0x1152641 [0072.100] GetTickCount () returned 0x1152641 [0072.100] GetTickCount () returned 0x1152641 [0072.100] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.100] GetProcessHeap () returned 0x3a00000 [0072.100] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.100] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e0, lpOverlapped=0x0) returned 1 [0072.101] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.101] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e0, lpOverlapped=0x0) returned 1 [0072.101] GetProcessHeap () returned 0x3a00000 [0072.101] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.101] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.101] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.102] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.102] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.102] CloseHandle (hObject=0x440) returned 1 [0072.102] GetProcessHeap () returned 0x3a00000 [0072.102] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.102] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.102] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\296__connections_cellular_telfort (netherlands)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.102] GetProcessHeap () returned 0x3a00000 [0072.102] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.102] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="297__C~1.PRO")) returned 1 [0072.103] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.103] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.103] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.103] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.103] lstrcmpiW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.103] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml") returned 178 [0072.103] StrStrIW (lpFirst="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.103] lstrcmpW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.103] lstrcmpW (lpString1="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.103] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.103] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.103] GetTickCount () returned 0x1152641 [0072.103] GetTickCount () returned 0x1152641 [0072.103] GetTickCount () returned 0x1152641 [0072.103] GetTickCount () returned 0x1152641 [0072.103] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.103] GetProcessHeap () returned 0x3a00000 [0072.103] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.103] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e7, lpOverlapped=0x0) returned 1 [0072.105] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.105] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e7, lpOverlapped=0x0) returned 1 [0072.105] GetProcessHeap () returned 0x3a00000 [0072.105] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.105] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.105] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.105] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.105] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.106] CloseHandle (hObject=0x440) returned 1 [0072.106] GetProcessHeap () returned 0x3a00000 [0072.106] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.106] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 197 [0072.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\297__connections_cellular_t-mobile netherlands (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.106] GetProcessHeap () returned 0x3a00000 [0072.106] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.106] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="298__C~1.PRO")) returned 1 [0072.106] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.106] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.107] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.107] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.107] lstrcmpiW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.107] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml") returned 169 [0072.107] StrStrIW (lpFirst="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.107] lstrcmpW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.107] lstrcmpW (lpString1="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.107] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.107] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.107] GetTickCount () returned 0x1152641 [0072.107] GetTickCount () returned 0x1152641 [0072.107] GetTickCount () returned 0x1152641 [0072.107] GetTickCount () returned 0x1152641 [0072.107] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.107] GetProcessHeap () returned 0x3a00000 [0072.107] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.107] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0072.109] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.109] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0072.109] GetProcessHeap () returned 0x3a00000 [0072.109] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.109] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.109] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.109] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.109] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.109] CloseHandle (hObject=0x440) returned 1 [0072.109] GetProcessHeap () returned 0x3a00000 [0072.109] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.109] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0072.109] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\298__connections_cellular_vodafone nl (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.110] GetProcessHeap () returned 0x3a00000 [0072.110] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.110] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="299__C~1.PRO")) returned 1 [0072.110] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.110] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.110] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.110] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.110] lstrcmpiW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.110] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.110] StrStrIW (lpFirst="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.110] lstrcmpW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.110] lstrcmpW (lpString1="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.110] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.110] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.111] GetTickCount () returned 0x1152651 [0072.111] GetTickCount () returned 0x1152651 [0072.111] GetTickCount () returned 0x1152651 [0072.111] GetTickCount () returned 0x1152651 [0072.111] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.111] GetProcessHeap () returned 0x3a00000 [0072.111] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.111] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.112] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.112] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.112] GetProcessHeap () returned 0x3a00000 [0072.112] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.112] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.112] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.113] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.113] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.113] CloseHandle (hObject=0x440) returned 1 [0072.113] GetProcessHeap () returned 0x3a00000 [0072.113] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.113] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\299__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.117] GetProcessHeap () returned 0x3a00000 [0072.117] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.117] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="29__CO~1.PRO")) returned 1 [0072.117] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.117] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.117] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.117] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.117] lstrcmpiW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.117] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml") returned 162 [0072.117] StrStrIW (lpFirst="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.117] lstrcmpW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.117] lstrcmpW (lpString1="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.117] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.117] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.118] GetTickCount () returned 0x1152651 [0072.118] GetTickCount () returned 0x1152651 [0072.118] GetTickCount () returned 0x1152651 [0072.118] GetTickCount () returned 0x1152651 [0072.118] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.118] GetProcessHeap () returned 0x3a00000 [0072.118] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.118] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0072.158] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.158] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0072.158] GetProcessHeap () returned 0x3a00000 [0072.158] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.158] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.158] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.158] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.159] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.159] CloseHandle (hObject=0x440) returned 1 [0072.159] GetProcessHeap () returned 0x3a00000 [0072.159] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.159] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0072.159] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\29__connections_cellular_tele.ring (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.160] GetProcessHeap () returned 0x3a00000 [0072.160] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.160] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="2__CON~1.PRO")) returned 1 [0072.161] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.161] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.161] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.161] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.161] lstrcmpiW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.161] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml") returned 158 [0072.161] StrStrIW (lpFirst="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.161] lstrcmpW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.161] lstrcmpW (lpString1="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.161] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.162] GetTickCount () returned 0x1152680 [0072.162] GetTickCount () returned 0x1152680 [0072.162] GetTickCount () returned 0x1152680 [0072.162] GetTickCount () returned 0x1152680 [0072.162] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.162] GetProcessHeap () returned 0x3a00000 [0072.162] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.163] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.164] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.164] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.164] GetProcessHeap () returned 0x3a00000 [0072.164] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.164] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.165] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.165] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.165] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.165] CloseHandle (hObject=0x440) returned 1 [0072.165] GetProcessHeap () returned 0x3a00000 [0072.165] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.165] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0072.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\2__connections_cellular_djezzy (algeria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.166] GetProcessHeap () returned 0x3a00000 [0072.166] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.166] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b12dd6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="300__C~1.PRO")) returned 1 [0072.166] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.166] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.166] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.166] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.166] lstrcmpiW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.166] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml") returned 166 [0072.166] StrStrIW (lpFirst="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.167] lstrcmpW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.167] lstrcmpW (lpString1="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.167] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.167] GetTickCount () returned 0x1152680 [0072.167] GetTickCount () returned 0x1152680 [0072.167] GetTickCount () returned 0x1152680 [0072.167] GetTickCount () returned 0x1152680 [0072.167] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.167] GetProcessHeap () returned 0x3a00000 [0072.167] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.168] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0072.169] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.169] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0072.169] GetProcessHeap () returned 0x3a00000 [0072.169] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.170] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.170] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.170] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.170] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.170] CloseHandle (hObject=0x440) returned 1 [0072.170] GetProcessHeap () returned 0x3a00000 [0072.171] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.171] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\300__connections_cellular_2degrees (new zealand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.171] GetProcessHeap () returned 0x3a00000 [0072.171] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.171] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="301__C~1.PRO")) returned 1 [0072.175] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.175] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.175] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.175] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.175] lstrcmpiW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.175] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml") returned 177 [0072.175] StrStrIW (lpFirst="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.175] lstrcmpW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.175] lstrcmpW (lpString1="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.175] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.175] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.176] GetTickCount () returned 0x115268f [0072.176] GetTickCount () returned 0x115268f [0072.176] GetTickCount () returned 0x115268f [0072.176] GetTickCount () returned 0x115268f [0072.176] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.176] GetProcessHeap () returned 0x3a00000 [0072.176] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.176] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0072.178] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.178] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0072.178] GetProcessHeap () returned 0x3a00000 [0072.178] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.178] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.178] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.178] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.178] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.179] CloseHandle (hObject=0x440) returned 1 [0072.179] GetProcessHeap () returned 0x3a00000 [0072.179] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.179] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 196 [0072.179] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\301__connections_cellular_telecom new zealand (new zealand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.180] GetProcessHeap () returned 0x3a00000 [0072.180] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.180] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", cAlternateFileName="302__C~1.PRO")) returned 1 [0072.180] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.180] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.180] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.180] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.180] lstrcmpiW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.180] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml") returned 177 [0072.180] StrStrIW (lpFirst="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.180] lstrcmpW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.180] lstrcmpW (lpString1="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.180] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.181] GetTickCount () returned 0x115268f [0072.181] GetTickCount () returned 0x115268f [0072.181] GetTickCount () returned 0x115268f [0072.181] GetTickCount () returned 0x115268f [0072.181] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.181] GetProcessHeap () returned 0x3a00000 [0072.181] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.181] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x326, lpOverlapped=0x0) returned 1 [0072.183] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcda, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.183] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x326, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x326, lpOverlapped=0x0) returned 1 [0072.183] GetProcessHeap () returned 0x3a00000 [0072.184] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.184] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.184] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.184] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.184] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.184] CloseHandle (hObject=0x440) returned 1 [0072.184] GetProcessHeap () returned 0x3a00000 [0072.184] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.184] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 196 [0072.184] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\302__connections_cellular_telecom new zealand (new zealand)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.185] GetProcessHeap () returned 0x3a00000 [0072.185] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.185] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="303__C~1.PRO")) returned 1 [0072.185] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.185] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.185] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.185] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.185] lstrcmpiW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.185] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml") returned 169 [0072.185] StrStrIW (lpFirst="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.185] lstrcmpW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.186] lstrcmpW (lpString1="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.186] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.186] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.187] GetTickCount () returned 0x115269f [0072.187] GetTickCount () returned 0x115269f [0072.187] GetTickCount () returned 0x115269f [0072.187] GetTickCount () returned 0x115269f [0072.187] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.187] GetProcessHeap () returned 0x3a00000 [0072.187] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.187] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0072.189] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.189] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0072.189] GetProcessHeap () returned 0x3a00000 [0072.189] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.189] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.189] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.189] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.190] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.190] CloseHandle (hObject=0x440) returned 1 [0072.190] GetProcessHeap () returned 0x3a00000 [0072.190] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.190] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0072.190] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\303__connections_cellular_vodafone nz (new zealand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.191] GetProcessHeap () returned 0x3a00000 [0072.191] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.191] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b39042, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="304__C~1.PRO")) returned 1 [0072.191] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.191] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.191] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.191] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.191] lstrcmpiW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.191] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.191] StrStrIW (lpFirst="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.191] lstrcmpW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.191] lstrcmpW (lpString1="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.191] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.191] GetTickCount () returned 0x115269f [0072.192] GetTickCount () returned 0x115269f [0072.192] GetTickCount () returned 0x115269f [0072.192] GetTickCount () returned 0x115269f [0072.192] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.192] GetProcessHeap () returned 0x3a00000 [0072.192] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.192] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.193] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.193] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.193] GetProcessHeap () returned 0x3a00000 [0072.193] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.193] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.193] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.194] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.194] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.194] CloseHandle (hObject=0x440) returned 1 [0072.194] GetProcessHeap () returned 0x3a00000 [0072.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.194] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\304__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.195] GetProcessHeap () returned 0x3a00000 [0072.195] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.195] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="305__C~1.PRO")) returned 1 [0072.195] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.195] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.195] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.195] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.195] lstrcmpiW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.195] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 161 [0072.195] StrStrIW (lpFirst="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.195] lstrcmpW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.195] lstrcmpW (lpString1="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.195] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.195] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.195] GetTickCount () returned 0x115269f [0072.195] GetTickCount () returned 0x115269f [0072.195] GetTickCount () returned 0x115269f [0072.195] GetTickCount () returned 0x115269f [0072.195] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.196] GetProcessHeap () returned 0x3a00000 [0072.196] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.196] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2fd, lpOverlapped=0x0) returned 1 [0072.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd03, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2fd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2fd, lpOverlapped=0x0) returned 1 [0072.241] GetProcessHeap () returned 0x3a00000 [0072.241] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.241] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.241] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.241] CloseHandle (hObject=0x440) returned 1 [0072.241] GetProcessHeap () returned 0x3a00000 [0072.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.242] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0072.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\305__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.243] GetProcessHeap () returned 0x3a00000 [0072.243] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.243] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x311, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", cAlternateFileName="306__C~1.PRO")) returned 1 [0072.243] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.243] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.243] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.243] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.243] lstrcmpiW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.243] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml") returned 161 [0072.243] StrStrIW (lpFirst="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.243] lstrcmpW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.243] lstrcmpW (lpString1="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.243] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.243] GetTickCount () returned 0x11526ce [0072.243] GetTickCount () returned 0x11526ce [0072.243] GetTickCount () returned 0x11526ce [0072.243] GetTickCount () returned 0x11526ce [0072.243] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.244] GetProcessHeap () returned 0x3a00000 [0072.244] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.244] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x311, lpOverlapped=0x0) returned 1 [0072.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcef, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x311, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x311, lpOverlapped=0x0) returned 1 [0072.245] GetProcessHeap () returned 0x3a00000 [0072.245] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.246] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.246] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.246] CloseHandle (hObject=0x440) returned 1 [0072.246] GetProcessHeap () returned 0x3a00000 [0072.246] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.246] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0072.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\306__connections_cellular_claro (nicaragua)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.247] GetProcessHeap () returned 0x3a00000 [0072.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.247] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="307__C~1.PRO")) returned 1 [0072.247] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.247] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.247] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.247] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.247] lstrcmpiW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.247] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 161 [0072.247] StrStrIW (lpFirst="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.247] lstrcmpW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.247] lstrcmpW (lpString1="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.247] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.247] GetTickCount () returned 0x11526ce [0072.247] GetTickCount () returned 0x11526ce [0072.247] GetTickCount () returned 0x11526ce [0072.247] GetTickCount () returned 0x11526ce [0072.247] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.248] GetProcessHeap () returned 0x3a00000 [0072.248] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.248] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0072.249] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.249] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0072.249] GetProcessHeap () returned 0x3a00000 [0072.249] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.249] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.249] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.250] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.250] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.250] CloseHandle (hObject=0x440) returned 1 [0072.250] GetProcessHeap () returned 0x3a00000 [0072.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.250] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0072.250] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\307__connections_cellular_claro (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.251] GetProcessHeap () returned 0x3a00000 [0072.251] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.251] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b5f2b1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x322, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", cAlternateFileName="308__C~1.PRO")) returned 1 [0072.251] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.251] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.251] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.251] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.251] lstrcmpiW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.251] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml") returned 166 [0072.251] StrStrIW (lpFirst="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.251] lstrcmpW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.251] lstrcmpW (lpString1="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.251] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.251] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.251] GetTickCount () returned 0x11526dd [0072.251] GetTickCount () returned 0x11526dd [0072.251] GetTickCount () returned 0x11526dd [0072.251] GetTickCount () returned 0x11526dd [0072.251] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.251] GetProcessHeap () returned 0x3a00000 [0072.252] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.252] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x322, lpOverlapped=0x0) returned 1 [0072.253] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcde, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.253] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x322, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x322, lpOverlapped=0x0) returned 1 [0072.253] GetProcessHeap () returned 0x3a00000 [0072.253] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.253] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.253] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.253] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.253] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.254] CloseHandle (hObject=0x440) returned 1 [0072.254] GetProcessHeap () returned 0x3a00000 [0072.254] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.254] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.254] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\308__connections_cellular_telefonica (nicaragua)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.254] GetProcessHeap () returned 0x3a00000 [0072.254] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.254] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="309__C~1.PRO")) returned 1 [0072.254] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.254] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.254] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.254] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.254] lstrcmpiW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.255] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml") returned 157 [0072.255] StrStrIW (lpFirst="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.255] lstrcmpW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.255] lstrcmpW (lpString1="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.255] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.255] GetTickCount () returned 0x11526dd [0072.255] GetTickCount () returned 0x11526dd [0072.255] GetTickCount () returned 0x11526dd [0072.255] GetTickCount () returned 0x11526dd [0072.255] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.255] GetProcessHeap () returned 0x3a00000 [0072.255] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.255] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.257] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.257] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.257] GetProcessHeap () returned 0x3a00000 [0072.257] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.257] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.257] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.257] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.257] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.257] CloseHandle (hObject=0x440) returned 1 [0072.257] GetProcessHeap () returned 0x3a00000 [0072.257] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.257] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0072.257] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\309__connections_cellular_mtn (nigeria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.258] GetProcessHeap () returned 0x3a00000 [0072.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.258] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901af563, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="30__CO~1.PRO")) returned 1 [0072.258] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.258] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.258] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.258] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.258] lstrcmpiW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.258] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml") returned 169 [0072.258] StrStrIW (lpFirst="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.258] lstrcmpW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.258] lstrcmpW (lpString1="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.259] GetTickCount () returned 0x11526dd [0072.259] GetTickCount () returned 0x11526dd [0072.259] GetTickCount () returned 0x11526dd [0072.259] GetTickCount () returned 0x11526dd [0072.259] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.259] GetProcessHeap () returned 0x3a00000 [0072.259] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.259] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35b, lpOverlapped=0x0) returned 1 [0072.261] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.261] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35b, lpOverlapped=0x0) returned 1 [0072.261] GetProcessHeap () returned 0x3a00000 [0072.261] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.261] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.261] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.261] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.261] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.261] CloseHandle (hObject=0x440) returned 1 [0072.261] GetProcessHeap () returned 0x3a00000 [0072.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.261] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0072.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\30__connections_cellular_t-mobile austria (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.262] GetProcessHeap () returned 0x3a00000 [0072.262] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.262] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="310__C~1.PRO")) returned 1 [0072.262] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.262] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.262] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.262] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.262] lstrcmpiW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.262] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml") returned 159 [0072.262] StrStrIW (lpFirst="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.262] lstrcmpW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.262] lstrcmpW (lpString1="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.263] GetTickCount () returned 0x11526dd [0072.263] GetTickCount () returned 0x11526dd [0072.263] GetTickCount () returned 0x11526dd [0072.263] GetTickCount () returned 0x11526dd [0072.263] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.263] GetProcessHeap () returned 0x3a00000 [0072.263] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.263] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0072.265] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.265] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0072.265] GetProcessHeap () returned 0x3a00000 [0072.265] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.265] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.265] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.266] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.266] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.266] CloseHandle (hObject=0x440) returned 1 [0072.266] GetProcessHeap () returned 0x3a00000 [0072.266] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.266] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0072.266] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\310__connections_cellular_netcom (norway)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.267] GetProcessHeap () returned 0x3a00000 [0072.267] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.267] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="311__C~1.PRO")) returned 1 [0072.267] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.267] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.267] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.267] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.267] lstrcmpiW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.267] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml") returned 163 [0072.267] StrStrIW (lpFirst="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.267] lstrcmpW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.267] lstrcmpW (lpString1="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.267] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.267] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.267] GetTickCount () returned 0x11526ed [0072.267] GetTickCount () returned 0x11526ed [0072.267] GetTickCount () returned 0x11526ed [0072.267] GetTickCount () returned 0x11526ed [0072.267] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.268] GetProcessHeap () returned 0x3a00000 [0072.268] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.268] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.269] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.269] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.269] GetProcessHeap () returned 0x3a00000 [0072.269] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.269] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.269] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.269] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.269] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.269] CloseHandle (hObject=0x440) returned 1 [0072.269] GetProcessHeap () returned 0x3a00000 [0072.270] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.270] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.270] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\311__connections_cellular_tdc norway (norway)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.270] GetProcessHeap () returned 0x3a00000 [0072.270] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.270] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90b85519, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", cAlternateFileName="312__C~1.PRO")) returned 1 [0072.270] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.270] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.270] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.270] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.270] lstrcmpiW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.270] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml") returned 160 [0072.270] StrStrIW (lpFirst="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.270] lstrcmpW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.270] lstrcmpW (lpString1="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.271] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.271] GetTickCount () returned 0x11526ed [0072.271] GetTickCount () returned 0x11526ed [0072.271] GetTickCount () returned 0x11526ed [0072.271] GetTickCount () returned 0x11526ed [0072.271] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.271] GetProcessHeap () returned 0x3a00000 [0072.271] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.271] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0072.272] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.272] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0072.273] GetProcessHeap () returned 0x3a00000 [0072.273] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.273] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.273] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.273] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.273] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.273] CloseHandle (hObject=0x440) returned 1 [0072.273] GetProcessHeap () returned 0x3a00000 [0072.273] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.273] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\312__connections_cellular_telenor (norway)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.274] GetProcessHeap () returned 0x3a00000 [0072.274] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.274] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ed, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", cAlternateFileName="313__C~1.PRO")) returned 1 [0072.274] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.274] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.274] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.274] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.274] lstrcmpiW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.274] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml") returned 195 [0072.274] StrStrIW (lpFirst="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.274] lstrcmpW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.274] lstrcmpW (lpString1="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.274] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.275] GetTickCount () returned 0x11526ed [0072.275] GetTickCount () returned 0x11526ed [0072.275] GetTickCount () returned 0x11526ed [0072.275] GetTickCount () returned 0x11526ed [0072.275] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.275] GetProcessHeap () returned 0x3a00000 [0072.275] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.275] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ed, lpOverlapped=0x0) returned 1 [0072.367] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd13, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.367] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ed, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ed, lpOverlapped=0x0) returned 1 [0072.367] GetProcessHeap () returned 0x3a00000 [0072.367] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.367] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.367] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.367] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.368] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.368] CloseHandle (hObject=0x440) returned 1 [0072.368] GetProcessHeap () returned 0x3a00000 [0072.368] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.368] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 214 [0072.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\313__connections_cellular_omani qatari telecommunications company saoc (oman)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.369] GetProcessHeap () returned 0x3a00000 [0072.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="314__C~1.PRO")) returned 1 [0072.369] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.369] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.369] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.369] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.369] lstrcmpiW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.369] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml") returned 167 [0072.369] StrStrIW (lpFirst="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.369] lstrcmpW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.369] lstrcmpW (lpString1="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.369] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.370] GetTickCount () returned 0x115274b [0072.370] GetTickCount () returned 0x115274b [0072.370] GetTickCount () returned 0x115274b [0072.370] GetTickCount () returned 0x115274b [0072.370] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.370] GetProcessHeap () returned 0x3a00000 [0072.370] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.370] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x29a, lpOverlapped=0x0) returned 1 [0072.371] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd66, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.371] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x29a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x29a, lpOverlapped=0x0) returned 1 [0072.372] GetProcessHeap () returned 0x3a00000 [0072.372] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.372] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.372] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.372] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.372] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.372] CloseHandle (hObject=0x440) returned 1 [0072.372] GetProcessHeap () returned 0x3a00000 [0072.372] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.372] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0072.372] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\314__connections_cellular_mobilink gsm (pakistan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.373] GetProcessHeap () returned 0x3a00000 [0072.373] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.373] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="315__C~1.PRO")) returned 1 [0072.373] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.373] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.373] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.373] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.373] lstrcmpiW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.373] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml") returned 167 [0072.373] StrStrIW (lpFirst="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.374] lstrcmpW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.374] lstrcmpW (lpString1="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.374] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.374] GetTickCount () returned 0x115275a [0072.374] GetTickCount () returned 0x115275a [0072.374] GetTickCount () returned 0x115275a [0072.374] GetTickCount () returned 0x115275a [0072.374] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.374] GetProcessHeap () returned 0x3a00000 [0072.374] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.374] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28f, lpOverlapped=0x0) returned 1 [0072.376] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd71, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.376] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28f, lpOverlapped=0x0) returned 1 [0072.376] GetProcessHeap () returned 0x3a00000 [0072.376] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.376] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.376] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.376] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.376] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.376] CloseHandle (hObject=0x440) returned 1 [0072.376] GetProcessHeap () returned 0x3a00000 [0072.376] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.376] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0072.376] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\315__connections_cellular_mobilink gsm (pakistan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.377] GetProcessHeap () returned 0x3a00000 [0072.377] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.377] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bab788, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x346, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="316__C~1.PRO")) returned 1 [0072.377] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.377] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.377] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.377] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.377] lstrcmpiW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.377] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml") returned 162 [0072.377] StrStrIW (lpFirst="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.377] lstrcmpW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.377] lstrcmpW (lpString1="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.377] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.377] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.378] GetTickCount () returned 0x115275a [0072.378] GetTickCount () returned 0x115275a [0072.378] GetTickCount () returned 0x115275a [0072.378] GetTickCount () returned 0x115275a [0072.378] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.378] GetProcessHeap () returned 0x3a00000 [0072.378] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.378] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x346, lpOverlapped=0x0) returned 1 [0072.379] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcba, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.379] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x346, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x346, lpOverlapped=0x0) returned 1 [0072.379] GetProcessHeap () returned 0x3a00000 [0072.379] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.379] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.380] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.380] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.380] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.380] CloseHandle (hObject=0x440) returned 1 [0072.380] GetProcessHeap () returned 0x3a00000 [0072.380] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.380] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0072.380] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\316__connections_cellular_telenor (pakistan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.381] GetProcessHeap () returned 0x3a00000 [0072.381] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.381] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x288, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="317__C~1.PRO")) returned 1 [0072.383] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.383] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.383] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.383] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.383] lstrcmpiW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.383] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml") returned 160 [0072.383] StrStrIW (lpFirst="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.383] lstrcmpW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.383] lstrcmpW (lpString1="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.383] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.383] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.384] GetTickCount () returned 0x115275a [0072.384] GetTickCount () returned 0x115275a [0072.384] GetTickCount () returned 0x115275a [0072.384] GetTickCount () returned 0x115275a [0072.384] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.384] GetProcessHeap () returned 0x3a00000 [0072.384] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.384] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x288, lpOverlapped=0x0) returned 1 [0072.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.385] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x288, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x288, lpOverlapped=0x0) returned 1 [0072.385] GetProcessHeap () returned 0x3a00000 [0072.385] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.386] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.386] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.386] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.386] CloseHandle (hObject=0x440) returned 1 [0072.386] GetProcessHeap () returned 0x3a00000 [0072.386] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.386] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\317__connections_cellular_ufone (pakistan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.387] GetProcessHeap () returned 0x3a00000 [0072.387] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.387] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="318__C~1.PRO")) returned 1 [0072.387] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.387] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.387] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.387] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.387] lstrcmpiW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.387] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml") returned 168 [0072.387] StrStrIW (lpFirst="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.387] lstrcmpW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.387] lstrcmpW (lpString1="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.387] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.387] GetTickCount () returned 0x115275a [0072.387] GetTickCount () returned 0x115275a [0072.387] GetTickCount () returned 0x115275a [0072.387] GetTickCount () returned 0x115275a [0072.387] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.387] GetProcessHeap () returned 0x3a00000 [0072.387] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.388] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0072.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.389] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0072.389] GetProcessHeap () returned 0x3a00000 [0072.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.389] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.389] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.390] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.390] CloseHandle (hObject=0x440) returned 1 [0072.390] GetProcessHeap () returned 0x3a00000 [0072.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.390] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0072.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\318__connections_cellular_warid telecom (pakistan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.391] GetProcessHeap () returned 0x3a00000 [0072.391] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.391] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", cAlternateFileName="319__C~1.PRO")) returned 1 [0072.391] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.391] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.391] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.391] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.391] lstrcmpiW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.391] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml") returned 176 [0072.391] StrStrIW (lpFirst="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.391] lstrcmpW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.391] lstrcmpW (lpString1="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.391] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.391] GetTickCount () returned 0x115276a [0072.391] GetTickCount () returned 0x115276a [0072.391] GetTickCount () returned 0x115276a [0072.391] GetTickCount () returned 0x115276a [0072.391] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.391] GetProcessHeap () returned 0x3a00000 [0072.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.392] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1f2, lpOverlapped=0x0) returned 1 [0072.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1f2, lpOverlapped=0x0) returned 1 [0072.393] GetProcessHeap () returned 0x3a00000 [0072.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.393] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.393] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.393] CloseHandle (hObject=0x440) returned 1 [0072.394] GetProcessHeap () returned 0x3a00000 [0072.394] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.394] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0072.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\319__connections_cellular_aljawwal (palestinian authority)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.394] GetProcessHeap () returned 0x3a00000 [0072.394] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.394] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="31__CO~1.PRO")) returned 1 [0072.394] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.394] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.394] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.394] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.394] lstrcmpiW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.394] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml") returned 165 [0072.395] StrStrIW (lpFirst="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.395] lstrcmpW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.395] lstrcmpW (lpString1="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.395] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.395] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.395] GetTickCount () returned 0x115276a [0072.395] GetTickCount () returned 0x115276a [0072.395] GetTickCount () returned 0x115276a [0072.395] GetTickCount () returned 0x115276a [0072.395] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.395] GetProcessHeap () returned 0x3a00000 [0072.395] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.395] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x363, lpOverlapped=0x0) returned 1 [0072.397] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.397] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x363, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x363, lpOverlapped=0x0) returned 1 [0072.397] GetProcessHeap () returned 0x3a00000 [0072.397] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.397] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.397] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.397] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.397] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.397] CloseHandle (hObject=0x440) returned 1 [0072.397] GetProcessHeap () returned 0x3a00000 [0072.397] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.397] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.397] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\31__connections_cellular_t-mobile m2m (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.398] GetProcessHeap () returned 0x3a00000 [0072.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.398] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bd19f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="320__C~1.PRO")) returned 1 [0072.398] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.398] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.398] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.398] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.398] lstrcmpiW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.398] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml") returned 171 [0072.398] StrStrIW (lpFirst="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.398] lstrcmpW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.398] lstrcmpW (lpString1="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.398] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.399] GetTickCount () returned 0x115276a [0072.399] GetTickCount () returned 0x115276a [0072.399] GetTickCount () returned 0x115276a [0072.399] GetTickCount () returned 0x115276a [0072.399] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.399] GetProcessHeap () returned 0x3a00000 [0072.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.399] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0072.400] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.400] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0072.401] GetProcessHeap () returned 0x3a00000 [0072.401] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.401] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.401] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.401] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.401] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.401] CloseHandle (hObject=0x440) returned 1 [0072.401] GetProcessHeap () returned 0x3a00000 [0072.401] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.401] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0072.401] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\320__connections_cellular_cable and wireless (panama)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.402] GetProcessHeap () returned 0x3a00000 [0072.402] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.402] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="321__C~1.PRO")) returned 1 [0072.402] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.402] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.402] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.402] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.402] lstrcmpiW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.402] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml") returned 158 [0072.402] StrStrIW (lpFirst="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.402] lstrcmpW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.402] lstrcmpW (lpString1="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.402] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.402] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.438] GetTickCount () returned 0x1152799 [0072.438] GetTickCount () returned 0x1152799 [0072.438] GetTickCount () returned 0x1152799 [0072.438] GetTickCount () returned 0x1152799 [0072.438] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.439] GetProcessHeap () returned 0x3a00000 [0072.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.439] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0072.440] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.440] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0072.440] GetProcessHeap () returned 0x3a00000 [0072.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.440] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.440] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.440] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.441] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.441] CloseHandle (hObject=0x440) returned 1 [0072.441] GetProcessHeap () returned 0x3a00000 [0072.441] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.441] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0072.441] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\321__connections_cellular_claro (panama)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.442] GetProcessHeap () returned 0x3a00000 [0072.442] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.442] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", cAlternateFileName="322__C~1.PRO")) returned 1 [0072.442] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.442] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.442] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.442] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.442] lstrcmpiW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.442] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml") returned 163 [0072.442] StrStrIW (lpFirst="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.442] lstrcmpW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.442] lstrcmpW (lpString1="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.442] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.442] GetTickCount () returned 0x1152799 [0072.443] GetTickCount () returned 0x1152799 [0072.443] GetTickCount () returned 0x1152799 [0072.443] GetTickCount () returned 0x1152799 [0072.443] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.443] GetProcessHeap () returned 0x3a00000 [0072.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.443] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0072.444] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.444] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0072.444] GetProcessHeap () returned 0x3a00000 [0072.444] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.444] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.444] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.445] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.445] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.445] CloseHandle (hObject=0x440) returned 1 [0072.445] GetProcessHeap () returned 0x3a00000 [0072.445] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.445] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.445] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\322__connections_cellular_telefonica (panama)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.446] GetProcessHeap () returned 0x3a00000 [0072.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.446] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="323__C~1.PRO")) returned 1 [0072.446] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.446] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.446] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.446] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.446] lstrcmpiW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.446] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml") returned 160 [0072.446] StrStrIW (lpFirst="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.446] lstrcmpW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.446] lstrcmpW (lpString1="323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.446] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.446] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.446] GetTickCount () returned 0x1152799 [0072.446] GetTickCount () returned 0x1152799 [0072.446] GetTickCount () returned 0x1152799 [0072.446] GetTickCount () returned 0x1152799 [0072.446] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.446] GetProcessHeap () returned 0x3a00000 [0072.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.447] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0072.448] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.448] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0072.448] GetProcessHeap () returned 0x3a00000 [0072.448] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.448] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.448] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.448] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.448] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.448] CloseHandle (hObject=0x440) returned 1 [0072.449] GetProcessHeap () returned 0x3a00000 [0072.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.449] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\323__Connections_Cellular_Claro (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\323__connections_cellular_claro (paraguay)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.449] GetProcessHeap () returned 0x3a00000 [0072.449] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.449] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90bf7c60, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="324__C~1.PRO")) returned 1 [0072.449] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.449] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.449] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.449] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.449] lstrcmpiW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.449] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml") returned 162 [0072.449] StrStrIW (lpFirst="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.449] lstrcmpW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.450] lstrcmpW (lpString1="324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.450] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.450] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.450] GetTickCount () returned 0x1152799 [0072.450] GetTickCount () returned 0x1152799 [0072.450] GetTickCount () returned 0x1152799 [0072.450] GetTickCount () returned 0x1152799 [0072.450] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.450] GetProcessHeap () returned 0x3a00000 [0072.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.450] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0072.452] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.452] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0072.452] GetProcessHeap () returned 0x3a00000 [0072.452] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.452] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.452] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.452] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.452] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.452] CloseHandle (hObject=0x440) returned 1 [0072.452] GetProcessHeap () returned 0x3a00000 [0072.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.452] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0072.453] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\324__Connections_Cellular_Telecel (Paraguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\324__connections_cellular_telecel (paraguay)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.453] GetProcessHeap () returned 0x3a00000 [0072.453] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.453] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ba, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", cAlternateFileName="325__C~1.PRO")) returned 1 [0072.453] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.453] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.453] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.453] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.453] lstrcmpiW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.453] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml") returned 156 [0072.453] StrStrIW (lpFirst="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.454] lstrcmpW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.454] lstrcmpW (lpString1="325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.454] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.454] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.454] GetTickCount () returned 0x11527a9 [0072.454] GetTickCount () returned 0x11527a9 [0072.454] GetTickCount () returned 0x11527a9 [0072.454] GetTickCount () returned 0x11527a9 [0072.454] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.454] GetProcessHeap () returned 0x3a00000 [0072.454] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.454] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ba, lpOverlapped=0x0) returned 1 [0072.455] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.455] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ba, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ba, lpOverlapped=0x0) returned 1 [0072.456] GetProcessHeap () returned 0x3a00000 [0072.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.456] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.456] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.456] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.456] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.456] CloseHandle (hObject=0x440) returned 1 [0072.456] GetProcessHeap () returned 0x3a00000 [0072.456] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.456] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0072.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\325__Connections_Cellular_Claro (Peru)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\325__connections_cellular_claro (peru)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.457] GetProcessHeap () returned 0x3a00000 [0072.457] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.457] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", cAlternateFileName="326__C~1.PRO")) returned 1 [0072.457] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.457] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.457] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.457] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.457] lstrcmpiW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml") returned 161 [0072.457] StrStrIW (lpFirst="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.457] lstrcmpW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.457] lstrcmpW (lpString1="326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.457] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.457] GetTickCount () returned 0x11527a9 [0072.457] GetTickCount () returned 0x11527a9 [0072.457] GetTickCount () returned 0x11527a9 [0072.457] GetTickCount () returned 0x11527a9 [0072.458] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.458] GetProcessHeap () returned 0x3a00000 [0072.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.458] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.459] GetProcessHeap () returned 0x3a00000 [0072.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.460] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.460] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.460] CloseHandle (hObject=0x440) returned 1 [0072.460] GetProcessHeap () returned 0x3a00000 [0072.460] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.460] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0072.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\326__Connections_Cellular_Telefonica (Peru)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\326__connections_cellular_telefonica (peru)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.468] GetProcessHeap () returned 0x3a00000 [0072.468] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.468] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x292, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="327__C~1.PRO")) returned 1 [0072.468] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.468] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.468] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.468] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.468] lstrcmpiW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.468] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml") returned 163 [0072.468] StrStrIW (lpFirst="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.468] lstrcmpW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.468] lstrcmpW (lpString1="327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.468] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.468] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.469] GetTickCount () returned 0x11527b8 [0072.469] GetTickCount () returned 0x11527b8 [0072.469] GetTickCount () returned 0x11527b8 [0072.469] GetTickCount () returned 0x11527b8 [0072.469] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.469] GetProcessHeap () returned 0x3a00000 [0072.469] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.469] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x292, lpOverlapped=0x0) returned 1 [0072.470] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.470] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x292, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x292, lpOverlapped=0x0) returned 1 [0072.470] GetProcessHeap () returned 0x3a00000 [0072.470] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.470] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.471] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.471] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.471] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.471] CloseHandle (hObject=0x440) returned 1 [0072.471] GetProcessHeap () returned 0x3a00000 [0072.471] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.471] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\327__Connections_Cellular_Globe (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\327__connections_cellular_globe (philippines)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.472] GetProcessHeap () returned 0x3a00000 [0072.472] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.472] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c1dec7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c1dec7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c1dec7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", cAlternateFileName="328__C~1.PRO")) returned 1 [0072.472] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.472] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.472] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.472] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.472] lstrcmpiW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.472] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml") returned 163 [0072.472] StrStrIW (lpFirst="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.472] lstrcmpW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.472] lstrcmpW (lpString1="328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.472] GetTickCount () returned 0x11527b8 [0072.472] GetTickCount () returned 0x11527b8 [0072.472] GetTickCount () returned 0x11527b8 [0072.472] GetTickCount () returned 0x11527b8 [0072.472] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.473] GetProcessHeap () returned 0x3a00000 [0072.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.473] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0072.528] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.528] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0072.528] GetProcessHeap () returned 0x3a00000 [0072.528] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.528] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.528] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.528] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.529] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.529] CloseHandle (hObject=0x440) returned 1 [0072.529] GetProcessHeap () returned 0x3a00000 [0072.529] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.529] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.529] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\328__Connections_Cellular_Globe (Philippines)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\328__connections_cellular_globe (philippines)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.530] GetProcessHeap () returned 0x3a00000 [0072.530] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.530] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="329__C~1.PRO")) returned 1 [0072.530] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.530] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.530] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.530] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.530] lstrcmpiW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.530] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml") returned 163 [0072.530] StrStrIW (lpFirst="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.530] lstrcmpW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.530] lstrcmpW (lpString1="329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.531] GetTickCount () returned 0x11527f7 [0072.531] GetTickCount () returned 0x11527f7 [0072.531] GetTickCount () returned 0x11527f7 [0072.531] GetTickCount () returned 0x11527f7 [0072.531] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.531] GetProcessHeap () returned 0x3a00000 [0072.531] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.531] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0072.533] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.533] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0072.533] GetProcessHeap () returned 0x3a00000 [0072.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.533] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.533] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.534] CloseHandle (hObject=0x440) returned 1 [0072.534] GetProcessHeap () returned 0x3a00000 [0072.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.534] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.534] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\329__Connections_Cellular_Smart (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\329__connections_cellular_smart (philippines)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.534] GetProcessHeap () returned 0x3a00000 [0072.534] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.534] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="32__CO~1.PRO")) returned 1 [0072.534] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.534] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.534] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.535] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.535] lstrcmpiW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.535] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml") returned 164 [0072.535] StrStrIW (lpFirst="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.535] lstrcmpW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.535] lstrcmpW (lpString1="32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.535] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.535] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.535] GetTickCount () returned 0x11527f7 [0072.535] GetTickCount () returned 0x11527f7 [0072.535] GetTickCount () returned 0x11527f7 [0072.535] GetTickCount () returned 0x11527f7 [0072.535] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.535] GetProcessHeap () returned 0x3a00000 [0072.535] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.535] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0072.537] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.537] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0072.537] GetProcessHeap () returned 0x3a00000 [0072.537] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.537] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.537] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.537] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.537] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.537] CloseHandle (hObject=0x440) returned 1 [0072.537] GetProcessHeap () returned 0x3a00000 [0072.537] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.537] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0072.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\32__Connections_Cellular_Azercell (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\32__connections_cellular_azercell (azerbaijan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.538] GetProcessHeap () returned 0x3a00000 [0072.538] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.538] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", cAlternateFileName="330__C~1.PRO")) returned 1 [0072.538] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.538] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.538] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.538] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.538] lstrcmpiW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.538] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml") returned 170 [0072.539] StrStrIW (lpFirst="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.539] lstrcmpW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.539] lstrcmpW (lpString1="330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.539] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.539] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.539] GetTickCount () returned 0x11527f7 [0072.539] GetTickCount () returned 0x11527f7 [0072.539] GetTickCount () returned 0x11527f7 [0072.539] GetTickCount () returned 0x11527f7 [0072.539] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.539] GetProcessHeap () returned 0x3a00000 [0072.539] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.539] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0072.541] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.541] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0072.541] GetProcessHeap () returned 0x3a00000 [0072.541] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.541] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.541] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.541] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.541] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.541] CloseHandle (hObject=0x440) returned 1 [0072.541] GetProcessHeap () returned 0x3a00000 [0072.541] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.541] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0072.541] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\330__Connections_Cellular_Sun Cellular (Philippines)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\330__connections_cellular_sun cellular (philippines)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.542] GetProcessHeap () returned 0x3a00000 [0072.542] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.542] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c44137, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="331__C~1.PRO")) returned 1 [0072.542] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.542] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.542] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.542] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.542] lstrcmpiW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.542] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml") returned 159 [0072.542] StrStrIW (lpFirst="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.542] lstrcmpW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.542] lstrcmpW (lpString1="331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.542] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.543] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.543] GetTickCount () returned 0x11527f7 [0072.543] GetTickCount () returned 0x11527f7 [0072.543] GetTickCount () returned 0x11527f7 [0072.543] GetTickCount () returned 0x11527f7 [0072.543] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.543] GetProcessHeap () returned 0x3a00000 [0072.543] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.543] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0072.544] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.545] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0072.545] GetProcessHeap () returned 0x3a00000 [0072.545] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.545] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.545] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.545] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.545] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.545] CloseHandle (hObject=0x440) returned 1 [0072.545] GetProcessHeap () returned 0x3a00000 [0072.546] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.546] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0072.546] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\331__Connections_Cellular_Orange (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\331__connections_cellular_orange (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.546] GetProcessHeap () returned 0x3a00000 [0072.546] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.546] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c44137, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c44137, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="332__C~1.PRO")) returned 1 [0072.548] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.548] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.548] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.548] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.548] lstrcmpiW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.548] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml") returned 157 [0072.548] StrStrIW (lpFirst="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.548] lstrcmpW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.548] lstrcmpW (lpString1="332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.548] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.548] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.549] GetTickCount () returned 0x1152806 [0072.549] GetTickCount () returned 0x1152806 [0072.549] GetTickCount () returned 0x1152806 [0072.549] GetTickCount () returned 0x1152806 [0072.549] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.549] GetProcessHeap () returned 0x3a00000 [0072.549] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.549] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x349, lpOverlapped=0x0) returned 1 [0072.551] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.551] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x349, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x349, lpOverlapped=0x0) returned 1 [0072.551] GetProcessHeap () returned 0x3a00000 [0072.551] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.551] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.551] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.551] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.551] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.551] CloseHandle (hObject=0x440) returned 1 [0072.551] GetProcessHeap () returned 0x3a00000 [0072.551] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.552] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0072.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\332__Connections_Cellular_PLAY (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\332__connections_cellular_play (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.552] GetProcessHeap () returned 0x3a00000 [0072.552] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.552] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="333__C~1.PRO")) returned 1 [0072.552] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.552] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.552] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.552] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.552] lstrcmpiW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml") returned 160 [0072.552] StrStrIW (lpFirst="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.552] lstrcmpW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.552] lstrcmpW (lpString1="333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.552] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.553] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.553] GetTickCount () returned 0x1152806 [0072.553] GetTickCount () returned 0x1152806 [0072.553] GetTickCount () returned 0x1152806 [0072.553] GetTickCount () returned 0x1152806 [0072.553] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.553] GetProcessHeap () returned 0x3a00000 [0072.553] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.553] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0072.554] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.554] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0072.555] GetProcessHeap () returned 0x3a00000 [0072.555] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.555] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.555] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.555] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.555] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.555] CloseHandle (hObject=0x440) returned 1 [0072.555] GetProcessHeap () returned 0x3a00000 [0072.555] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.555] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\333__Connections_Cellular_PL-PLUS (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\333__connections_cellular_pl-plus (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.556] GetProcessHeap () returned 0x3a00000 [0072.556] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.556] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="334__C~1.PRO")) returned 1 [0072.556] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.556] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.556] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.556] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.556] lstrcmpiW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.556] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml") returned 168 [0072.556] StrStrIW (lpFirst="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.556] lstrcmpW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.556] lstrcmpW (lpString1="334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.556] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.557] GetTickCount () returned 0x1152806 [0072.557] GetTickCount () returned 0x1152806 [0072.557] GetTickCount () returned 0x1152806 [0072.557] GetTickCount () returned 0x1152806 [0072.557] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.557] GetProcessHeap () returned 0x3a00000 [0072.557] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.557] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.558] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.558] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0072.558] GetProcessHeap () returned 0x3a00000 [0072.558] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.558] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.558] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.559] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.559] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.559] CloseHandle (hObject=0x440) returned 1 [0072.559] GetProcessHeap () returned 0x3a00000 [0072.559] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.559] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0072.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\334__Connections_Cellular_T-Mobile Poland (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\334__connections_cellular_t-mobile poland (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.559] GetProcessHeap () returned 0x3a00000 [0072.559] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.560] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c6a39e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c6a39e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c6a39e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="335__C~1.PRO")) returned 1 [0072.560] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.560] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.560] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.560] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.560] lstrcmpiW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.560] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml") returned 162 [0072.560] StrStrIW (lpFirst="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.560] lstrcmpW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.560] lstrcmpW (lpString1="335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.560] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.571] GetTickCount () returned 0x1152816 [0072.571] GetTickCount () returned 0x1152816 [0072.572] GetTickCount () returned 0x1152816 [0072.572] GetTickCount () returned 0x1152816 [0072.572] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.572] GetProcessHeap () returned 0x3a00000 [0072.572] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.572] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0072.626] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.626] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0072.626] GetProcessHeap () returned 0x3a00000 [0072.626] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.626] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.626] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.626] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.626] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.627] CloseHandle (hObject=0x440) returned 1 [0072.627] GetProcessHeap () returned 0x3a00000 [0072.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.627] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0072.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\335__Connections_Cellular_Optimus (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\335__connections_cellular_optimus (portugal)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.628] GetProcessHeap () returned 0x3a00000 [0072.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.628] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="336__C~1.PRO")) returned 1 [0072.628] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.628] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.628] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.628] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.628] lstrcmpiW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.628] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml") returned 158 [0072.628] StrStrIW (lpFirst="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.628] lstrcmpW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.628] lstrcmpW (lpString1="336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.628] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.629] GetTickCount () returned 0x1152854 [0072.629] GetTickCount () returned 0x1152854 [0072.629] GetTickCount () returned 0x1152854 [0072.629] GetTickCount () returned 0x1152854 [0072.629] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.629] GetProcessHeap () returned 0x3a00000 [0072.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.629] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0072.630] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.630] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0072.631] GetProcessHeap () returned 0x3a00000 [0072.631] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.631] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.631] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.631] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.631] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.631] CloseHandle (hObject=0x440) returned 1 [0072.631] GetProcessHeap () returned 0x3a00000 [0072.631] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.631] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0072.631] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\336__Connections_Cellular_TMN (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\336__connections_cellular_tmn (portugal)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.632] GetProcessHeap () returned 0x3a00000 [0072.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.632] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="337__C~1.PRO")) returned 1 [0072.632] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0072.632] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0072.632] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0072.632] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0072.632] lstrcmpiW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0072.632] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0072.632] StrStrIW (lpFirst="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0072.632] lstrcmpW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.632] lstrcmpW (lpString1="337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0072.632] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.632] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.633] GetTickCount () returned 0x1152854 [0072.633] GetTickCount () returned 0x1152854 [0072.633] GetTickCount () returned 0x1152854 [0072.633] GetTickCount () returned 0x1152854 [0072.633] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.633] GetProcessHeap () returned 0x3a00000 [0072.633] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.633] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0072.634] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.634] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0072.634] GetProcessHeap () returned 0x3a00000 [0072.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.634] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.634] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.635] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.635] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.635] CloseHandle (hObject=0x440) returned 1 [0072.635] GetProcessHeap () returned 0x3a00000 [0072.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.635] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0072.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\337__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\337__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.636] GetProcessHeap () returned 0x3a00000 [0072.636] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.636] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="338__C~1.PRO")) returned 1 [0072.636] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.636] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.636] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.636] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.636] lstrcmpiW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.636] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.636] StrStrIW (lpFirst="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.636] lstrcmpW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.636] lstrcmpW (lpString1="338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.636] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.637] GetTickCount () returned 0x1152854 [0072.637] GetTickCount () returned 0x1152854 [0072.637] GetTickCount () returned 0x1152854 [0072.637] GetTickCount () returned 0x1152854 [0072.637] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.637] GetProcessHeap () returned 0x3a00000 [0072.637] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.637] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0072.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0072.638] GetProcessHeap () returned 0x3a00000 [0072.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.639] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.639] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.639] CloseHandle (hObject=0x440) returned 1 [0072.639] GetProcessHeap () returned 0x3a00000 [0072.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\338__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\338__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.640] GetProcessHeap () returned 0x3a00000 [0072.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.640] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="339__C~1.PRO")) returned 1 [0072.640] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.640] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.640] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.640] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.640] lstrcmpiW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.640] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml") returned 165 [0072.640] StrStrIW (lpFirst="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.640] lstrcmpW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.640] lstrcmpW (lpString1="339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.640] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.640] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.641] GetTickCount () returned 0x1152864 [0072.641] GetTickCount () returned 0x1152864 [0072.641] GetTickCount () returned 0x1152864 [0072.641] GetTickCount () returned 0x1152864 [0072.641] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.641] GetProcessHeap () returned 0x3a00000 [0072.641] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.641] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0072.642] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.642] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0072.642] GetProcessHeap () returned 0x3a00000 [0072.642] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.642] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.643] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.643] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.643] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.643] CloseHandle (hObject=0x440) returned 1 [0072.643] GetProcessHeap () returned 0x3a00000 [0072.643] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.643] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.643] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\339__Connections_Cellular_vodafone P (Portugal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\339__connections_cellular_vodafone p (portugal)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.644] GetProcessHeap () returned 0x3a00000 [0072.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.644] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="33__CO~1.PRO")) returned 1 [0072.644] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.644] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.644] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.644] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.644] lstrcmpiW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.644] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml") returned 163 [0072.644] StrStrIW (lpFirst="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.644] lstrcmpW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.644] lstrcmpW (lpString1="33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.644] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.644] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.645] GetTickCount () returned 0x1152864 [0072.645] GetTickCount () returned 0x1152864 [0072.645] GetTickCount () returned 0x1152864 [0072.645] GetTickCount () returned 0x1152864 [0072.645] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.645] GetProcessHeap () returned 0x3a00000 [0072.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.645] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.646] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.647] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.647] GetProcessHeap () returned 0x3a00000 [0072.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.647] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.647] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.647] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.647] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.647] CloseHandle (hObject=0x440) returned 1 [0072.647] GetProcessHeap () returned 0x3a00000 [0072.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.647] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\33__Connections_Cellular_Azerfon (Azerbaijan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\33__connections_cellular_azerfon (azerbaijan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.648] GetProcessHeap () returned 0x3a00000 [0072.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.648] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="340__C~1.PRO")) returned 1 [0072.648] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.648] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.648] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.648] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.648] lstrcmpiW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.648] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.648] StrStrIW (lpFirst="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.648] lstrcmpW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.648] lstrcmpW (lpString1="340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.648] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.648] GetTickCount () returned 0x1152864 [0072.649] GetTickCount () returned 0x1152864 [0072.649] GetTickCount () returned 0x1152864 [0072.649] GetTickCount () returned 0x1152864 [0072.649] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.649] GetProcessHeap () returned 0x3a00000 [0072.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.649] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.650] GetProcessHeap () returned 0x3a00000 [0072.650] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.651] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.651] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.651] CloseHandle (hObject=0x440) returned 1 [0072.651] GetProcessHeap () returned 0x3a00000 [0072.651] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.651] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.651] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\340__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\340__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.651] GetProcessHeap () returned 0x3a00000 [0072.651] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.651] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", cAlternateFileName="341__C~1.PRO")) returned 1 [0072.652] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.652] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.652] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.652] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.652] lstrcmpiW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.652] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml") returned 163 [0072.652] StrStrIW (lpFirst="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.652] lstrcmpW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.652] lstrcmpW (lpString1="341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.652] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.652] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.652] GetTickCount () returned 0x1152864 [0072.652] GetTickCount () returned 0x1152864 [0072.652] GetTickCount () returned 0x1152864 [0072.652] GetTickCount () returned 0x1152864 [0072.652] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.652] GetProcessHeap () returned 0x3a00000 [0072.652] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.652] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0072.654] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.654] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0072.654] GetProcessHeap () returned 0x3a00000 [0072.654] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.654] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.654] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.654] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.654] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.654] CloseHandle (hObject=0x440) returned 1 [0072.654] GetProcessHeap () returned 0x3a00000 [0072.654] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.654] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.655] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\341__Connections_Cellular_Claro (Puerto Rico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\341__connections_cellular_claro (puerto rico)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.656] GetProcessHeap () returned 0x3a00000 [0072.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.656] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90c9060a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90c9060a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90c9060a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", cAlternateFileName="342__C~1.PRO")) returned 1 [0072.656] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.656] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.656] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.656] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.656] lstrcmpiW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.656] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml") returned 163 [0072.656] StrStrIW (lpFirst="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.656] lstrcmpW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.656] lstrcmpW (lpString1="342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.656] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.656] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.656] GetTickCount () returned 0x1152874 [0072.656] GetTickCount () returned 0x1152874 [0072.656] GetTickCount () returned 0x1152874 [0072.656] GetTickCount () returned 0x1152874 [0072.656] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.657] GetProcessHeap () returned 0x3a00000 [0072.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.657] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0072.658] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.658] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0072.658] GetProcessHeap () returned 0x3a00000 [0072.658] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.658] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.658] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.658] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.658] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.658] CloseHandle (hObject=0x440) returned 1 [0072.659] GetProcessHeap () returned 0x3a00000 [0072.659] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.659] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0072.659] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\342__Connections_Cellular_Claro (Puerto Rico)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\342__connections_cellular_claro (puerto rico)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.659] GetProcessHeap () returned 0x3a00000 [0072.659] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.659] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="343__C~1.PRO")) returned 1 [0072.659] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.659] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.659] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.659] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.659] lstrcmpiW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.659] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml") returned 157 [0072.659] StrStrIW (lpFirst="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.660] lstrcmpW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.660] lstrcmpW (lpString1="343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.660] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.660] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.660] GetTickCount () returned 0x1152874 [0072.660] GetTickCount () returned 0x1152874 [0072.660] GetTickCount () returned 0x1152874 [0072.660] GetTickCount () returned 0x1152874 [0072.660] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.660] GetProcessHeap () returned 0x3a00000 [0072.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.660] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0072.730] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.730] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0072.730] GetProcessHeap () returned 0x3a00000 [0072.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.730] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.730] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.730] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.730] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.731] CloseHandle (hObject=0x440) returned 1 [0072.731] GetProcessHeap () returned 0x3a00000 [0072.731] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0072.731] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\343__Connections_Cellular_Q-Tel (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\343__connections_cellular_q-tel (qatar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.732] GetProcessHeap () returned 0x3a00000 [0072.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.732] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="344__C~1.PRO")) returned 1 [0072.732] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.732] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.732] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.732] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.732] lstrcmpiW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.732] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml") returned 166 [0072.732] StrStrIW (lpFirst="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.732] lstrcmpW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.732] lstrcmpW (lpString1="344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.732] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.733] GetTickCount () returned 0x11528c2 [0072.733] GetTickCount () returned 0x11528c2 [0072.733] GetTickCount () returned 0x11528c2 [0072.733] GetTickCount () returned 0x11528c2 [0072.733] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.733] GetProcessHeap () returned 0x3a00000 [0072.733] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.733] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0072.735] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.735] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0072.735] GetProcessHeap () returned 0x3a00000 [0072.735] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.735] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.735] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.735] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.735] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.735] CloseHandle (hObject=0x440) returned 1 [0072.735] GetProcessHeap () returned 0x3a00000 [0072.735] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.735] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\344__Connections_Cellular_Vodafone Qatar (Qatar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\344__connections_cellular_vodafone qatar (qatar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.736] GetProcessHeap () returned 0x3a00000 [0072.736] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.736] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", cAlternateFileName="345__C~1.PRO")) returned 1 [0072.736] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.736] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.736] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.736] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.736] lstrcmpiW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.736] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml") returned 166 [0072.736] StrStrIW (lpFirst="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.736] lstrcmpW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.736] lstrcmpW (lpString1="345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.736] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.736] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.737] GetTickCount () returned 0x11528c2 [0072.737] GetTickCount () returned 0x11528c2 [0072.737] GetTickCount () returned 0x11528c2 [0072.737] GetTickCount () returned 0x11528c2 [0072.737] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.737] GetProcessHeap () returned 0x3a00000 [0072.737] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.737] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0072.738] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.738] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0072.739] GetProcessHeap () returned 0x3a00000 [0072.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.739] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.739] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.739] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.739] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.739] CloseHandle (hObject=0x440) returned 1 [0072.739] GetProcessHeap () returned 0x3a00000 [0072.739] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.739] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\345__Connections_Cellular_Vodafone Qatar (Qatar)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\345__connections_cellular_vodafone qatar (qatar)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.740] GetProcessHeap () returned 0x3a00000 [0072.740] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.740] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cb6875, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="346__C~1.PRO")) returned 1 [0072.740] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.740] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.740] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.740] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.740] lstrcmpiW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.740] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.740] StrStrIW (lpFirst="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.740] lstrcmpW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.740] lstrcmpW (lpString1="346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.740] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.740] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.741] GetTickCount () returned 0x11528c2 [0072.741] GetTickCount () returned 0x11528c2 [0072.741] GetTickCount () returned 0x11528c2 [0072.741] GetTickCount () returned 0x11528c2 [0072.741] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.741] GetProcessHeap () returned 0x3a00000 [0072.741] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.741] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.742] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.742] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.742] GetProcessHeap () returned 0x3a00000 [0072.742] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.742] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.742] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.743] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.743] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.743] CloseHandle (hObject=0x440) returned 1 [0072.743] GetProcessHeap () returned 0x3a00000 [0072.743] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\346__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\346__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.744] GetProcessHeap () returned 0x3a00000 [0072.744] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.744] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cb6875, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cb6875, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", cAlternateFileName="347__C~1.PRO")) returned 1 [0072.744] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.744] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.744] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.744] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.744] lstrcmpiW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.744] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml") returned 174 [0072.744] StrStrIW (lpFirst="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.744] lstrcmpW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.744] lstrcmpW (lpString1="347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.744] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.744] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.745] GetTickCount () returned 0x11528c2 [0072.745] GetTickCount () returned 0x11528c2 [0072.745] GetTickCount () returned 0x11528c2 [0072.745] GetTickCount () returned 0x11528c2 [0072.745] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.745] GetProcessHeap () returned 0x3a00000 [0072.745] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.745] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0072.746] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.746] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0072.746] GetProcessHeap () returned 0x3a00000 [0072.747] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.747] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.747] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.747] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.747] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.747] CloseHandle (hObject=0x440) returned 1 [0072.747] GetProcessHeap () returned 0x3a00000 [0072.747] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0072.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\347__Connections_Cellular_MoldCell (Republic of Moldova)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\347__connections_cellular_moldcell (republic of moldova)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.748] GetProcessHeap () returned 0x3a00000 [0072.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.748] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="348__C~1.PRO")) returned 1 [0072.750] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.750] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.750] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.750] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.750] lstrcmpiW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.750] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml") returned 166 [0072.750] StrStrIW (lpFirst="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.750] lstrcmpW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.750] lstrcmpW (lpString1="348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.750] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.750] GetTickCount () returned 0x11528d1 [0072.750] GetTickCount () returned 0x11528d1 [0072.750] GetTickCount () returned 0x11528d1 [0072.750] GetTickCount () returned 0x11528d1 [0072.750] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.750] GetProcessHeap () returned 0x3a00000 [0072.750] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.750] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0072.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0072.752] GetProcessHeap () returned 0x3a00000 [0072.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.752] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.752] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.753] CloseHandle (hObject=0x440) returned 1 [0072.753] GetProcessHeap () returned 0x3a00000 [0072.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.753] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\348__Connections_Cellular_SFR (Réunion) (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\348__connections_cellular_sfr (réunion) (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.753] GetProcessHeap () returned 0x3a00000 [0072.753] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.753] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="349__C~1.PRO")) returned 1 [0072.753] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.753] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.753] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.753] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.754] lstrcmpiW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.754] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml") returned 166 [0072.754] StrStrIW (lpFirst="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.754] lstrcmpW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.754] lstrcmpW (lpString1="349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.754] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.754] GetTickCount () returned 0x11528d1 [0072.754] GetTickCount () returned 0x11528d1 [0072.754] GetTickCount () returned 0x11528d1 [0072.754] GetTickCount () returned 0x11528d1 [0072.754] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.754] GetProcessHeap () returned 0x3a00000 [0072.754] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.754] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.756] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.756] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.756] GetProcessHeap () returned 0x3a00000 [0072.756] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.756] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.756] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.756] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.756] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.756] CloseHandle (hObject=0x440) returned 1 [0072.756] GetProcessHeap () returned 0x3a00000 [0072.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.756] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\349__Connections_Cellular_SFR (Réunion) (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\349__connections_cellular_sfr (réunion) (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.757] GetProcessHeap () returned 0x3a00000 [0072.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.757] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901d57cf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="34__CO~1.PRO")) returned 1 [0072.757] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.757] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.757] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.757] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.757] lstrcmpiW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.757] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml") returned 160 [0072.757] StrStrIW (lpFirst="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.757] lstrcmpW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.757] lstrcmpW (lpString1="34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.757] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.757] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.758] GetTickCount () returned 0x11528d1 [0072.758] GetTickCount () returned 0x11528d1 [0072.758] GetTickCount () returned 0x11528d1 [0072.758] GetTickCount () returned 0x11528d1 [0072.758] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.758] GetProcessHeap () returned 0x3a00000 [0072.758] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.758] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.759] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.759] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0072.759] GetProcessHeap () returned 0x3a00000 [0072.759] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.759] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.760] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.760] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.760] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.760] CloseHandle (hObject=0x440) returned 1 [0072.760] GetProcessHeap () returned 0x3a00000 [0072.760] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.760] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.760] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\34__Connections_Cellular_Batelco (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\34__connections_cellular_batelco (bahrain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.761] GetProcessHeap () returned 0x3a00000 [0072.761] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.761] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="350__C~1.PRO")) returned 1 [0072.761] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.761] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.761] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.761] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.761] lstrcmpiW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.761] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml") returned 166 [0072.761] StrStrIW (lpFirst="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.761] lstrcmpW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.761] lstrcmpW (lpString1="350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.761] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.761] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.762] GetTickCount () returned 0x11528d1 [0072.762] GetTickCount () returned 0x11528d1 [0072.762] GetTickCount () returned 0x11528d1 [0072.762] GetTickCount () returned 0x11528d1 [0072.762] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.762] GetProcessHeap () returned 0x3a00000 [0072.762] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.762] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0072.764] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.764] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0072.764] GetProcessHeap () returned 0x3a00000 [0072.764] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.764] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.764] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.765] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.765] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.765] CloseHandle (hObject=0x440) returned 1 [0072.765] GetProcessHeap () returned 0x3a00000 [0072.765] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.765] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.765] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\350__Connections_Cellular_SFR (Réunion) (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\350__connections_cellular_sfr (réunion) (france)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.766] GetProcessHeap () returned 0x3a00000 [0072.766] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.766] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90cdcae1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90cdcae1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90cdcae1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="351__C~1.PRO")) returned 1 [0072.766] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.766] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.766] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.766] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.766] lstrcmpiW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.766] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml") returned 166 [0072.766] StrStrIW (lpFirst="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.766] lstrcmpW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.766] lstrcmpW (lpString1="351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.766] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.766] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.766] GetTickCount () returned 0x11528e1 [0072.766] GetTickCount () returned 0x11528e1 [0072.766] GetTickCount () returned 0x11528e1 [0072.766] GetTickCount () returned 0x11528e1 [0072.766] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.766] GetProcessHeap () returned 0x3a00000 [0072.766] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.767] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0072.821] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.822] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0072.822] GetProcessHeap () returned 0x3a00000 [0072.822] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.822] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.822] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.822] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.822] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.822] CloseHandle (hObject=0x440) returned 1 [0072.822] GetProcessHeap () returned 0x3a00000 [0072.822] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.822] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0072.822] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\351__Connections_Cellular_SFR (Réunion) (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\351__connections_cellular_sfr (réunion) (france)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.823] GetProcessHeap () returned 0x3a00000 [0072.823] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.823] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="352__C~1.PRO")) returned 1 [0072.823] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.824] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.824] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.824] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.824] lstrcmpiW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.824] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml") returned 160 [0072.824] StrStrIW (lpFirst="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.824] lstrcmpW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.824] lstrcmpW (lpString1="352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.824] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.824] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.824] GetTickCount () returned 0x1152910 [0072.824] GetTickCount () returned 0x1152910 [0072.824] GetTickCount () returned 0x1152910 [0072.824] GetTickCount () returned 0x1152910 [0072.824] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.824] GetProcessHeap () returned 0x3a00000 [0072.824] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.824] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.826] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.826] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0072.826] GetProcessHeap () returned 0x3a00000 [0072.826] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.826] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.826] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.826] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.827] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.827] CloseHandle (hObject=0x440) returned 1 [0072.827] GetProcessHeap () returned 0x3a00000 [0072.827] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.827] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.827] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\352__Connections_Cellular_Orange (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\352__connections_cellular_orange (romania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.827] GetProcessHeap () returned 0x3a00000 [0072.828] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.828] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x314, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="353__C~1.PRO")) returned 1 [0072.828] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.828] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.828] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.828] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.828] lstrcmpiW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.828] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml") returned 165 [0072.828] StrStrIW (lpFirst="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.828] lstrcmpW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.828] lstrcmpW (lpString1="353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.828] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.828] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.828] GetTickCount () returned 0x1152920 [0072.828] GetTickCount () returned 0x1152920 [0072.828] GetTickCount () returned 0x1152920 [0072.828] GetTickCount () returned 0x1152920 [0072.828] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.828] GetProcessHeap () returned 0x3a00000 [0072.828] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.828] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x314, lpOverlapped=0x0) returned 1 [0072.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.830] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x314, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x314, lpOverlapped=0x0) returned 1 [0072.830] GetProcessHeap () returned 0x3a00000 [0072.830] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.830] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.830] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.830] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.830] CloseHandle (hObject=0x440) returned 1 [0072.830] GetProcessHeap () returned 0x3a00000 [0072.830] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.831] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\353__Connections_Cellular_Vodafone RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\353__connections_cellular_vodafone ro (romania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.831] GetProcessHeap () returned 0x3a00000 [0072.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.831] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d02d4c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d02d4c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d02d4c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="354__C~1.PRO")) returned 1 [0072.831] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.831] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.831] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.832] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.832] lstrcmpiW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.832] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml") returned 165 [0072.832] StrStrIW (lpFirst="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.832] lstrcmpW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.832] lstrcmpW (lpString1="354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.832] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.832] GetTickCount () returned 0x1152920 [0072.832] GetTickCount () returned 0x1152920 [0072.832] GetTickCount () returned 0x1152920 [0072.832] GetTickCount () returned 0x1152920 [0072.832] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.832] GetProcessHeap () returned 0x3a00000 [0072.832] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.832] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x3a6, lpOverlapped=0x0) returned 1 [0072.834] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc5a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.834] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x3a6, lpOverlapped=0x0) returned 1 [0072.834] GetProcessHeap () returned 0x3a00000 [0072.834] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.834] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.834] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.834] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.834] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.834] CloseHandle (hObject=0x440) returned 1 [0072.834] GetProcessHeap () returned 0x3a00000 [0072.834] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.834] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.834] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\354__Connections_Cellular_Vodafone RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\354__connections_cellular_vodafone ro (romania)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.838] GetProcessHeap () returned 0x3a00000 [0072.838] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.838] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x392, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", cAlternateFileName="355__C~1.PRO")) returned 1 [0072.838] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.838] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.838] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.838] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.838] lstrcmpiW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.838] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml") returned 165 [0072.838] StrStrIW (lpFirst="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.839] lstrcmpW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.839] lstrcmpW (lpString1="355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.839] GetTickCount () returned 0x1152920 [0072.839] GetTickCount () returned 0x1152920 [0072.839] GetTickCount () returned 0x1152920 [0072.839] GetTickCount () returned 0x1152920 [0072.839] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.839] GetProcessHeap () returned 0x3a00000 [0072.839] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.839] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x392, lpOverlapped=0x0) returned 1 [0072.840] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc6e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.841] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x392, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x392, lpOverlapped=0x0) returned 1 [0072.841] GetProcessHeap () returned 0x3a00000 [0072.841] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.841] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.841] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.841] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.841] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.841] CloseHandle (hObject=0x440) returned 1 [0072.841] GetProcessHeap () returned 0x3a00000 [0072.841] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.841] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0072.841] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\355__Connections_Cellular_Vodafone RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\355__connections_cellular_vodafone ro (romania)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.842] GetProcessHeap () returned 0x3a00000 [0072.842] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.842] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="356__C~1.PRO")) returned 1 [0072.842] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.842] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.842] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.842] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.842] lstrcmpiW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.842] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.842] StrStrIW (lpFirst="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.842] lstrcmpW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.842] lstrcmpW (lpString1="356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.842] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.843] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.843] GetTickCount () returned 0x115292f [0072.843] GetTickCount () returned 0x115292f [0072.843] GetTickCount () returned 0x115292f [0072.843] GetTickCount () returned 0x115292f [0072.843] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.843] GetProcessHeap () returned 0x3a00000 [0072.843] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.843] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.844] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0072.844] GetProcessHeap () returned 0x3a00000 [0072.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.844] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.845] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.845] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.845] CloseHandle (hObject=0x440) returned 1 [0072.845] GetProcessHeap () returned 0x3a00000 [0072.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.845] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\356__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\356__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.846] GetProcessHeap () returned 0x3a00000 [0072.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.846] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2fb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="357_CO~1.PRO")) returned 1 [0072.846] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.846] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.846] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.846] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.846] lstrcmpiW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.846] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 203 [0072.846] StrStrIW (lpFirst="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.846] lstrcmpW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.846] lstrcmpW (lpString1="357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.846] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.847] GetTickCount () returned 0x115292f [0072.847] GetTickCount () returned 0x115292f [0072.847] GetTickCount () returned 0x115292f [0072.847] GetTickCount () returned 0x115292f [0072.847] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.847] GetProcessHeap () returned 0x3a00000 [0072.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.847] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2fb, lpOverlapped=0x0) returned 1 [0072.849] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.849] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2fb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2fb, lpOverlapped=0x0) returned 1 [0072.849] GetProcessHeap () returned 0x3a00000 [0072.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.849] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.849] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.849] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.849] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.849] CloseHandle (hObject=0x440) returned 1 [0072.849] GetProcessHeap () returned 0x3a00000 [0072.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.849] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 222 [0072.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\357_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\357_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.850] GetProcessHeap () returned 0x3a00000 [0072.850] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.850] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2b7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", cAlternateFileName="358_CO~1.PRO")) returned 1 [0072.850] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.850] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.850] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.850] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.850] lstrcmpiW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.850] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml") returned 203 [0072.850] StrStrIW (lpFirst="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.850] lstrcmpW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.850] lstrcmpW (lpString1="358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.850] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.851] GetTickCount () returned 0x115292f [0072.851] GetTickCount () returned 0x115292f [0072.851] GetTickCount () returned 0x115292f [0072.851] GetTickCount () returned 0x115292f [0072.851] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.851] GetProcessHeap () returned 0x3a00000 [0072.851] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.851] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2b7, lpOverlapped=0x0) returned 1 [0072.852] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd49, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.852] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2b7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2b7, lpOverlapped=0x0) returned 1 [0072.852] GetProcessHeap () returned 0x3a00000 [0072.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.852] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.853] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.853] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.853] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.853] CloseHandle (hObject=0x440) returned 1 [0072.853] GetProcessHeap () returned 0x3a00000 [0072.853] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.853] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 222 [0072.853] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\358_Connections_Cellular_Chelyabinsk Cellular Communications LLC (Russian Federation)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\358_connections_cellular_chelyabinsk cellular communications llc (russian federation)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.854] GetProcessHeap () returned 0x3a00000 [0072.854] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.854] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="359__C~1.PRO")) returned 1 [0072.854] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.854] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.854] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.854] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.854] lstrcmpiW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.854] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 175 [0072.854] StrStrIW (lpFirst="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.854] lstrcmpW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.854] lstrcmpW (lpString1="359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.854] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.854] GetTickCount () returned 0x115292f [0072.854] GetTickCount () returned 0x115292f [0072.854] GetTickCount () returned 0x115292f [0072.854] GetTickCount () returned 0x115292f [0072.854] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.854] GetProcessHeap () returned 0x3a00000 [0072.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.855] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1f1, lpOverlapped=0x0) returned 1 [0072.894] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe0f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.894] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1f1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1f1, lpOverlapped=0x0) returned 1 [0072.895] GetProcessHeap () returned 0x3a00000 [0072.895] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.895] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.895] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.895] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.895] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.895] CloseHandle (hObject=0x440) returned 1 [0072.895] GetProcessHeap () returned 0x3a00000 [0072.895] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.895] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0072.896] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\359__Connections_Cellular_DonTeleCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\359__connections_cellular_dontelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.896] GetProcessHeap () returned 0x3a00000 [0072.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.896] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x347, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="35__CO~1.PRO")) returned 1 [0072.897] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.897] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.897] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.897] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.897] lstrcmpiW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.897] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml") returned 160 [0072.897] StrStrIW (lpFirst="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.897] lstrcmpW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.897] lstrcmpW (lpString1="35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.897] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.897] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.897] GetTickCount () returned 0x115295e [0072.897] GetTickCount () returned 0x115295e [0072.897] GetTickCount () returned 0x115295e [0072.897] GetTickCount () returned 0x115295e [0072.897] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.898] GetProcessHeap () returned 0x3a00000 [0072.898] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.898] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x347, lpOverlapped=0x0) returned 1 [0072.899] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.899] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x347, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x347, lpOverlapped=0x0) returned 1 [0072.899] GetProcessHeap () returned 0x3a00000 [0072.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.899] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.899] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.899] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.899] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.900] CloseHandle (hObject=0x440) returned 1 [0072.900] GetProcessHeap () returned 0x3a00000 [0072.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.900] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0072.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\35__Connections_Cellular_Zain BH (Bahrain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\35__connections_cellular_zain bh (bahrain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.900] GetProcessHeap () returned 0x3a00000 [0072.900] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.900] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d28fbc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d28fbc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d28fbc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x297, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="360__C~1.PRO")) returned 1 [0072.901] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.901] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.901] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.901] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.901] lstrcmpiW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.901] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 174 [0072.901] StrStrIW (lpFirst="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.901] lstrcmpW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.901] lstrcmpW (lpString1="360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.901] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.901] GetTickCount () returned 0x115295e [0072.901] GetTickCount () returned 0x115295e [0072.901] GetTickCount () returned 0x115295e [0072.901] GetTickCount () returned 0x115295e [0072.901] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.901] GetProcessHeap () returned 0x3a00000 [0072.901] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.901] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x297, lpOverlapped=0x0) returned 1 [0072.903] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd69, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.903] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x297, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x297, lpOverlapped=0x0) returned 1 [0072.903] GetProcessHeap () returned 0x3a00000 [0072.903] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.903] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.903] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.903] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.903] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.903] CloseHandle (hObject=0x440) returned 1 [0072.903] GetProcessHeap () returned 0x3a00000 [0072.903] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.903] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0072.903] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\360__Connections_Cellular_Ermak RMS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\360__connections_cellular_ermak rms (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.904] GetProcessHeap () returned 0x3a00000 [0072.904] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.904] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="361__C~1.PRO")) returned 1 [0072.904] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.904] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.904] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.904] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.904] lstrcmpiW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.904] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0072.904] StrStrIW (lpFirst="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.905] lstrcmpW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.905] lstrcmpW (lpString1="361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.905] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.905] GetTickCount () returned 0x115296e [0072.905] GetTickCount () returned 0x115296e [0072.905] GetTickCount () returned 0x115296e [0072.905] GetTickCount () returned 0x115296e [0072.905] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.906] GetProcessHeap () returned 0x3a00000 [0072.906] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.906] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0072.907] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.907] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0072.907] GetProcessHeap () returned 0x3a00000 [0072.907] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.907] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.907] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.907] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.908] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.908] CloseHandle (hObject=0x440) returned 1 [0072.908] GetProcessHeap () returned 0x3a00000 [0072.908] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.908] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0072.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\361__Connections_Cellular_MegaFon (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\361__connections_cellular_megafon (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.908] GetProcessHeap () returned 0x3a00000 [0072.908] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.908] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="362__C~1.PRO")) returned 1 [0072.912] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.912] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.912] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.912] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.912] lstrcmpiW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.912] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.912] StrStrIW (lpFirst="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.912] lstrcmpW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.912] lstrcmpW (lpString1="362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.912] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.912] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.912] GetTickCount () returned 0x115296e [0072.912] GetTickCount () returned 0x115296e [0072.912] GetTickCount () returned 0x115296e [0072.912] GetTickCount () returned 0x115296e [0072.912] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.913] GetProcessHeap () returned 0x3a00000 [0072.913] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.913] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0072.913] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.914] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0072.914] GetProcessHeap () returned 0x3a00000 [0072.914] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.914] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.914] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.914] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.914] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.915] CloseHandle (hObject=0x440) returned 1 [0072.915] GetProcessHeap () returned 0x3a00000 [0072.915] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.915] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.915] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\362__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\362__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.915] GetProcessHeap () returned 0x3a00000 [0072.915] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.915] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="363__C~1.PRO")) returned 1 [0072.915] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.916] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.916] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.916] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.916] lstrcmpiW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.916] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 168 [0072.916] StrStrIW (lpFirst="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.916] lstrcmpW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.916] lstrcmpW (lpString1="363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.916] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.916] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.916] GetTickCount () returned 0x115296e [0072.916] GetTickCount () returned 0x115296e [0072.916] GetTickCount () returned 0x115296e [0072.916] GetTickCount () returned 0x115296e [0072.916] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.916] GetProcessHeap () returned 0x3a00000 [0072.916] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.916] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0072.918] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.918] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0072.918] GetProcessHeap () returned 0x3a00000 [0072.918] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.918] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.918] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.918] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.918] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.919] CloseHandle (hObject=0x440) returned 1 [0072.919] GetProcessHeap () returned 0x3a00000 [0072.919] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.919] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0072.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\363__Connections_Cellular_MTS (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\363__connections_cellular_mts (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.919] GetProcessHeap () returned 0x3a00000 [0072.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.919] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="364__C~1.PRO")) returned 1 [0072.920] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0072.920] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0072.920] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0072.920] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0072.920] lstrcmpiW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0072.920] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0072.920] StrStrIW (lpFirst="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0072.922] lstrcmpW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.922] lstrcmpW (lpString1="364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0072.922] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.922] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.922] GetTickCount () returned 0x115297d [0072.922] GetTickCount () returned 0x115297d [0072.922] GetTickCount () returned 0x115297d [0072.922] GetTickCount () returned 0x115297d [0072.922] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.922] GetProcessHeap () returned 0x3a00000 [0072.923] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.923] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0072.924] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.924] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0072.924] GetProcessHeap () returned 0x3a00000 [0072.924] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.924] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.924] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.926] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.926] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.926] CloseHandle (hObject=0x440) returned 1 [0072.926] GetProcessHeap () returned 0x3a00000 [0072.926] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.926] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0072.926] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\364__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\364__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.927] GetProcessHeap () returned 0x3a00000 [0072.927] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.927] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d4f224, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d4f224, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d4f224, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="365__C~1.PRO")) returned 1 [0072.927] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.927] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.927] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.927] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.927] lstrcmpiW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.927] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 168 [0072.927] StrStrIW (lpFirst="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.927] lstrcmpW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.927] lstrcmpW (lpString1="365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.927] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.927] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.928] GetTickCount () returned 0x115297d [0072.928] GetTickCount () returned 0x115297d [0072.928] GetTickCount () returned 0x115297d [0072.928] GetTickCount () returned 0x115297d [0072.928] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.928] GetProcessHeap () returned 0x3a00000 [0072.928] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.928] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0072.929] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.929] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0072.930] GetProcessHeap () returned 0x3a00000 [0072.930] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.930] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.930] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.930] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.930] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.930] CloseHandle (hObject=0x440) returned 1 [0072.930] GetProcessHeap () returned 0x3a00000 [0072.930] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.930] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0072.930] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\365__Connections_Cellular_NCC (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\365__connections_cellular_ncc (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.931] GetProcessHeap () returned 0x3a00000 [0072.931] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.931] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="366__C~1.PRO")) returned 1 [0072.931] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.931] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.931] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.931] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.931] lstrcmpiW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.931] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 187 [0072.931] StrStrIW (lpFirst="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.931] lstrcmpW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.931] lstrcmpW (lpString1="366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.931] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.931] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.931] GetTickCount () returned 0x115297d [0072.931] GetTickCount () returned 0x115297d [0072.931] GetTickCount () returned 0x115297d [0072.931] GetTickCount () returned 0x115297d [0072.932] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.932] GetProcessHeap () returned 0x3a00000 [0072.932] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.932] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2a1, lpOverlapped=0x0) returned 1 [0072.958] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd5f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.958] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2a1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2a1, lpOverlapped=0x0) returned 1 [0072.959] GetProcessHeap () returned 0x3a00000 [0072.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.959] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.959] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.959] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.959] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.959] CloseHandle (hObject=0x440) returned 1 [0072.959] GetProcessHeap () returned 0x3a00000 [0072.959] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.959] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 206 [0072.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\366__Connections_Cellular_NTC (New Telephone Co) (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\366__connections_cellular_ntc (new telephone co) (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.960] GetProcessHeap () returned 0x3a00000 [0072.960] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.960] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="367__C~1.PRO")) returned 1 [0072.960] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.960] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.960] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.961] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.961] lstrcmpiW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.961] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 182 [0072.961] StrStrIW (lpFirst="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.961] lstrcmpW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.961] lstrcmpW (lpString1="367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.961] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.961] GetTickCount () returned 0x115299d [0072.961] GetTickCount () returned 0x115299d [0072.961] GetTickCount () returned 0x115299d [0072.961] GetTickCount () returned 0x115299d [0072.961] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.961] GetProcessHeap () returned 0x3a00000 [0072.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.961] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1f8, lpOverlapped=0x0) returned 1 [0072.963] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe08, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.963] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1f8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1f8, lpOverlapped=0x0) returned 1 [0072.964] GetProcessHeap () returned 0x3a00000 [0072.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.964] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.964] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.964] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.964] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.964] CloseHandle (hObject=0x440) returned 1 [0072.964] GetProcessHeap () returned 0x3a00000 [0072.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.964] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0072.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\367__Connections_Cellular_OJSC Sibirtelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\367__connections_cellular_ojsc sibirtelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.965] GetProcessHeap () returned 0x3a00000 [0072.965] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.965] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="368__C~1.PRO")) returned 1 [0072.965] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.965] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.965] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.965] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.965] lstrcmpiW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 179 [0072.965] StrStrIW (lpFirst="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.966] lstrcmpW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.966] lstrcmpW (lpString1="368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.966] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.966] GetTickCount () returned 0x115299d [0072.966] GetTickCount () returned 0x115299d [0072.966] GetTickCount () returned 0x115299d [0072.966] GetTickCount () returned 0x115299d [0072.966] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.966] GetProcessHeap () returned 0x3a00000 [0072.966] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.966] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e2, lpOverlapped=0x0) returned 1 [0072.968] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.968] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e2, lpOverlapped=0x0) returned 1 [0072.968] GetProcessHeap () returned 0x3a00000 [0072.968] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.968] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.968] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.968] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.969] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.969] CloseHandle (hObject=0x440) returned 1 [0072.969] GetProcessHeap () returned 0x3a00000 [0072.969] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.969] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0072.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\368__Connections_Cellular_OJSC VimpelCom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\368__connections_cellular_ojsc vimpelcom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.969] GetProcessHeap () returned 0x3a00000 [0072.970] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.970] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d7548b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d7548b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d7548b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="369__C~1.PRO")) returned 1 [0072.970] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.970] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.970] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.970] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.970] lstrcmpiW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.970] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0072.970] StrStrIW (lpFirst="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.970] lstrcmpW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.970] lstrcmpW (lpString1="369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.970] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.970] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.970] GetTickCount () returned 0x11529ac [0072.970] GetTickCount () returned 0x11529ac [0072.970] GetTickCount () returned 0x11529ac [0072.970] GetTickCount () returned 0x11529ac [0072.970] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.970] GetProcessHeap () returned 0x3a00000 [0072.970] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.971] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0072.972] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.972] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0072.972] GetProcessHeap () returned 0x3a00000 [0072.972] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.972] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.972] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.972] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.973] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.973] CloseHandle (hObject=0x440) returned 1 [0072.973] GetProcessHeap () returned 0x3a00000 [0072.973] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.973] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0072.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\369__Connections_Cellular_PrimTel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\369__connections_cellular_primtel (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.973] GetProcessHeap () returned 0x3a00000 [0072.973] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.974] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", cAlternateFileName="36__CO~1.PRO")) returned 1 [0072.974] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.974] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.974] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.974] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.974] lstrcmpiW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml") returned 169 [0072.974] StrStrIW (lpFirst="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.974] lstrcmpW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.974] lstrcmpW (lpString1="36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.974] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.974] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.974] GetTickCount () returned 0x11529ac [0072.974] GetTickCount () returned 0x11529ac [0072.974] GetTickCount () returned 0x11529ac [0072.974] GetTickCount () returned 0x11529ac [0072.974] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.974] GetProcessHeap () returned 0x3a00000 [0072.974] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.974] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0072.976] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.976] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0072.976] GetProcessHeap () returned 0x3a00000 [0072.976] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.976] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.976] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.976] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.977] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.977] CloseHandle (hObject=0x440) returned 1 [0072.977] GetProcessHeap () returned 0x3a00000 [0072.977] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.977] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0072.977] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\36__Connections_Cellular_Grameen Phone (Bangladesh)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\36__connections_cellular_grameen phone (bangladesh)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.977] GetProcessHeap () returned 0x3a00000 [0072.977] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.977] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x315, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="370__C~1.PRO")) returned 1 [0072.977] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.978] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.978] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.978] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.978] lstrcmpiW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.978] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 172 [0072.978] StrStrIW (lpFirst="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.978] lstrcmpW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.978] lstrcmpW (lpString1="370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.978] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.978] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.978] GetTickCount () returned 0x11529ac [0072.978] GetTickCount () returned 0x11529ac [0072.978] GetTickCount () returned 0x11529ac [0072.978] GetTickCount () returned 0x11529ac [0072.978] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.978] GetProcessHeap () returned 0x3a00000 [0072.978] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.978] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x315, lpOverlapped=0x0) returned 1 [0072.980] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffceb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0072.980] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x315, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x315, lpOverlapped=0x0) returned 1 [0072.980] GetProcessHeap () returned 0x3a00000 [0072.980] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0072.980] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.980] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0072.980] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0072.980] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0072.980] CloseHandle (hObject=0x440) returned 1 [0072.980] GetProcessHeap () returned 0x3a00000 [0072.980] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0072.980] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0072.981] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\370__Connections_Cellular_Uraltel (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\370__connections_cellular_uraltel (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0072.981] GetProcessHeap () returned 0x3a00000 [0072.981] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0072.981] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", cAlternateFileName="371__C~1.PRO")) returned 1 [0072.981] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0072.981] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0072.981] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0072.981] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0072.981] lstrcmpiW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0072.981] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml") returned 179 [0072.981] StrStrIW (lpFirst="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0072.981] lstrcmpW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0072.981] lstrcmpW (lpString1="371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0072.982] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0072.982] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0072.982] GetTickCount () returned 0x11529ac [0072.982] GetTickCount () returned 0x11529ac [0072.982] GetTickCount () returned 0x11529ac [0072.982] GetTickCount () returned 0x11529ac [0072.982] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0072.982] GetProcessHeap () returned 0x3a00000 [0072.982] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0072.982] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0073.022] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.022] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2de, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2de, lpOverlapped=0x0) returned 1 [0073.022] GetProcessHeap () returned 0x3a00000 [0073.022] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.022] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.022] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.023] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.023] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.023] CloseHandle (hObject=0x440) returned 1 [0073.023] GetProcessHeap () returned 0x3a00000 [0073.023] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.023] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0073.023] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\371__Connections_Cellular_Yeniseytelecom (Russian Federation)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\371__connections_cellular_yeniseytelecom (russian federation)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.024] GetProcessHeap () returned 0x3a00000 [0073.024] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.024] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="372__C~1.PRO")) returned 1 [0073.024] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.024] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.024] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.024] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.024] lstrcmpiW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.024] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 165 [0073.024] StrStrIW (lpFirst="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.024] lstrcmpW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.024] lstrcmpW (lpString1="372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.024] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.024] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.025] GetTickCount () returned 0x11529db [0073.025] GetTickCount () returned 0x11529db [0073.025] GetTickCount () returned 0x11529db [0073.025] GetTickCount () returned 0x11529db [0073.026] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.026] GetProcessHeap () returned 0x3a00000 [0073.026] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.026] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.027] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.027] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.027] GetProcessHeap () returned 0x3a00000 [0073.027] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.027] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.027] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.028] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.028] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.028] CloseHandle (hObject=0x440) returned 1 [0073.028] GetProcessHeap () returned 0x3a00000 [0073.028] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.028] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\372__Connections_Cellular_Mobily (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\372__connections_cellular_mobily (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.029] GetProcessHeap () returned 0x3a00000 [0073.029] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.029] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="373__C~1.PRO")) returned 1 [0073.029] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.029] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.029] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.029] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.029] lstrcmpiW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.029] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml") returned 165 [0073.029] StrStrIW (lpFirst="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.029] lstrcmpW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.029] lstrcmpW (lpString1="373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.029] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.029] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.029] GetTickCount () returned 0x11529db [0073.030] GetTickCount () returned 0x11529eb [0073.030] GetTickCount () returned 0x11529eb [0073.030] GetTickCount () returned 0x11529eb [0073.030] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.030] GetProcessHeap () returned 0x3a00000 [0073.030] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.030] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.031] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.031] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.031] GetProcessHeap () returned 0x3a00000 [0073.031] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.031] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.032] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.032] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.032] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.032] CloseHandle (hObject=0x440) returned 1 [0073.032] GetProcessHeap () returned 0x3a00000 [0073.032] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.032] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\373__Connections_Cellular_Mobily (Saudi Arabia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\373__connections_cellular_mobily (saudi arabia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.033] GetProcessHeap () returned 0x3a00000 [0073.033] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.033] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90d9b6fb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90d9b6fb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90d9b6fb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="374__C~1.PRO")) returned 1 [0073.033] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.033] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.033] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.033] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.033] lstrcmpiW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.033] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.033] StrStrIW (lpFirst="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.033] lstrcmpW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.033] lstrcmpW (lpString1="374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.033] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.033] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.033] GetTickCount () returned 0x11529eb [0073.033] GetTickCount () returned 0x11529eb [0073.033] GetTickCount () returned 0x11529eb [0073.033] GetTickCount () returned 0x11529eb [0073.033] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.033] GetProcessHeap () returned 0x3a00000 [0073.033] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.033] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cf, lpOverlapped=0x0) returned 1 [0073.039] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.039] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cf, lpOverlapped=0x0) returned 1 [0073.039] GetProcessHeap () returned 0x3a00000 [0073.039] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.039] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.039] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.040] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.040] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.040] CloseHandle (hObject=0x440) returned 1 [0073.040] GetProcessHeap () returned 0x3a00000 [0073.040] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.040] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.040] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\374__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\374__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.041] GetProcessHeap () returned 0x3a00000 [0073.041] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.041] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="375__C~1.PRO")) returned 1 [0073.041] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.041] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.041] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.041] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.041] lstrcmpiW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.041] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 175 [0073.041] StrStrIW (lpFirst="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.041] lstrcmpW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.041] lstrcmpW (lpString1="375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.041] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.041] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.042] GetTickCount () returned 0x11529eb [0073.042] GetTickCount () returned 0x11529eb [0073.042] GetTickCount () returned 0x11529eb [0073.042] GetTickCount () returned 0x11529eb [0073.042] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.042] GetProcessHeap () returned 0x3a00000 [0073.042] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.042] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0073.043] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.043] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0073.043] GetProcessHeap () returned 0x3a00000 [0073.043] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.043] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.043] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.044] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.044] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.044] CloseHandle (hObject=0x440) returned 1 [0073.044] GetProcessHeap () returned 0x3a00000 [0073.044] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.044] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0073.044] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\375__Connections_Cellular_MTC Saudi Arabia (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\375__connections_cellular_mtc saudi arabia (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.045] GetProcessHeap () returned 0x3a00000 [0073.045] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.045] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="376__C~1.PRO")) returned 1 [0073.045] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.045] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.045] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.045] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.045] lstrcmpiW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.045] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml") returned 162 [0073.045] StrStrIW (lpFirst="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.045] lstrcmpW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.045] lstrcmpW (lpString1="376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.045] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.045] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.045] GetTickCount () returned 0x11529fa [0073.045] GetTickCount () returned 0x11529fa [0073.045] GetTickCount () returned 0x11529fa [0073.045] GetTickCount () returned 0x11529fa [0073.045] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.045] GetProcessHeap () returned 0x3a00000 [0073.045] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.046] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0073.047] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.047] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0073.047] GetProcessHeap () returned 0x3a00000 [0073.047] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.047] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.047] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.047] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.047] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.047] CloseHandle (hObject=0x440) returned 1 [0073.047] GetProcessHeap () returned 0x3a00000 [0073.048] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.048] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.048] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\376__Connections_Cellular_STC (Saudi Arabia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\376__connections_cellular_stc (saudi arabia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.048] GetProcessHeap () returned 0x3a00000 [0073.048] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.048] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90dc1962, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90dc1962, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90dc1962, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", cAlternateFileName="377__C~1.PRO")) returned 1 [0073.050] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.050] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.050] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.050] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.050] lstrcmpiW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.050] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml") returned 195 [0073.050] StrStrIW (lpFirst="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.050] lstrcmpW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.050] lstrcmpW (lpString1="377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.050] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.050] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.050] GetTickCount () returned 0x11529fa [0073.050] GetTickCount () returned 0x11529fa [0073.050] GetTickCount () returned 0x11529fa [0073.050] GetTickCount () returned 0x11529fa [0073.050] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.051] GetProcessHeap () returned 0x3a00000 [0073.051] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.051] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e7, lpOverlapped=0x0) returned 1 [0073.052] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd19, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.052] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e7, lpOverlapped=0x0) returned 1 [0073.052] GetProcessHeap () returned 0x3a00000 [0073.052] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.052] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.052] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.053] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.053] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.053] CloseHandle (hObject=0x440) returned 1 [0073.053] GetProcessHeap () returned 0x3a00000 [0073.053] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.053] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 214 [0073.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\377__Connections_Cellular_Mobilna telefonija Srbije RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\377__connections_cellular_mobilna telefonija srbije rs (serbia (republic of))_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.054] GetProcessHeap () returned 0x3a00000 [0073.054] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.054] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x386, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="378__C~1.PRO")) returned 1 [0073.054] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.054] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.054] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.054] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.054] lstrcmpiW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.054] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml") returned 160 [0073.054] StrStrIW (lpFirst="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.054] lstrcmpW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.054] lstrcmpW (lpString1="378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.054] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.054] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.054] GetTickCount () returned 0x11529fa [0073.054] GetTickCount () returned 0x11529fa [0073.054] GetTickCount () returned 0x11529fa [0073.054] GetTickCount () returned 0x11529fa [0073.054] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.055] GetProcessHeap () returned 0x3a00000 [0073.055] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.055] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x386, lpOverlapped=0x0) returned 1 [0073.056] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.056] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x386, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x386, lpOverlapped=0x0) returned 1 [0073.056] GetProcessHeap () returned 0x3a00000 [0073.056] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.056] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.056] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.056] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.056] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.056] CloseHandle (hObject=0x440) returned 1 [0073.056] GetProcessHeap () returned 0x3a00000 [0073.056] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.056] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\378__Connections_Cellular_Telenor (Serbia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\378__connections_cellular_telenor (serbia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.057] GetProcessHeap () returned 0x3a00000 [0073.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.057] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="379__C~1.PRO")) returned 1 [0073.057] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.057] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.057] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.057] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.057] lstrcmpiW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.057] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml") returned 160 [0073.057] StrStrIW (lpFirst="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.057] lstrcmpW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.057] lstrcmpW (lpString1="379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.057] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.058] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.058] GetTickCount () returned 0x11529fa [0073.058] GetTickCount () returned 0x11529fa [0073.058] GetTickCount () returned 0x11529fa [0073.058] GetTickCount () returned 0x11529fa [0073.058] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.058] GetProcessHeap () returned 0x3a00000 [0073.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.058] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x37c, lpOverlapped=0x0) returned 1 [0073.059] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.059] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x37c, lpOverlapped=0x0) returned 1 [0073.060] GetProcessHeap () returned 0x3a00000 [0073.060] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.060] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.060] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.060] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.060] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.060] CloseHandle (hObject=0x440) returned 1 [0073.060] GetProcessHeap () returned 0x3a00000 [0073.060] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.060] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.060] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\379__Connections_Cellular_Telenor (Serbia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\379__connections_cellular_telenor (serbia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.160] GetProcessHeap () returned 0x3a00000 [0073.160] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.160] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901fba3a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901fba3a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x901fba3a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="37__CO~1.PRO")) returned 1 [0073.160] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.160] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.160] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.161] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.161] lstrcmpiW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.161] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml") returned 157 [0073.161] StrStrIW (lpFirst="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.161] lstrcmpW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.161] lstrcmpW (lpString1="37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.161] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.161] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.162] GetTickCount () returned 0x1152a68 [0073.162] GetTickCount () returned 0x1152a68 [0073.162] GetTickCount () returned 0x1152a68 [0073.162] GetTickCount () returned 0x1152a68 [0073.163] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.163] GetProcessHeap () returned 0x3a00000 [0073.163] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.163] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.166] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.166] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.166] GetProcessHeap () returned 0x3a00000 [0073.166] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.166] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.167] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.167] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.167] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.167] CloseHandle (hObject=0x440) returned 1 [0073.167] GetProcessHeap () returned 0x3a00000 [0073.167] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.167] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0073.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\37__Connections_Cellular_BeST (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\37__connections_cellular_best (belarus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.169] GetProcessHeap () returned 0x3a00000 [0073.169] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.169] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="380__C~1.PRO")) returned 1 [0073.169] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.169] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.169] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.169] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.169] lstrcmpiW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.169] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.169] StrStrIW (lpFirst="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.169] lstrcmpW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.169] lstrcmpW (lpString1="380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.169] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.170] GetTickCount () returned 0x1152a68 [0073.170] GetTickCount () returned 0x1152a68 [0073.170] GetTickCount () returned 0x1152a68 [0073.170] GetTickCount () returned 0x1152a68 [0073.170] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.170] GetProcessHeap () returned 0x3a00000 [0073.170] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.170] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cd, lpOverlapped=0x0) returned 1 [0073.173] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.173] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cd, lpOverlapped=0x0) returned 1 [0073.173] GetProcessHeap () returned 0x3a00000 [0073.173] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.173] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.173] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.175] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.175] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.175] CloseHandle (hObject=0x440) returned 1 [0073.175] GetProcessHeap () returned 0x3a00000 [0073.175] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.175] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\380__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\380__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.176] GetProcessHeap () returned 0x3a00000 [0073.176] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.176] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x31e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", cAlternateFileName="381__C~1.PRO")) returned 1 [0073.176] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.176] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.176] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.176] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.176] lstrcmpiW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.176] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml") returned 180 [0073.176] StrStrIW (lpFirst="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.176] lstrcmpW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.176] lstrcmpW (lpString1="381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.176] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.176] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.177] GetTickCount () returned 0x1152a77 [0073.177] GetTickCount () returned 0x1152a77 [0073.177] GetTickCount () returned 0x1152a77 [0073.177] GetTickCount () returned 0x1152a77 [0073.177] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.177] GetProcessHeap () returned 0x3a00000 [0073.177] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.177] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x31e, lpOverlapped=0x0) returned 1 [0073.212] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffce2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.212] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x31e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x31e, lpOverlapped=0x0) returned 1 [0073.212] GetProcessHeap () returned 0x3a00000 [0073.212] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.212] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.213] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.213] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.213] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.213] CloseHandle (hObject=0x440) returned 1 [0073.213] GetProcessHeap () returned 0x3a00000 [0073.213] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.213] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0073.213] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\381__Connections_Cellular_Vip Mobile RS (Serbia (Republic of))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\381__connections_cellular_vip mobile rs (serbia (republic of))_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.218] GetProcessHeap () returned 0x3a00000 [0073.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.218] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90de7bce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90de7bce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90de7bce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="382__C~1.PRO")) returned 1 [0073.218] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.218] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.219] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.219] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.219] lstrcmpiW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.219] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml") returned 165 [0073.219] StrStrIW (lpFirst="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.219] lstrcmpW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.219] lstrcmpW (lpString1="382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.219] GetTickCount () returned 0x1152aa6 [0073.219] GetTickCount () returned 0x1152aa6 [0073.219] GetTickCount () returned 0x1152aa6 [0073.219] GetTickCount () returned 0x1152aa6 [0073.219] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.219] GetProcessHeap () returned 0x3a00000 [0073.219] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.219] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0073.222] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.222] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0073.222] GetProcessHeap () returned 0x3a00000 [0073.222] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.222] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.222] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.222] CloseHandle (hObject=0x440) returned 1 [0073.222] GetProcessHeap () returned 0x3a00000 [0073.222] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.222] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.222] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\382__Connections_Cellular_MobileOne (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\382__connections_cellular_mobileone (singapore)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.223] GetProcessHeap () returned 0x3a00000 [0073.223] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.223] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="383__C~1.PRO")) returned 1 [0073.223] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.223] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.223] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.223] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.223] lstrcmpiW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.223] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml") returned 165 [0073.223] StrStrIW (lpFirst="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.223] lstrcmpW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.223] lstrcmpW (lpString1="383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.223] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.224] GetTickCount () returned 0x1152aa6 [0073.224] GetTickCount () returned 0x1152aa6 [0073.224] GetTickCount () returned 0x1152aa6 [0073.224] GetTickCount () returned 0x1152aa6 [0073.224] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.225] GetProcessHeap () returned 0x3a00000 [0073.225] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.225] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0073.226] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.226] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0073.226] GetProcessHeap () returned 0x3a00000 [0073.226] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.226] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.226] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.226] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.226] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.227] CloseHandle (hObject=0x440) returned 1 [0073.227] GetProcessHeap () returned 0x3a00000 [0073.227] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.227] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.227] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\383__Connections_Cellular_MobileOne (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\383__connections_cellular_mobileone (singapore)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.227] GetProcessHeap () returned 0x3a00000 [0073.227] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.227] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="384__C~1.PRO")) returned 1 [0073.227] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.227] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.228] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.228] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.228] lstrcmpiW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.228] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml") returned 163 [0073.228] StrStrIW (lpFirst="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.228] lstrcmpW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.228] lstrcmpW (lpString1="384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.228] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.228] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.228] GetTickCount () returned 0x1152aa6 [0073.228] GetTickCount () returned 0x1152aa6 [0073.228] GetTickCount () returned 0x1152aa6 [0073.228] GetTickCount () returned 0x1152aa6 [0073.228] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.228] GetProcessHeap () returned 0x3a00000 [0073.228] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.228] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.230] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.230] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.230] GetProcessHeap () returned 0x3a00000 [0073.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.230] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.230] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.230] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.230] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.230] CloseHandle (hObject=0x440) returned 1 [0073.230] GetProcessHeap () returned 0x3a00000 [0073.230] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.230] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.230] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\384__Connections_Cellular_Singtel (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\384__connections_cellular_singtel (singapore)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.231] GetProcessHeap () returned 0x3a00000 [0073.231] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.231] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="385__C~1.PRO")) returned 1 [0073.231] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.231] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.231] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.231] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.231] lstrcmpiW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.231] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml") returned 163 [0073.231] StrStrIW (lpFirst="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.231] lstrcmpW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.231] lstrcmpW (lpString1="385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.231] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.231] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.232] GetTickCount () returned 0x1152aa6 [0073.232] GetTickCount () returned 0x1152aa6 [0073.232] GetTickCount () returned 0x1152aa6 [0073.232] GetTickCount () returned 0x1152aa6 [0073.232] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.232] GetProcessHeap () returned 0x3a00000 [0073.232] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.232] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.233] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.233] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.234] GetProcessHeap () returned 0x3a00000 [0073.234] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.234] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.234] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.234] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.234] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.234] CloseHandle (hObject=0x440) returned 1 [0073.234] GetProcessHeap () returned 0x3a00000 [0073.234] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.234] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.234] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\385__Connections_Cellular_Singtel (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\385__connections_cellular_singtel (singapore)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.235] GetProcessHeap () returned 0x3a00000 [0073.235] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.235] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", cAlternateFileName="386__C~1.PRO")) returned 1 [0073.235] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.235] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.235] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.235] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.235] lstrcmpiW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.235] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml") returned 163 [0073.235] StrStrIW (lpFirst="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.235] lstrcmpW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.235] lstrcmpW (lpString1="386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.235] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.235] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.235] GetTickCount () returned 0x1152ab6 [0073.236] GetTickCount () returned 0x1152ab6 [0073.236] GetTickCount () returned 0x1152ab6 [0073.236] GetTickCount () returned 0x1152ab6 [0073.236] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.236] GetProcessHeap () returned 0x3a00000 [0073.236] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.236] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.237] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.237] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.237] GetProcessHeap () returned 0x3a00000 [0073.237] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.237] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.237] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.238] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.238] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.238] CloseHandle (hObject=0x440) returned 1 [0073.238] GetProcessHeap () returned 0x3a00000 [0073.238] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.238] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\386__Connections_Cellular_Singtel (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\386__connections_cellular_singtel (singapore)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.239] GetProcessHeap () returned 0x3a00000 [0073.239] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.239] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e0de39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e0de39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e0de39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", cAlternateFileName="387__C~1.PRO")) returned 1 [0073.239] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.239] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.239] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.239] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.239] lstrcmpiW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.239] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml") returned 163 [0073.239] StrStrIW (lpFirst="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.239] lstrcmpW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.239] lstrcmpW (lpString1="387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.239] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.239] GetTickCount () returned 0x1152ab6 [0073.239] GetTickCount () returned 0x1152ab6 [0073.239] GetTickCount () returned 0x1152ab6 [0073.239] GetTickCount () returned 0x1152ab6 [0073.239] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.240] GetProcessHeap () returned 0x3a00000 [0073.240] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.240] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.241] GetProcessHeap () returned 0x3a00000 [0073.241] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.241] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.241] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.241] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.241] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.242] CloseHandle (hObject=0x440) returned 1 [0073.242] GetProcessHeap () returned 0x3a00000 [0073.242] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.242] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.242] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\387__Connections_Cellular_Singtel (Singapore)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\387__connections_cellular_singtel (singapore)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.242] GetProcessHeap () returned 0x3a00000 [0073.242] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.242] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", cAlternateFileName="388__C~1.PRO")) returned 1 [0073.242] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.243] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.243] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.243] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.243] lstrcmpiW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.243] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml") returned 163 [0073.243] StrStrIW (lpFirst="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.243] lstrcmpW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.243] lstrcmpW (lpString1="388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.243] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.243] GetTickCount () returned 0x1152ab6 [0073.243] GetTickCount () returned 0x1152ab6 [0073.243] GetTickCount () returned 0x1152ab6 [0073.243] GetTickCount () returned 0x1152ab6 [0073.243] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.243] GetProcessHeap () returned 0x3a00000 [0073.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.243] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0073.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0073.245] GetProcessHeap () returned 0x3a00000 [0073.245] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.245] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.245] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.245] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.245] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.245] CloseHandle (hObject=0x440) returned 1 [0073.245] GetProcessHeap () returned 0x3a00000 [0073.245] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.245] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.246] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\388__Connections_Cellular_Starhub (Singapore)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\388__connections_cellular_starhub (singapore)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.246] GetProcessHeap () returned 0x3a00000 [0073.246] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.246] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", cAlternateFileName="389__C~1.PRO")) returned 1 [0073.246] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.246] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.246] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.246] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.246] lstrcmpiW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.246] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml") returned 163 [0073.246] StrStrIW (lpFirst="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.246] lstrcmpW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.246] lstrcmpW (lpString1="389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.247] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.247] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.247] GetTickCount () returned 0x1152ab6 [0073.247] GetTickCount () returned 0x1152ab6 [0073.247] GetTickCount () returned 0x1152ab6 [0073.247] GetTickCount () returned 0x1152ab6 [0073.247] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.247] GetProcessHeap () returned 0x3a00000 [0073.247] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.247] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0073.255] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.255] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0073.255] GetProcessHeap () returned 0x3a00000 [0073.255] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.255] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.255] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.255] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.255] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.255] CloseHandle (hObject=0x440) returned 1 [0073.256] GetProcessHeap () returned 0x3a00000 [0073.256] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.256] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.256] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\389__Connections_Cellular_Starhub (Singapore)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\389__connections_cellular_starhub (singapore)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.256] GetProcessHeap () returned 0x3a00000 [0073.256] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.256] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x319, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="38__CO~1.PRO")) returned 1 [0073.256] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.256] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.256] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.256] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.257] lstrcmpiW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.257] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml") returned 176 [0073.257] StrStrIW (lpFirst="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.257] lstrcmpW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.257] lstrcmpW (lpString1="38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.257] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.257] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.257] GetTickCount () returned 0x1152ac5 [0073.257] GetTickCount () returned 0x1152ac5 [0073.257] GetTickCount () returned 0x1152ac5 [0073.257] GetTickCount () returned 0x1152ac5 [0073.257] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.257] GetProcessHeap () returned 0x3a00000 [0073.257] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.257] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x319, lpOverlapped=0x0) returned 1 [0073.259] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffce7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.259] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x319, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x319, lpOverlapped=0x0) returned 1 [0073.259] GetProcessHeap () returned 0x3a00000 [0073.259] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.259] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.259] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.259] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.260] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.260] CloseHandle (hObject=0x440) returned 1 [0073.260] GetProcessHeap () returned 0x3a00000 [0073.260] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.260] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0073.260] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\38__Connections_Cellular_JLLC Mobile TeleSystems (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\38__connections_cellular_jllc mobile telesystems (belarus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.260] GetProcessHeap () returned 0x3a00000 [0073.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.260] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e340a5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e340a5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e340a5, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", cAlternateFileName="390__C~1.PRO")) returned 1 [0073.260] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.261] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.261] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.261] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.261] lstrcmpiW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.261] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml") returned 163 [0073.261] StrStrIW (lpFirst="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.261] lstrcmpW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.261] lstrcmpW (lpString1="390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.261] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.262] GetTickCount () returned 0x1152ac5 [0073.262] GetTickCount () returned 0x1152ac5 [0073.262] GetTickCount () returned 0x1152ac5 [0073.262] GetTickCount () returned 0x1152ac5 [0073.262] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.262] GetProcessHeap () returned 0x3a00000 [0073.262] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.262] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.263] GetProcessHeap () returned 0x3a00000 [0073.263] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.263] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.264] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.264] CloseHandle (hObject=0x440) returned 1 [0073.277] GetProcessHeap () returned 0x3a00000 [0073.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.277] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\390__Connections_Cellular_Starhub (Singapore)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\390__connections_cellular_starhub (singapore)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.278] GetProcessHeap () returned 0x3a00000 [0073.278] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.278] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="391__C~1.PRO")) returned 1 [0073.278] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.278] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.278] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.278] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.278] lstrcmpiW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.278] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml") returned 157 [0073.278] StrStrIW (lpFirst="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.278] lstrcmpW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.278] lstrcmpW (lpString1="391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.278] GetTickCount () returned 0x1152ad5 [0073.278] GetTickCount () returned 0x1152ad5 [0073.278] GetTickCount () returned 0x1152ad5 [0073.278] GetTickCount () returned 0x1152ad5 [0073.278] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.279] GetProcessHeap () returned 0x3a00000 [0073.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.279] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x281, lpOverlapped=0x0) returned 1 [0073.290] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.290] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x281, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x281, lpOverlapped=0x0) returned 1 [0073.290] GetProcessHeap () returned 0x3a00000 [0073.290] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.290] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.290] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.290] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.290] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.290] CloseHandle (hObject=0x440) returned 1 [0073.290] GetProcessHeap () returned 0x3a00000 [0073.290] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.291] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0073.291] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\391__Connections_Cellular_O2 (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\391__connections_cellular_o2 (slovakia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.292] GetProcessHeap () returned 0x3a00000 [0073.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.292] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="392__C~1.PRO")) returned 1 [0073.294] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.294] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.294] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.294] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.294] lstrcmpiW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.294] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml") returned 161 [0073.294] StrStrIW (lpFirst="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.294] lstrcmpW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.294] lstrcmpW (lpString1="392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.294] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.294] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.294] GetTickCount () returned 0x1152af4 [0073.295] GetTickCount () returned 0x1152af4 [0073.295] GetTickCount () returned 0x1152af4 [0073.295] GetTickCount () returned 0x1152af4 [0073.295] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.295] GetProcessHeap () returned 0x3a00000 [0073.295] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.295] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.296] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.296] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.296] GetProcessHeap () returned 0x3a00000 [0073.296] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.296] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.297] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.297] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.297] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.297] CloseHandle (hObject=0x440) returned 1 [0073.297] GetProcessHeap () returned 0x3a00000 [0073.297] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.297] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.297] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\392__Connections_Cellular_Orange (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\392__connections_cellular_orange (slovakia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.298] GetProcessHeap () returned 0x3a00000 [0073.298] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.298] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e5a314, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="393__C~1.PRO")) returned 1 [0073.298] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.298] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.298] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.298] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.298] lstrcmpiW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.298] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml") returned 169 [0073.298] StrStrIW (lpFirst="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.298] lstrcmpW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.298] lstrcmpW (lpString1="393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.298] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.298] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.298] GetTickCount () returned 0x1152af4 [0073.298] GetTickCount () returned 0x1152af4 [0073.298] GetTickCount () returned 0x1152af4 [0073.298] GetTickCount () returned 0x1152af4 [0073.298] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.299] GetProcessHeap () returned 0x3a00000 [0073.299] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.299] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0073.300] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.300] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0073.300] GetProcessHeap () returned 0x3a00000 [0073.300] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.300] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.300] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.300] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.300] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.301] CloseHandle (hObject=0x440) returned 1 [0073.301] GetProcessHeap () returned 0x3a00000 [0073.301] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.301] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0073.301] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\393__Connections_Cellular_Slovak Telekom (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\393__connections_cellular_slovak telekom (slovakia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.301] GetProcessHeap () returned 0x3a00000 [0073.301] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.301] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e5a314, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e5a314, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="394__C~1.PRO")) returned 1 [0073.301] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.301] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.302] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.302] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.302] lstrcmpiW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.302] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml") returned 163 [0073.302] StrStrIW (lpFirst="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.302] lstrcmpW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.302] lstrcmpW (lpString1="394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.302] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.302] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.302] GetTickCount () returned 0x1152af4 [0073.302] GetTickCount () returned 0x1152af4 [0073.302] GetTickCount () returned 0x1152af4 [0073.303] GetTickCount () returned 0x1152af4 [0073.303] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.303] GetProcessHeap () returned 0x3a00000 [0073.303] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.303] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0073.326] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.327] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0073.327] GetProcessHeap () returned 0x3a00000 [0073.327] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.327] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.327] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.327] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.327] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.327] CloseHandle (hObject=0x440) returned 1 [0073.328] GetProcessHeap () returned 0x3a00000 [0073.328] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.328] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.328] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\394__Connections_Cellular_T-Mobile (Slovakia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\394__connections_cellular_t-mobile (slovakia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.329] GetProcessHeap () returned 0x3a00000 [0073.329] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.329] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="395__C~1.PRO")) returned 1 [0073.329] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.329] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.329] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.329] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.329] lstrcmpiW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.329] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml") returned 162 [0073.329] StrStrIW (lpFirst="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.329] lstrcmpW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.329] lstrcmpW (lpString1="395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.329] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.329] GetTickCount () returned 0x1152b14 [0073.329] GetTickCount () returned 0x1152b14 [0073.329] GetTickCount () returned 0x1152b14 [0073.330] GetTickCount () returned 0x1152b14 [0073.330] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.330] GetProcessHeap () returned 0x3a00000 [0073.330] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.330] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0073.331] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.331] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0073.331] GetProcessHeap () returned 0x3a00000 [0073.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.331] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.331] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.332] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.332] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.332] CloseHandle (hObject=0x440) returned 1 [0073.332] GetProcessHeap () returned 0x3a00000 [0073.332] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.332] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\395__Connections_Cellular_Mobitel (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\395__connections_cellular_mobitel (slovenia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.333] GetProcessHeap () returned 0x3a00000 [0073.333] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.333] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="396__C~1.PRO")) returned 1 [0073.333] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.333] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.333] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.333] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.333] lstrcmpiW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.333] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml") returned 163 [0073.333] StrStrIW (lpFirst="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.333] lstrcmpW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.333] lstrcmpW (lpString1="396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.333] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.333] GetTickCount () returned 0x1152b14 [0073.333] GetTickCount () returned 0x1152b14 [0073.333] GetTickCount () returned 0x1152b14 [0073.333] GetTickCount () returned 0x1152b14 [0073.333] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.334] GetProcessHeap () returned 0x3a00000 [0073.334] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.334] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.335] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.335] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.335] GetProcessHeap () returned 0x3a00000 [0073.335] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.335] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.336] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.336] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.336] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.336] CloseHandle (hObject=0x440) returned 1 [0073.336] GetProcessHeap () returned 0x3a00000 [0073.336] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.336] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\396__Connections_Cellular_Si.mobil (Slovenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\396__connections_cellular_si.mobil (slovenia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.337] GetProcessHeap () returned 0x3a00000 [0073.337] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.337] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="397__C~1.PRO")) returned 1 [0073.337] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.337] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.337] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.337] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.337] lstrcmpiW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.337] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.337] StrStrIW (lpFirst="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.337] lstrcmpW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.337] lstrcmpW (lpString1="397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.337] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.337] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.337] GetTickCount () returned 0x1152b14 [0073.337] GetTickCount () returned 0x1152b14 [0073.337] GetTickCount () returned 0x1152b14 [0073.337] GetTickCount () returned 0x1152b14 [0073.337] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.338] GetProcessHeap () returned 0x3a00000 [0073.338] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.338] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0073.339] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.339] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0073.339] GetProcessHeap () returned 0x3a00000 [0073.339] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.339] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.339] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.340] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.340] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.340] CloseHandle (hObject=0x440) returned 1 [0073.340] GetProcessHeap () returned 0x3a00000 [0073.340] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.340] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\397__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\397__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.341] GetProcessHeap () returned 0x3a00000 [0073.341] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.341] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90e80580, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90e80580, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90e80580, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="398__C~1.PRO")) returned 1 [0073.341] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.341] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.341] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.341] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.341] lstrcmpiW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.341] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml") returned 165 [0073.341] StrStrIW (lpFirst="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.341] lstrcmpW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.341] lstrcmpW (lpString1="398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.341] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.341] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.342] GetTickCount () returned 0x1152b14 [0073.342] GetTickCount () returned 0x1152b14 [0073.342] GetTickCount () returned 0x1152b14 [0073.342] GetTickCount () returned 0x1152b14 [0073.342] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.342] GetProcessHeap () returned 0x3a00000 [0073.342] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.342] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.343] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.344] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.344] GetProcessHeap () returned 0x3a00000 [0073.344] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.344] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.344] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.344] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.344] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.344] CloseHandle (hObject=0x440) returned 1 [0073.344] GetProcessHeap () returned 0x3a00000 [0073.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.344] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\398__Connections_Cellular_Cell-C (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\398__connections_cellular_cell-c (south africa)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.345] GetProcessHeap () returned 0x3a00000 [0073.345] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.345] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="399__C~1.PRO")) returned 1 [0073.345] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.345] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.345] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.345] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.345] lstrcmpiW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.345] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml") returned 175 [0073.345] StrStrIW (lpFirst="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.345] lstrcmpW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.345] lstrcmpW (lpString1="399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.346] GetTickCount () returned 0x1152b23 [0073.346] GetTickCount () returned 0x1152b23 [0073.346] GetTickCount () returned 0x1152b23 [0073.346] GetTickCount () returned 0x1152b23 [0073.346] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.346] GetProcessHeap () returned 0x3a00000 [0073.346] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.346] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0073.347] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.347] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0073.347] GetProcessHeap () returned 0x3a00000 [0073.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.347] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.348] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.348] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.348] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.348] CloseHandle (hObject=0x440) returned 1 [0073.348] GetProcessHeap () returned 0x3a00000 [0073.348] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.348] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0073.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\399__Connections_Cellular_MTN South Africa (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\399__connections_cellular_mtn south africa (south africa)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.349] GetProcessHeap () returned 0x3a00000 [0073.349] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.349] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="39__CO~1.PRO")) returned 1 [0073.349] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.349] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.349] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.349] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.349] lstrcmpiW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.349] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml") returned 159 [0073.349] StrStrIW (lpFirst="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.349] lstrcmpW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.349] lstrcmpW (lpString1="39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.349] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.349] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.349] GetTickCount () returned 0x1152b23 [0073.349] GetTickCount () returned 0x1152b23 [0073.349] GetTickCount () returned 0x1152b23 [0073.349] GetTickCount () returned 0x1152b23 [0073.349] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.350] GetProcessHeap () returned 0x3a00000 [0073.350] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.350] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.351] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.351] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.351] GetProcessHeap () returned 0x3a00000 [0073.351] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.351] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.351] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.351] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.351] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.351] CloseHandle (hObject=0x440) returned 1 [0073.352] GetProcessHeap () returned 0x3a00000 [0073.352] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.352] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\39__Connections_Cellular_VELCOM (Belarus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\39__connections_cellular_velcom (belarus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.352] GetProcessHeap () returned 0x3a00000 [0073.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.352] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900ca6de, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="3__CON~1.PRO")) returned 1 [0073.352] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.352] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.352] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.352] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.352] lstrcmpiW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.352] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml") returned 160 [0073.353] StrStrIW (lpFirst="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.353] lstrcmpW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.353] lstrcmpW (lpString1="3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.353] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.353] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.353] GetTickCount () returned 0x1152b23 [0073.353] GetTickCount () returned 0x1152b23 [0073.353] GetTickCount () returned 0x1152b23 [0073.353] GetTickCount () returned 0x1152b23 [0073.353] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.353] GetProcessHeap () returned 0x3a00000 [0073.353] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.353] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.355] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.355] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0073.355] GetProcessHeap () returned 0x3a00000 [0073.355] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.355] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.355] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.355] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.355] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.355] CloseHandle (hObject=0x440) returned 1 [0073.355] GetProcessHeap () returned 0x3a00000 [0073.355] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.355] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\3__Connections_Cellular_Wataniya (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\3__connections_cellular_wataniya (algeria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.356] GetProcessHeap () returned 0x3a00000 [0073.356] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.356] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", cAlternateFileName="400__C~1.PRO")) returned 1 [0073.356] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.356] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.356] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.356] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.356] lstrcmpiW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.356] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml") returned 169 [0073.356] StrStrIW (lpFirst="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.356] lstrcmpW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.356] lstrcmpW (lpString1="400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.356] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.356] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.357] GetTickCount () returned 0x1152b23 [0073.357] GetTickCount () returned 0x1152b23 [0073.357] GetTickCount () returned 0x1152b23 [0073.357] GetTickCount () returned 0x1152b23 [0073.357] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.357] GetProcessHeap () returned 0x3a00000 [0073.357] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.357] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0073.359] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.359] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0073.359] GetProcessHeap () returned 0x3a00000 [0073.359] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.359] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.359] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.359] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.359] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.359] CloseHandle (hObject=0x440) returned 1 [0073.359] GetProcessHeap () returned 0x3a00000 [0073.359] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.359] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0073.359] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\400__Connections_Cellular_Vodacom SA (South Africa)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\400__connections_cellular_vodacom sa (south africa)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.360] GetProcessHeap () returned 0x3a00000 [0073.360] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.360] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", cAlternateFileName="401__C~1.PRO")) returned 1 [0073.360] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.360] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.360] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.360] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.360] lstrcmpiW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.360] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml") returned 169 [0073.360] StrStrIW (lpFirst="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.360] lstrcmpW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.360] lstrcmpW (lpString1="401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.361] GetTickCount () returned 0x1152b33 [0073.361] GetTickCount () returned 0x1152b33 [0073.361] GetTickCount () returned 0x1152b33 [0073.361] GetTickCount () returned 0x1152b33 [0073.361] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.361] GetProcessHeap () returned 0x3a00000 [0073.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.361] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.380] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.380] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.380] GetProcessHeap () returned 0x3a00000 [0073.380] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.380] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.380] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.380] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.380] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.381] CloseHandle (hObject=0x440) returned 1 [0073.381] GetProcessHeap () returned 0x3a00000 [0073.381] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.381] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0073.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\401__Connections_Cellular_Vodacom SA (South Africa)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\401__connections_cellular_vodacom sa (south africa)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.382] GetProcessHeap () returned 0x3a00000 [0073.382] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.382] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ea67ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ea67ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ea67ef, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="402__C~1.PRO")) returned 1 [0073.382] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.382] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.382] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.382] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.382] lstrcmpiW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.382] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml") returned 160 [0073.382] StrStrIW (lpFirst="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.382] lstrcmpW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.382] lstrcmpW (lpString1="402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.382] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.383] GetTickCount () returned 0x1152b42 [0073.383] GetTickCount () returned 0x1152b42 [0073.383] GetTickCount () returned 0x1152b42 [0073.383] GetTickCount () returned 0x1152b42 [0073.383] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.383] GetProcessHeap () returned 0x3a00000 [0073.383] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.383] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.385] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.385] GetProcessHeap () returned 0x3a00000 [0073.385] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.385] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.385] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.385] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.385] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.385] CloseHandle (hObject=0x440) returned 1 [0073.385] GetProcessHeap () returned 0x3a00000 [0073.385] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.386] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.386] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\402__Connections_Cellular_Movistar (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\402__connections_cellular_movistar (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.386] GetProcessHeap () returned 0x3a00000 [0073.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.386] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", cAlternateFileName="403__C~1.PRO")) returned 1 [0073.386] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.386] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.386] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.386] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.386] lstrcmpiW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.386] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml") returned 160 [0073.386] StrStrIW (lpFirst="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.386] lstrcmpW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.387] lstrcmpW (lpString1="403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.387] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.387] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.387] GetTickCount () returned 0x1152b42 [0073.387] GetTickCount () returned 0x1152b42 [0073.387] GetTickCount () returned 0x1152b42 [0073.387] GetTickCount () returned 0x1152b42 [0073.387] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.387] GetProcessHeap () returned 0x3a00000 [0073.387] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.387] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0073.388] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.388] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0073.389] GetProcessHeap () returned 0x3a00000 [0073.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.389] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.389] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.389] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.389] CloseHandle (hObject=0x440) returned 1 [0073.389] GetProcessHeap () returned 0x3a00000 [0073.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.389] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.390] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\403__Connections_Cellular_Movistar (Spain)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\403__connections_cellular_movistar (spain)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.390] GetProcessHeap () returned 0x3a00000 [0073.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.390] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x201, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="404__C~1.PRO")) returned 1 [0073.390] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.390] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.390] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.390] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.390] lstrcmpiW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.390] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.390] StrStrIW (lpFirst="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.390] lstrcmpW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.391] lstrcmpW (lpString1="404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.391] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.391] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.391] GetTickCount () returned 0x1152b52 [0073.391] GetTickCount () returned 0x1152b52 [0073.391] GetTickCount () returned 0x1152b52 [0073.391] GetTickCount () returned 0x1152b52 [0073.391] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.392] GetProcessHeap () returned 0x3a00000 [0073.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.392] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x201, lpOverlapped=0x0) returned 1 [0073.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffdff, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x201, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x201, lpOverlapped=0x0) returned 1 [0073.393] GetProcessHeap () returned 0x3a00000 [0073.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.393] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.393] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.393] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.393] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.394] CloseHandle (hObject=0x440) returned 1 [0073.394] GetProcessHeap () returned 0x3a00000 [0073.394] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.394] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.394] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\404__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\404__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.394] GetProcessHeap () returned 0x3a00000 [0073.394] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.394] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="405__C~1.PRO")) returned 1 [0073.395] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.395] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.395] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.395] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.395] lstrcmpiW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.395] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.395] StrStrIW (lpFirst="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.395] lstrcmpW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.395] lstrcmpW (lpString1="405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.395] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.395] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.395] GetTickCount () returned 0x1152b52 [0073.395] GetTickCount () returned 0x1152b52 [0073.395] GetTickCount () returned 0x1152b52 [0073.395] GetTickCount () returned 0x1152b52 [0073.395] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.395] GetProcessHeap () returned 0x3a00000 [0073.395] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.395] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1dc, lpOverlapped=0x0) returned 1 [0073.396] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.396] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1dc, lpOverlapped=0x0) returned 1 [0073.397] GetProcessHeap () returned 0x3a00000 [0073.397] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.397] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.397] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.399] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.399] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.399] CloseHandle (hObject=0x440) returned 1 [0073.399] GetProcessHeap () returned 0x3a00000 [0073.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.399] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.399] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\405__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\405__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.400] GetProcessHeap () returned 0x3a00000 [0073.400] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.400] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x348, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="406__C~1.PRO")) returned 1 [0073.400] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.400] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.400] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.400] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.400] lstrcmpiW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.400] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml") returned 158 [0073.400] StrStrIW (lpFirst="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.400] lstrcmpW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.400] lstrcmpW (lpString1="406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.400] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.400] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.401] GetTickCount () returned 0x1152b52 [0073.401] GetTickCount () returned 0x1152b52 [0073.401] GetTickCount () returned 0x1152b52 [0073.401] GetTickCount () returned 0x1152b52 [0073.401] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.401] GetProcessHeap () returned 0x3a00000 [0073.401] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.401] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x348, lpOverlapped=0x0) returned 1 [0073.404] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.405] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x348, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x348, lpOverlapped=0x0) returned 1 [0073.405] GetProcessHeap () returned 0x3a00000 [0073.405] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.405] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.406] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.406] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.406] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.406] CloseHandle (hObject=0x440) returned 1 [0073.406] GetProcessHeap () returned 0x3a00000 [0073.406] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.406] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0073.406] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\406__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\406__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.407] GetProcessHeap () returned 0x3a00000 [0073.407] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.407] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ecca53, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ecca53, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ecca53, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="407__C~1.PRO")) returned 1 [0073.413] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.413] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.413] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.413] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.413] lstrcmpiW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.413] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml") returned 162 [0073.413] StrStrIW (lpFirst="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.413] lstrcmpW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.413] lstrcmpW (lpString1="407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.413] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.413] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.414] GetTickCount () returned 0x1152b62 [0073.414] GetTickCount () returned 0x1152b62 [0073.414] GetTickCount () returned 0x1152b62 [0073.414] GetTickCount () returned 0x1152b62 [0073.414] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.414] GetProcessHeap () returned 0x3a00000 [0073.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.414] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.415] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.415] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.415] GetProcessHeap () returned 0x3a00000 [0073.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.415] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.416] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.416] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.416] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.416] CloseHandle (hObject=0x440) returned 1 [0073.416] GetProcessHeap () returned 0x3a00000 [0073.416] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.416] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.416] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\407__Connections_Cellular_Telefonica (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\407__connections_cellular_telefonica (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.417] GetProcessHeap () returned 0x3a00000 [0073.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.417] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="408__C~1.PRO")) returned 1 [0073.417] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.417] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.417] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.417] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.417] lstrcmpiW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.417] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml") returned 163 [0073.417] StrStrIW (lpFirst="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.417] lstrcmpW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.417] lstrcmpW (lpString1="408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.417] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.417] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.417] GetTickCount () returned 0x1152b62 [0073.417] GetTickCount () returned 0x1152b62 [0073.417] GetTickCount () returned 0x1152b62 [0073.417] GetTickCount () returned 0x1152b62 [0073.417] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.418] GetProcessHeap () returned 0x3a00000 [0073.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.418] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0073.419] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.419] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0073.419] GetProcessHeap () returned 0x3a00000 [0073.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.419] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.419] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.419] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.420] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.420] CloseHandle (hObject=0x440) returned 1 [0073.420] GetProcessHeap () returned 0x3a00000 [0073.420] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.420] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.420] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\408__Connections_Cellular_vodafone ES (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\408__connections_cellular_vodafone es (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.421] GetProcessHeap () returned 0x3a00000 [0073.421] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.421] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", cAlternateFileName="409__C~1.PRO")) returned 1 [0073.421] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.421] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.421] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.421] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.421] lstrcmpiW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.421] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml") returned 163 [0073.421] StrStrIW (lpFirst="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.421] lstrcmpW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.421] lstrcmpW (lpString1="409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.421] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.421] GetTickCount () returned 0x1152b71 [0073.421] GetTickCount () returned 0x1152b71 [0073.422] GetTickCount () returned 0x1152b71 [0073.422] GetTickCount () returned 0x1152b71 [0073.422] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.422] GetProcessHeap () returned 0x3a00000 [0073.422] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.422] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.423] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.423] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.423] GetProcessHeap () returned 0x3a00000 [0073.423] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.423] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.423] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.424] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.424] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.424] CloseHandle (hObject=0x440) returned 1 [0073.424] GetProcessHeap () returned 0x3a00000 [0073.424] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.424] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.424] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\409__Connections_Cellular_vodafone ES (Spain)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\409__connections_cellular_vodafone es (spain)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.428] GetProcessHeap () returned 0x3a00000 [0073.428] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.428] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", cAlternateFileName="40__CO~1.PRO")) returned 1 [0073.428] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.428] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.428] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.428] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.428] lstrcmpiW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.428] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml") returned 159 [0073.428] StrStrIW (lpFirst="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.428] lstrcmpW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.428] lstrcmpW (lpString1="40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.428] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.428] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.429] GetTickCount () returned 0x1152b71 [0073.429] GetTickCount () returned 0x1152b71 [0073.429] GetTickCount () returned 0x1152b71 [0073.429] GetTickCount () returned 0x1152b71 [0073.429] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.429] GetProcessHeap () returned 0x3a00000 [0073.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.429] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.440] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.440] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.440] GetProcessHeap () returned 0x3a00000 [0073.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.440] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.440] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.440] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.440] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.440] CloseHandle (hObject=0x440) returned 1 [0073.440] GetProcessHeap () returned 0x3a00000 [0073.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.440] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\40__Connections_Cellular_VELCOM (Belarus)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\40__connections_cellular_velcom (belarus)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.441] GetProcessHeap () returned 0x3a00000 [0073.441] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.441] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", cAlternateFileName="410__C~1.PRO")) returned 1 [0073.441] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.441] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.441] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.441] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.441] lstrcmpiW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.441] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml") returned 163 [0073.441] StrStrIW (lpFirst="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.441] lstrcmpW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.441] lstrcmpW (lpString1="410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.442] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.442] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.442] GetTickCount () returned 0x1152b81 [0073.442] GetTickCount () returned 0x1152b81 [0073.442] GetTickCount () returned 0x1152b81 [0073.442] GetTickCount () returned 0x1152b81 [0073.442] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.442] GetProcessHeap () returned 0x3a00000 [0073.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.442] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.444] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.444] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.444] GetProcessHeap () returned 0x3a00000 [0073.444] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.444] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.444] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.444] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.444] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.444] CloseHandle (hObject=0x440) returned 1 [0073.444] GetProcessHeap () returned 0x3a00000 [0073.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.444] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\410__Connections_Cellular_vodafone ES (Spain)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\410__connections_cellular_vodafone es (spain)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.445] GetProcessHeap () returned 0x3a00000 [0073.445] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.445] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ef2cc3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ef2cc3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ef2cc3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="411__C~1.PRO")) returned 1 [0073.445] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.445] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.445] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.445] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.445] lstrcmpiW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.445] StrStrIW (lpFirst="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.445] lstrcmpW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.445] lstrcmpW (lpString1="411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.445] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.446] GetTickCount () returned 0x1152b81 [0073.446] GetTickCount () returned 0x1152b81 [0073.446] GetTickCount () returned 0x1152b81 [0073.446] GetTickCount () returned 0x1152b81 [0073.446] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.446] GetProcessHeap () returned 0x3a00000 [0073.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.446] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.447] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.447] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.447] GetProcessHeap () returned 0x3a00000 [0073.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.447] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.447] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.448] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.448] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.448] CloseHandle (hObject=0x440) returned 1 [0073.448] GetProcessHeap () returned 0x3a00000 [0073.448] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.448] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\411__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\411__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.449] GetProcessHeap () returned 0x3a00000 [0073.449] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.449] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="412__C~1.PRO")) returned 1 [0073.449] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.449] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.449] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.449] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.449] lstrcmpiW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.449] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml") returned 157 [0073.449] StrStrIW (lpFirst="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.449] lstrcmpW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.449] lstrcmpW (lpString1="412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.449] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.450] GetTickCount () returned 0x1152b81 [0073.450] GetTickCount () returned 0x1152b81 [0073.450] GetTickCount () returned 0x1152b81 [0073.450] GetTickCount () returned 0x1152b81 [0073.450] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.450] GetProcessHeap () returned 0x3a00000 [0073.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.450] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0073.451] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.451] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0073.452] GetProcessHeap () returned 0x3a00000 [0073.452] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.452] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.452] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.452] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.452] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.452] CloseHandle (hObject=0x440) returned 1 [0073.452] GetProcessHeap () returned 0x3a00000 [0073.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.452] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0073.452] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\412__Connections_Cellular_Yoigo (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\412__connections_cellular_yoigo (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.453] GetProcessHeap () returned 0x3a00000 [0073.453] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.453] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", cAlternateFileName="413__C~1.PRO")) returned 1 [0073.453] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.453] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.453] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.453] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.453] lstrcmpiW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.453] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml") returned 162 [0073.453] StrStrIW (lpFirst="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.453] lstrcmpW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.453] lstrcmpW (lpString1="413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.453] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.453] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.453] GetTickCount () returned 0x1152b91 [0073.453] GetTickCount () returned 0x1152b91 [0073.453] GetTickCount () returned 0x1152b91 [0073.453] GetTickCount () returned 0x1152b91 [0073.453] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.454] GetProcessHeap () returned 0x3a00000 [0073.454] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.454] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.455] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.455] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0073.455] GetProcessHeap () returned 0x3a00000 [0073.455] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.455] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.455] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.455] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.456] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.456] CloseHandle (hObject=0x440) returned 1 [0073.456] GetProcessHeap () returned 0x3a00000 [0073.456] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.456] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.456] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\413__Connections_Cellular_DIALOG (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\413__connections_cellular_dialog (sri lanka)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.457] GetProcessHeap () returned 0x3a00000 [0073.457] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.457] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", cAlternateFileName="414__C~1.PRO")) returned 1 [0073.457] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.457] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.457] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.457] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.457] lstrcmpiW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml") returned 162 [0073.457] StrStrIW (lpFirst="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.457] lstrcmpW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.457] lstrcmpW (lpString1="414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.457] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.457] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.457] GetTickCount () returned 0x1152b91 [0073.457] GetTickCount () returned 0x1152b91 [0073.457] GetTickCount () returned 0x1152b91 [0073.457] GetTickCount () returned 0x1152b91 [0073.457] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.457] GetProcessHeap () returned 0x3a00000 [0073.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.457] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.459] GetProcessHeap () returned 0x3a00000 [0073.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.459] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.459] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.459] CloseHandle (hObject=0x440) returned 1 [0073.459] GetProcessHeap () returned 0x3a00000 [0073.460] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.460] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\414__Connections_Cellular_DIALOG (Sri Lanka)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\414__connections_cellular_dialog (sri lanka)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.460] GetProcessHeap () returned 0x3a00000 [0073.460] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.460] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x280, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", cAlternateFileName="415__C~1.PRO")) returned 1 [0073.460] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.460] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.460] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.460] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.460] lstrcmpiW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.460] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml") returned 163 [0073.460] StrStrIW (lpFirst="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.460] lstrcmpW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.461] lstrcmpW (lpString1="415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.461] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.461] GetTickCount () returned 0x1152b91 [0073.461] GetTickCount () returned 0x1152b91 [0073.461] GetTickCount () returned 0x1152b91 [0073.461] GetTickCount () returned 0x1152b91 [0073.461] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.462] GetProcessHeap () returned 0x3a00000 [0073.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.462] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0073.463] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.463] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x280, lpOverlapped=0x0) returned 1 [0073.463] GetProcessHeap () returned 0x3a00000 [0073.463] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.463] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.463] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.463] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.463] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.464] CloseHandle (hObject=0x440) returned 1 [0073.464] GetProcessHeap () returned 0x3a00000 [0073.464] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.464] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\415__Connections_Cellular_Mobitel (Sri Lanka)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\415__connections_cellular_mobitel (sri lanka)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.464] GetProcessHeap () returned 0x3a00000 [0073.464] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.464] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f18f32, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f18f32, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f18f32, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="416__C~1.PRO")) returned 1 [0073.465] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.465] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.465] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.465] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.465] lstrcmpiW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.465] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml") returned 156 [0073.465] StrStrIW (lpFirst="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.465] lstrcmpW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.465] lstrcmpW (lpString1="416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.465] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.465] GetTickCount () returned 0x1152b91 [0073.465] GetTickCount () returned 0x1152b91 [0073.465] GetTickCount () returned 0x1152b91 [0073.465] GetTickCount () returned 0x1152b91 [0073.465] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.465] GetProcessHeap () returned 0x3a00000 [0073.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.465] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27e, lpOverlapped=0x0) returned 1 [0073.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27e, lpOverlapped=0x0) returned 1 [0073.484] GetProcessHeap () returned 0x3a00000 [0073.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.484] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.484] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.484] CloseHandle (hObject=0x440) returned 1 [0073.484] GetProcessHeap () returned 0x3a00000 [0073.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.484] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0073.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\416__Connections_Cellular_Zain (Sudan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\416__connections_cellular_zain (sudan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.485] GetProcessHeap () returned 0x3a00000 [0073.485] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.485] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="417__C~1.PRO")) returned 1 [0073.485] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.485] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.485] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.486] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.486] lstrcmpiW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.486] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml") returned 160 [0073.486] StrStrIW (lpFirst="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.486] lstrcmpW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.486] lstrcmpW (lpString1="417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.486] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.486] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.486] GetTickCount () returned 0x1152bb0 [0073.486] GetTickCount () returned 0x1152bb0 [0073.486] GetTickCount () returned 0x1152bb0 [0073.486] GetTickCount () returned 0x1152bb0 [0073.486] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.486] GetProcessHeap () returned 0x3a00000 [0073.486] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.486] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.488] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.488] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.488] GetProcessHeap () returned 0x3a00000 [0073.488] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.488] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.488] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.488] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.488] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.488] CloseHandle (hObject=0x440) returned 1 [0073.489] GetProcessHeap () returned 0x3a00000 [0073.489] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.489] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.489] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\417__Connections_Cellular_Halebop (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\417__connections_cellular_halebop (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.489] GetProcessHeap () returned 0x3a00000 [0073.489] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.489] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="418__C~1.PRO")) returned 1 [0073.489] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.489] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.489] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.489] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.489] lstrcmpiW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.489] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml") returned 154 [0073.489] StrStrIW (lpFirst="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.490] lstrcmpW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.490] lstrcmpW (lpString1="418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.490] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.490] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.490] GetTickCount () returned 0x1152bb0 [0073.490] GetTickCount () returned 0x1152bb0 [0073.490] GetTickCount () returned 0x1152bb0 [0073.490] GetTickCount () returned 0x1152bb0 [0073.490] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.490] GetProcessHeap () returned 0x3a00000 [0073.490] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.490] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0073.502] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.502] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0073.502] GetProcessHeap () returned 0x3a00000 [0073.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.503] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.503] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.503] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.503] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.503] CloseHandle (hObject=0x440) returned 1 [0073.503] GetProcessHeap () returned 0x3a00000 [0073.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.503] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0073.503] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\418__Connections_Cellular_3 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\418__connections_cellular_3 (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.504] GetProcessHeap () returned 0x3a00000 [0073.504] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.504] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", cAlternateFileName="419__C~1.PRO")) returned 1 [0073.504] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.504] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.504] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.504] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.504] lstrcmpiW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.504] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml") returned 154 [0073.504] StrStrIW (lpFirst="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.504] lstrcmpW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.504] lstrcmpW (lpString1="419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.504] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.504] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.505] GetTickCount () returned 0x1152bbf [0073.505] GetTickCount () returned 0x1152bbf [0073.505] GetTickCount () returned 0x1152bbf [0073.505] GetTickCount () returned 0x1152bbf [0073.505] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.505] GetProcessHeap () returned 0x3a00000 [0073.505] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.505] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0073.506] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.506] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0073.507] GetProcessHeap () returned 0x3a00000 [0073.507] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.507] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.507] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.507] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.507] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.507] CloseHandle (hObject=0x440) returned 1 [0073.507] GetProcessHeap () returned 0x3a00000 [0073.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.507] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0073.507] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\419__Connections_Cellular_3 (Sweden)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\419__connections_cellular_3 (sweden)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.508] GetProcessHeap () returned 0x3a00000 [0073.508] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.508] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90221ca6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90221ca6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90221ca6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", cAlternateFileName="41__CO~1.PRO")) returned 1 [0073.508] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.508] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.508] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.508] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.508] lstrcmpiW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.508] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml") returned 159 [0073.508] StrStrIW (lpFirst="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.508] lstrcmpW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.508] lstrcmpW (lpString1="41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.508] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.508] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] GetTickCount () returned 0x1152bbf [0073.509] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.509] GetProcessHeap () returned 0x3a00000 [0073.509] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.509] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.510] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.510] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.510] GetProcessHeap () returned 0x3a00000 [0073.510] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.510] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.510] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.511] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.511] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.511] CloseHandle (hObject=0x440) returned 1 [0073.511] GetProcessHeap () returned 0x3a00000 [0073.511] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.511] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\41__Connections_Cellular_VELCOM (Belarus)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\41__connections_cellular_velcom (belarus)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.512] GetProcessHeap () returned 0x3a00000 [0073.512] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.512] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="420__C~1.PRO")) returned 1 [0073.512] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.512] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.512] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.512] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.512] lstrcmpiW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.512] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.512] StrStrIW (lpFirst="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.512] lstrcmpW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.512] lstrcmpW (lpString1="420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.512] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.512] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.512] GetTickCount () returned 0x1152bbf [0073.512] GetTickCount () returned 0x1152bbf [0073.512] GetTickCount () returned 0x1152bbf [0073.512] GetTickCount () returned 0x1152bbf [0073.513] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.513] GetProcessHeap () returned 0x3a00000 [0073.513] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.513] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1de, lpOverlapped=0x0) returned 1 [0073.514] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe22, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.514] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1de, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1de, lpOverlapped=0x0) returned 1 [0073.514] GetProcessHeap () returned 0x3a00000 [0073.514] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.514] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.514] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.515] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.515] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.515] CloseHandle (hObject=0x440) returned 1 [0073.515] GetProcessHeap () returned 0x3a00000 [0073.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.515] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\420__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\420__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.516] GetProcessHeap () returned 0x3a00000 [0073.516] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.516] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f3f19a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f3f19a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f3f19a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="421__C~1.PRO")) returned 1 [0073.516] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.516] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.516] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.517] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.517] lstrcmpiW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.517] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml") returned 163 [0073.517] StrStrIW (lpFirst="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.517] lstrcmpW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.517] lstrcmpW (lpString1="421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.517] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.517] GetTickCount () returned 0x1152bcf [0073.517] GetTickCount () returned 0x1152bcf [0073.517] GetTickCount () returned 0x1152bcf [0073.517] GetTickCount () returned 0x1152bcf [0073.517] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.517] GetProcessHeap () returned 0x3a00000 [0073.517] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.517] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.519] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.519] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.519] GetProcessHeap () returned 0x3a00000 [0073.519] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.519] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.519] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.519] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.519] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.519] CloseHandle (hObject=0x440) returned 1 [0073.519] GetProcessHeap () returned 0x3a00000 [0073.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.519] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\421__Connections_Cellular_TDC Sweden (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\421__connections_cellular_tdc sweden (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.520] GetProcessHeap () returned 0x3a00000 [0073.520] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.520] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="422__C~1.PRO")) returned 1 [0073.520] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.520] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.520] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.520] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.520] lstrcmpiW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.520] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml") returned 158 [0073.520] StrStrIW (lpFirst="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.520] lstrcmpW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.520] lstrcmpW (lpString1="422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.521] GetTickCount () returned 0x1152bcf [0073.521] GetTickCount () returned 0x1152bcf [0073.521] GetTickCount () returned 0x1152bcf [0073.521] GetTickCount () returned 0x1152bcf [0073.522] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.522] GetProcessHeap () returned 0x3a00000 [0073.522] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.522] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.523] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.523] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.524] GetProcessHeap () returned 0x3a00000 [0073.524] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.524] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.524] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.524] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.524] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.524] CloseHandle (hObject=0x440) returned 1 [0073.524] GetProcessHeap () returned 0x3a00000 [0073.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.524] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0073.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\422__Connections_Cellular_Tele2 (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\422__connections_cellular_tele2 (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.525] GetProcessHeap () returned 0x3a00000 [0073.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.525] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="423__C~1.PRO")) returned 1 [0073.528] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.528] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.528] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.528] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.528] lstrcmpiW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.528] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml") returned 160 [0073.528] StrStrIW (lpFirst="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.528] lstrcmpW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.528] lstrcmpW (lpString1="423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.528] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.528] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.528] GetTickCount () returned 0x1152bcf [0073.528] GetTickCount () returned 0x1152bcf [0073.528] GetTickCount () returned 0x1152bcf [0073.528] GetTickCount () returned 0x1152bcf [0073.529] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.529] GetProcessHeap () returned 0x3a00000 [0073.529] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.529] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28d, lpOverlapped=0x0) returned 1 [0073.530] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd73, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.530] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28d, lpOverlapped=0x0) returned 1 [0073.531] GetProcessHeap () returned 0x3a00000 [0073.531] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.531] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.531] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.531] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.531] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.531] CloseHandle (hObject=0x440) returned 1 [0073.531] GetProcessHeap () returned 0x3a00000 [0073.531] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.531] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.531] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\423__Connections_Cellular_Telenor (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\423__connections_cellular_telenor (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.533] GetProcessHeap () returned 0x3a00000 [0073.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.533] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f65464, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f65464, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f65464, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", cAlternateFileName="424__C~1.PRO")) returned 1 [0073.533] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.533] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.533] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.533] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.534] lstrcmpiW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.534] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml") returned 158 [0073.534] StrStrIW (lpFirst="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.534] lstrcmpW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.534] lstrcmpW (lpString1="424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.534] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.534] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.534] GetTickCount () returned 0x1152bee [0073.534] GetTickCount () returned 0x1152bee [0073.534] GetTickCount () returned 0x1152bee [0073.534] GetTickCount () returned 0x1152bee [0073.534] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.534] GetProcessHeap () returned 0x3a00000 [0073.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.534] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.536] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.536] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.536] GetProcessHeap () returned 0x3a00000 [0073.536] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.536] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.536] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.537] CloseHandle (hObject=0x440) returned 1 [0073.537] GetProcessHeap () returned 0x3a00000 [0073.537] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.537] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0073.537] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\424__Connections_Cellular_Telia (Sweden)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\424__connections_cellular_telia (sweden)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.538] GetProcessHeap () returned 0x3a00000 [0073.538] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.538] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="425__C~1.PRO")) returned 1 [0073.538] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.538] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.538] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.538] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.538] lstrcmpiW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.538] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml") returned 164 [0073.538] StrStrIW (lpFirst="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.538] lstrcmpW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.538] lstrcmpW (lpString1="425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.538] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.538] GetTickCount () returned 0x1152bee [0073.538] GetTickCount () returned 0x1152bee [0073.538] GetTickCount () returned 0x1152bee [0073.538] GetTickCount () returned 0x1152bee [0073.538] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.539] GetProcessHeap () returned 0x3a00000 [0073.539] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.539] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.540] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.540] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.540] GetProcessHeap () returned 0x3a00000 [0073.540] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.540] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.540] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.540] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.560] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.560] CloseHandle (hObject=0x440) returned 1 [0073.561] GetProcessHeap () returned 0x3a00000 [0073.561] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.561] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.561] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\425__Connections_Cellular_Orange (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\425__connections_cellular_orange (switzerland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.562] GetProcessHeap () returned 0x3a00000 [0073.562] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.562] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="426__C~1.PRO")) returned 1 [0073.562] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.562] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.562] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.562] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.562] lstrcmpiW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.562] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml") returned 164 [0073.562] StrStrIW (lpFirst="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.562] lstrcmpW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.562] lstrcmpW (lpString1="426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.562] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.562] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.563] GetTickCount () returned 0x1152bfe [0073.563] GetTickCount () returned 0x1152bfe [0073.563] GetTickCount () returned 0x1152bfe [0073.563] GetTickCount () returned 0x1152bfe [0073.563] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.563] GetProcessHeap () returned 0x3a00000 [0073.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.563] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.564] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.564] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0073.564] GetProcessHeap () returned 0x3a00000 [0073.564] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.564] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.565] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.565] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.565] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.565] CloseHandle (hObject=0x440) returned 1 [0073.565] GetProcessHeap () returned 0x3a00000 [0073.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.565] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.565] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\426__Connections_Cellular_Orange (Switzerland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\426__connections_cellular_orange (switzerland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.566] GetProcessHeap () returned 0x3a00000 [0073.566] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.566] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="427__C~1.PRO")) returned 1 [0073.566] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.566] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.566] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.566] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.566] lstrcmpiW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml") returned 165 [0073.566] StrStrIW (lpFirst="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.566] lstrcmpW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.566] lstrcmpW (lpString1="427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.566] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.566] GetTickCount () returned 0x1152bfe [0073.566] GetTickCount () returned 0x1152bfe [0073.567] GetTickCount () returned 0x1152bfe [0073.567] GetTickCount () returned 0x1152bfe [0073.567] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.567] GetProcessHeap () returned 0x3a00000 [0073.567] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.567] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.568] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.568] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.568] GetProcessHeap () returned 0x3a00000 [0073.568] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.568] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.568] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.569] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.569] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.569] CloseHandle (hObject=0x440) returned 1 [0073.569] GetProcessHeap () returned 0x3a00000 [0073.569] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.569] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\427__Connections_Cellular_Sunrise (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\427__connections_cellular_sunrise (switzerland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.570] GetProcessHeap () returned 0x3a00000 [0073.570] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.570] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="428__C~1.PRO")) returned 1 [0073.570] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.570] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.570] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.570] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.570] lstrcmpiW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.570] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml") returned 166 [0073.570] StrStrIW (lpFirst="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.570] lstrcmpW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.570] lstrcmpW (lpString1="428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.570] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.570] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.570] GetTickCount () returned 0x1152bfe [0073.570] GetTickCount () returned 0x1152bfe [0073.570] GetTickCount () returned 0x1152bfe [0073.570] GetTickCount () returned 0x1152bfe [0073.570] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.571] GetProcessHeap () returned 0x3a00000 [0073.571] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.571] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.572] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.572] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.572] GetProcessHeap () returned 0x3a00000 [0073.572] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.572] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.572] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.572] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.572] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.573] CloseHandle (hObject=0x440) returned 1 [0073.573] GetProcessHeap () returned 0x3a00000 [0073.573] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.573] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0073.573] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\428__Connections_Cellular_Swisscom (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\428__connections_cellular_swisscom (switzerland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.574] GetProcessHeap () returned 0x3a00000 [0073.574] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.574] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90f8b671, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90f8b671, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90f8b671, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="429__C~1.PRO")) returned 1 [0073.574] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.574] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.574] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.574] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.574] lstrcmpiW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.574] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml") returned 163 [0073.574] StrStrIW (lpFirst="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.574] lstrcmpW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.574] lstrcmpW (lpString1="429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.574] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.574] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.574] GetTickCount () returned 0x1152bfe [0073.574] GetTickCount () returned 0x1152bfe [0073.574] GetTickCount () returned 0x1152bfe [0073.574] GetTickCount () returned 0x1152bfe [0073.574] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.574] GetProcessHeap () returned 0x3a00000 [0073.574] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.575] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0073.576] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.576] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0073.576] GetProcessHeap () returned 0x3a00000 [0073.576] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.576] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.576] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.577] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.577] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.577] CloseHandle (hObject=0x440) returned 1 [0073.577] GetProcessHeap () returned 0x3a00000 [0073.577] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.577] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\429__Connections_Cellular_Tele2 (Switzerland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\429__connections_cellular_tele2 (switzerland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.577] GetProcessHeap () returned 0x3a00000 [0073.577] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.578] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", cAlternateFileName="42__CO~1.PRO")) returned 1 [0073.578] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.578] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.578] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.578] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.578] lstrcmpiW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.578] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml") returned 159 [0073.578] StrStrIW (lpFirst="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.578] lstrcmpW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.578] lstrcmpW (lpString1="42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.578] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.578] GetTickCount () returned 0x1152c0e [0073.578] GetTickCount () returned 0x1152c0e [0073.578] GetTickCount () returned 0x1152c0e [0073.578] GetTickCount () returned 0x1152c0e [0073.578] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.578] GetProcessHeap () returned 0x3a00000 [0073.578] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.578] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.580] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.580] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0073.580] GetProcessHeap () returned 0x3a00000 [0073.580] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.580] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.580] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.580] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.581] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.581] CloseHandle (hObject=0x440) returned 1 [0073.581] GetProcessHeap () returned 0x3a00000 [0073.581] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.581] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.581] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\42__Connections_Cellular_VELCOM (Belarus)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\42__connections_cellular_velcom (belarus)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.581] GetProcessHeap () returned 0x3a00000 [0073.581] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.581] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="430__C~1.PRO")) returned 1 [0073.582] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.582] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.582] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.582] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.582] lstrcmpiW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.582] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml") returned 155 [0073.582] StrStrIW (lpFirst="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.582] lstrcmpW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.582] lstrcmpW (lpString1="430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.582] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.582] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.582] GetTickCount () returned 0x1152c0e [0073.582] GetTickCount () returned 0x1152c0e [0073.582] GetTickCount () returned 0x1152c0e [0073.582] GetTickCount () returned 0x1152c0e [0073.582] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.582] GetProcessHeap () returned 0x3a00000 [0073.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.582] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27d, lpOverlapped=0x0) returned 1 [0073.584] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.584] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27d, lpOverlapped=0x0) returned 1 [0073.584] GetProcessHeap () returned 0x3a00000 [0073.584] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.584] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.584] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.584] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.584] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.584] CloseHandle (hObject=0x440) returned 1 [0073.584] GetProcessHeap () returned 0x3a00000 [0073.584] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.584] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0073.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\430__Connections_Cellular_MTN (Syria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\430__connections_cellular_mtn (syria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.585] GetProcessHeap () returned 0x3a00000 [0073.585] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.585] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="431__C~1.PRO")) returned 1 [0073.585] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.585] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.585] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.585] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.585] lstrcmpiW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.585] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml") returned 160 [0073.585] StrStrIW (lpFirst="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.586] lstrcmpW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.586] lstrcmpW (lpString1="431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.586] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.586] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.586] GetTickCount () returned 0x1152c0e [0073.586] GetTickCount () returned 0x1152c0e [0073.586] GetTickCount () returned 0x1152c0e [0073.586] GetTickCount () returned 0x1152c0e [0073.586] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.586] GetProcessHeap () returned 0x3a00000 [0073.586] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.586] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.587] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.587] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.588] GetProcessHeap () returned 0x3a00000 [0073.588] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.588] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.588] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.588] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.588] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.588] CloseHandle (hObject=0x440) returned 1 [0073.588] GetProcessHeap () returned 0x3a00000 [0073.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.588] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\431__Connections_Cellular_SyriaTel (Syria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\431__connections_cellular_syriatel (syria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.589] GetProcessHeap () returned 0x3a00000 [0073.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.589] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="432__C~1.PRO")) returned 1 [0073.589] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.589] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.589] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.589] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.589] lstrcmpiW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.589] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml") returned 161 [0073.589] StrStrIW (lpFirst="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.589] lstrcmpW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.589] lstrcmpW (lpString1="432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.590] GetTickCount () returned 0x1152c0e [0073.590] GetTickCount () returned 0x1152c0e [0073.590] GetTickCount () returned 0x1152c0e [0073.590] GetTickCount () returned 0x1152c0e [0073.590] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.590] GetProcessHeap () returned 0x3a00000 [0073.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.590] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.592] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.592] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.592] GetProcessHeap () returned 0x3a00000 [0073.592] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.592] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.592] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.592] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.592] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.592] CloseHandle (hObject=0x440) returned 1 [0073.592] GetProcessHeap () returned 0x3a00000 [0073.592] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.592] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\432__Connections_Cellular_Chunghwa (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\432__connections_cellular_chunghwa (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.593] GetProcessHeap () returned 0x3a00000 [0073.593] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.593] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fb18e0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fb18e0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fb18e0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x344, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="433__C~1.PRO")) returned 1 [0073.593] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.593] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.593] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.593] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.593] lstrcmpiW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.593] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml") returned 161 [0073.593] StrStrIW (lpFirst="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.593] lstrcmpW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.593] lstrcmpW (lpString1="433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.594] GetTickCount () returned 0x1152c1d [0073.594] GetTickCount () returned 0x1152c1d [0073.594] GetTickCount () returned 0x1152c1d [0073.594] GetTickCount () returned 0x1152c1d [0073.594] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.594] GetProcessHeap () returned 0x3a00000 [0073.594] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.594] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x344, lpOverlapped=0x0) returned 1 [0073.605] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcbc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.605] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x344, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x344, lpOverlapped=0x0) returned 1 [0073.606] GetProcessHeap () returned 0x3a00000 [0073.606] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.606] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.606] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.606] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.606] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.606] CloseHandle (hObject=0x440) returned 1 [0073.607] GetProcessHeap () returned 0x3a00000 [0073.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.607] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.607] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\433__Connections_Cellular_Chunghwa (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\433__connections_cellular_chunghwa (taiwan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.608] GetProcessHeap () returned 0x3a00000 [0073.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.608] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="434__C~1.PRO")) returned 1 [0073.608] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.608] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.608] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.608] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.608] lstrcmpiW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.608] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml") returned 160 [0073.608] StrStrIW (lpFirst="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.608] lstrcmpW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.608] lstrcmpW (lpString1="434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.608] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.608] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.608] GetTickCount () returned 0x1152c2d [0073.608] GetTickCount () returned 0x1152c2d [0073.608] GetTickCount () returned 0x1152c2d [0073.608] GetTickCount () returned 0x1152c2d [0073.608] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.609] GetProcessHeap () returned 0x3a00000 [0073.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.609] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0073.610] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd81, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.610] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27f, lpOverlapped=0x0) returned 1 [0073.610] GetProcessHeap () returned 0x3a00000 [0073.610] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.610] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.610] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.610] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.610] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.611] CloseHandle (hObject=0x440) returned 1 [0073.611] GetProcessHeap () returned 0x3a00000 [0073.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.611] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.611] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\434__Connections_Cellular_MoBiTai (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\434__connections_cellular_mobitai (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.611] GetProcessHeap () returned 0x3a00000 [0073.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="435__C~1.PRO")) returned 1 [0073.611] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.612] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.612] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.612] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.612] lstrcmpiW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.612] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml") returned 166 [0073.612] StrStrIW (lpFirst="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.612] lstrcmpW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.612] lstrcmpW (lpString1="435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.612] GetTickCount () returned 0x1152c2d [0073.612] GetTickCount () returned 0x1152c2d [0073.612] GetTickCount () returned 0x1152c2d [0073.612] GetTickCount () returned 0x1152c2d [0073.612] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.612] GetProcessHeap () returned 0x3a00000 [0073.612] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.612] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.614] GetProcessHeap () returned 0x3a00000 [0073.614] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.614] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.614] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.614] CloseHandle (hObject=0x440) returned 1 [0073.614] GetProcessHeap () returned 0x3a00000 [0073.614] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.614] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0073.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\435__Connections_Cellular_Taiwan Mobile (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\435__connections_cellular_taiwan mobile (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.615] GetProcessHeap () returned 0x3a00000 [0073.615] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.615] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="436__C~1.PRO")) returned 1 [0073.615] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.615] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.615] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.615] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.615] lstrcmpiW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.615] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.615] StrStrIW (lpFirst="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.615] lstrcmpW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.616] lstrcmpW (lpString1="436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.616] GetTickCount () returned 0x1152c2d [0073.616] GetTickCount () returned 0x1152c2d [0073.616] GetTickCount () returned 0x1152c2d [0073.616] GetTickCount () returned 0x1152c2d [0073.616] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.616] GetProcessHeap () returned 0x3a00000 [0073.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.616] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1f2, lpOverlapped=0x0) returned 1 [0073.617] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe0e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.618] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1f2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1f2, lpOverlapped=0x0) returned 1 [0073.618] GetProcessHeap () returned 0x3a00000 [0073.618] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.618] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.618] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.618] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.618] CloseHandle (hObject=0x440) returned 1 [0073.618] GetProcessHeap () returned 0x3a00000 [0073.618] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.618] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.618] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\436__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\436__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.619] GetProcessHeap () returned 0x3a00000 [0073.619] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.619] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90fd7b44, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90fd7b44, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90fd7b44, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x284, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="437__C~1.PRO")) returned 1 [0073.619] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.619] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.619] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.619] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.619] lstrcmpiW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.619] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml") returned 162 [0073.619] StrStrIW (lpFirst="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.619] lstrcmpW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.619] lstrcmpW (lpString1="437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.619] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.619] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.620] GetTickCount () returned 0x1152c2d [0073.620] GetTickCount () returned 0x1152c2d [0073.620] GetTickCount () returned 0x1152c2d [0073.620] GetTickCount () returned 0x1152c2d [0073.620] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.620] GetProcessHeap () returned 0x3a00000 [0073.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.620] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0073.621] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.621] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x284, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x284, lpOverlapped=0x0) returned 1 [0073.622] GetProcessHeap () returned 0x3a00000 [0073.622] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.622] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.623] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.623] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.623] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.623] CloseHandle (hObject=0x440) returned 1 [0073.623] GetProcessHeap () returned 0x3a00000 [0073.623] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.623] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\437__Connections_Cellular_TransAsia (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\437__connections_cellular_transasia (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.627] GetProcessHeap () returned 0x3a00000 [0073.627] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.627] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="438__C~1.PRO")) returned 1 [0073.627] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.627] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.627] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.627] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.627] lstrcmpiW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.627] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml") returned 165 [0073.627] StrStrIW (lpFirst="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.627] lstrcmpW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.627] lstrcmpW (lpString1="438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.627] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.627] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.628] GetTickCount () returned 0x1152c3c [0073.628] GetTickCount () returned 0x1152c3c [0073.628] GetTickCount () returned 0x1152c3c [0073.628] GetTickCount () returned 0x1152c3c [0073.628] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.628] GetProcessHeap () returned 0x3a00000 [0073.628] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.628] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.629] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.629] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.629] GetProcessHeap () returned 0x3a00000 [0073.629] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.629] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.629] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.630] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.630] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.630] CloseHandle (hObject=0x440) returned 1 [0073.630] GetProcessHeap () returned 0x3a00000 [0073.630] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.630] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.630] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\438__Connections_Cellular_VIBO Telecom (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\438__connections_cellular_vibo telecom (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.631] GetProcessHeap () returned 0x3a00000 [0073.631] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.631] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="439__C~1.PRO")) returned 1 [0073.632] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.632] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.632] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.632] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.632] lstrcmpiW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.632] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml") returned 165 [0073.632] StrStrIW (lpFirst="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.632] lstrcmpW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.632] lstrcmpW (lpString1="439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.632] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.632] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.633] GetTickCount () returned 0x1152c3c [0073.633] GetTickCount () returned 0x1152c3c [0073.633] GetTickCount () returned 0x1152c3c [0073.633] GetTickCount () returned 0x1152c3c [0073.633] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.633] GetProcessHeap () returned 0x3a00000 [0073.633] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.633] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0073.634] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.634] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0073.634] GetProcessHeap () returned 0x3a00000 [0073.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.635] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.635] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.635] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.635] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.635] CloseHandle (hObject=0x440) returned 1 [0073.635] GetProcessHeap () returned 0x3a00000 [0073.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.635] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.635] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\439__Connections_Cellular_VIBO Telecom (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\439__connections_cellular_vibo telecom (taiwan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.636] GetProcessHeap () returned 0x3a00000 [0073.636] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.636] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", cAlternateFileName="43__CO~1.PRO")) returned 1 [0073.636] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.636] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.636] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.636] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.636] lstrcmpiW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.636] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml") returned 159 [0073.636] StrStrIW (lpFirst="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.636] lstrcmpW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.636] lstrcmpW (lpString1="43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.636] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.636] GetTickCount () returned 0x1152c3c [0073.636] GetTickCount () returned 0x1152c3c [0073.636] GetTickCount () returned 0x1152c3c [0073.636] GetTickCount () returned 0x1152c3c [0073.637] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.637] GetProcessHeap () returned 0x3a00000 [0073.637] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.637] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.638] GetProcessHeap () returned 0x3a00000 [0073.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.638] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.638] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.639] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.639] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.639] CloseHandle (hObject=0x440) returned 1 [0073.639] GetProcessHeap () returned 0x3a00000 [0073.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.639] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\43__Connections_Cellular_VELCOM (Belarus)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\43__connections_cellular_velcom (belarus)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.640] GetProcessHeap () returned 0x3a00000 [0073.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.640] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", cAlternateFileName="440__C~1.PRO")) returned 1 [0073.640] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.640] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.640] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.640] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.640] lstrcmpiW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.640] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml") returned 165 [0073.640] StrStrIW (lpFirst="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.640] lstrcmpW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.640] lstrcmpW (lpString1="440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.640] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.640] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.640] GetTickCount () returned 0x1152c4c [0073.640] GetTickCount () returned 0x1152c4c [0073.640] GetTickCount () returned 0x1152c4c [0073.640] GetTickCount () returned 0x1152c4c [0073.640] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.640] GetProcessHeap () returned 0x3a00000 [0073.640] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.641] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0073.647] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.647] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0073.647] GetProcessHeap () returned 0x3a00000 [0073.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.647] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.647] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.647] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.647] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.647] CloseHandle (hObject=0x440) returned 1 [0073.648] GetProcessHeap () returned 0x3a00000 [0073.648] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.648] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0073.648] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\440__Connections_Cellular_VIBO Telecom (Taiwan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\440__connections_cellular_vibo telecom (taiwan)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.648] GetProcessHeap () returned 0x3a00000 [0073.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.648] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="441__C~1.PRO")) returned 1 [0073.649] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.649] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.649] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.649] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.649] lstrcmpiW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.649] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.649] StrStrIW (lpFirst="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.649] lstrcmpW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.649] lstrcmpW (lpString1="441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.649] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.649] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.649] GetTickCount () returned 0x1152c4c [0073.649] GetTickCount () returned 0x1152c4c [0073.649] GetTickCount () returned 0x1152c4c [0073.649] GetTickCount () returned 0x1152c4c [0073.649] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.649] GetProcessHeap () returned 0x3a00000 [0073.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.649] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0073.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cc, lpOverlapped=0x0) returned 1 [0073.651] GetProcessHeap () returned 0x3a00000 [0073.651] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.651] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.651] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.651] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.651] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.651] CloseHandle (hObject=0x440) returned 1 [0073.652] GetProcessHeap () returned 0x3a00000 [0073.652] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.652] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\441__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\441__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.652] GetProcessHeap () returned 0x3a00000 [0073.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.652] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="442__C~1.PRO")) returned 1 [0073.652] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.653] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.653] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.653] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.653] lstrcmpiW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.653] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml") returned 171 [0073.653] StrStrIW (lpFirst="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.653] lstrcmpW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.653] lstrcmpW (lpString1="442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.653] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.653] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.653] GetTickCount () returned 0x1152c5c [0073.653] GetTickCount () returned 0x1152c5c [0073.653] GetTickCount () returned 0x1152c5c [0073.653] GetTickCount () returned 0x1152c5c [0073.654] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.654] GetProcessHeap () returned 0x3a00000 [0073.654] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.654] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0073.655] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.655] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0073.655] GetProcessHeap () returned 0x3a00000 [0073.655] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.655] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.655] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.655] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.656] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.656] CloseHandle (hObject=0x440) returned 1 [0073.656] GetProcessHeap () returned 0x3a00000 [0073.656] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.656] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0073.656] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\442__Connections_Cellular_Vodacom Tanzania (Tanzania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\442__connections_cellular_vodacom tanzania (tanzania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.657] GetProcessHeap () returned 0x3a00000 [0073.657] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.657] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ffddb3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ffddb3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90ffddb3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="443__C~1.PRO")) returned 1 [0073.657] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.657] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.657] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.657] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.657] lstrcmpiW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.657] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.657] StrStrIW (lpFirst="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.657] lstrcmpW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.657] lstrcmpW (lpString1="443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.657] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.657] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.657] GetTickCount () returned 0x1152c5c [0073.657] GetTickCount () returned 0x1152c5c [0073.657] GetTickCount () returned 0x1152c5c [0073.657] GetTickCount () returned 0x1152c5c [0073.657] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.657] GetProcessHeap () returned 0x3a00000 [0073.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.658] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.659] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.659] GetProcessHeap () returned 0x3a00000 [0073.659] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.659] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.660] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.660] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.660] CloseHandle (hObject=0x440) returned 1 [0073.660] GetProcessHeap () returned 0x3a00000 [0073.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.660] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\443__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\443__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.661] GetProcessHeap () returned 0x3a00000 [0073.661] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.661] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="444__C~1.PRO")) returned 1 [0073.661] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.661] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.661] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.661] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.661] lstrcmpiW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml") returned 158 [0073.661] StrStrIW (lpFirst="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.661] lstrcmpW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.661] lstrcmpW (lpString1="444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.661] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.661] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.662] GetTickCount () returned 0x1152c5c [0073.662] GetTickCount () returned 0x1152c5c [0073.662] GetTickCount () returned 0x1152c5c [0073.662] GetTickCount () returned 0x1152c5c [0073.662] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.662] GetProcessHeap () returned 0x3a00000 [0073.662] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.662] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0073.664] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.664] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0073.664] GetProcessHeap () returned 0x3a00000 [0073.664] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.664] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.664] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.664] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.664] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.664] CloseHandle (hObject=0x440) returned 1 [0073.664] GetProcessHeap () returned 0x3a00000 [0073.664] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.665] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0073.665] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\444__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\444__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.665] GetProcessHeap () returned 0x3a00000 [0073.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.665] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="445__C~1.PRO")) returned 1 [0073.665] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.665] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.665] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.665] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.665] lstrcmpiW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.665] StrStrIW (lpFirst="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.666] lstrcmpW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.666] lstrcmpW (lpString1="445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.666] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.666] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.666] GetTickCount () returned 0x1152c5c [0073.666] GetTickCount () returned 0x1152c5c [0073.666] GetTickCount () returned 0x1152c5c [0073.666] GetTickCount () returned 0x1152c5c [0073.666] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.666] GetProcessHeap () returned 0x3a00000 [0073.666] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.666] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0073.667] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.667] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0073.667] GetProcessHeap () returned 0x3a00000 [0073.667] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.667] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.667] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.668] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.668] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.668] CloseHandle (hObject=0x440) returned 1 [0073.668] GetProcessHeap () returned 0x3a00000 [0073.668] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.668] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.668] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\445__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\445__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.669] GetProcessHeap () returned 0x3a00000 [0073.669] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.669] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="446__C~1.PRO")) returned 1 [0073.669] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.669] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.669] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.669] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.669] lstrcmpiW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.669] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml") returned 159 [0073.670] StrStrIW (lpFirst="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.670] lstrcmpW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.670] lstrcmpW (lpString1="446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.670] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.670] GetTickCount () returned 0x1152c6b [0073.670] GetTickCount () returned 0x1152c6b [0073.670] GetTickCount () returned 0x1152c6b [0073.670] GetTickCount () returned 0x1152c6b [0073.670] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.670] GetProcessHeap () returned 0x3a00000 [0073.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.670] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.671] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.671] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.672] GetProcessHeap () returned 0x3a00000 [0073.672] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.672] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.672] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.672] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.672] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.672] CloseHandle (hObject=0x440) returned 1 [0073.672] GetProcessHeap () returned 0x3a00000 [0073.672] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.672] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\446__Connections_Cellular_DTAC (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\446__connections_cellular_dtac (thailand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.673] GetProcessHeap () returned 0x3a00000 [0073.673] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.673] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="447__C~1.PRO")) returned 1 [0073.673] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.673] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.673] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.673] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.673] lstrcmpiW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.673] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml") returned 161 [0073.673] StrStrIW (lpFirst="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.673] lstrcmpW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.673] lstrcmpW (lpString1="447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.673] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.673] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.673] GetTickCount () returned 0x1152c6b [0073.674] GetTickCount () returned 0x1152c6b [0073.674] GetTickCount () returned 0x1152c6b [0073.674] GetTickCount () returned 0x1152c6b [0073.674] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.674] GetProcessHeap () returned 0x3a00000 [0073.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.674] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0073.675] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.675] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0073.675] GetProcessHeap () returned 0x3a00000 [0073.675] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.675] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.675] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.675] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.676] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.676] CloseHandle (hObject=0x440) returned 1 [0073.676] GetProcessHeap () returned 0x3a00000 [0073.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.676] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.676] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\447__Connections_Cellular_Orange (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\447__connections_cellular_orange (thailand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.677] GetProcessHeap () returned 0x3a00000 [0073.677] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.677] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9102401b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9102401b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9102401b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x313, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="448__C~1.PRO")) returned 1 [0073.677] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.677] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.677] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.677] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.677] lstrcmpiW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.677] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml") returned 161 [0073.677] StrStrIW (lpFirst="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.677] lstrcmpW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.677] lstrcmpW (lpString1="448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.677] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.677] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.677] GetTickCount () returned 0x1152c6b [0073.677] GetTickCount () returned 0x1152c6b [0073.677] GetTickCount () returned 0x1152c6b [0073.677] GetTickCount () returned 0x1152c6b [0073.677] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.677] GetProcessHeap () returned 0x3a00000 [0073.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.677] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x313, lpOverlapped=0x0) returned 1 [0073.679] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffced, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.679] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x313, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x313, lpOverlapped=0x0) returned 1 [0073.679] GetProcessHeap () returned 0x3a00000 [0073.679] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.679] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.679] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.679] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.679] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.679] CloseHandle (hObject=0x440) returned 1 [0073.679] GetProcessHeap () returned 0x3a00000 [0073.680] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.680] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.680] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\448__Connections_Cellular_Orascom (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\448__connections_cellular_orascom (tunisia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.680] GetProcessHeap () returned 0x3a00000 [0073.680] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.680] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="449__C~1.PRO")) returned 1 [0073.680] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.680] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.681] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.681] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.681] lstrcmpiW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.681] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml") returned 157 [0073.681] StrStrIW (lpFirst="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.681] lstrcmpW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.681] lstrcmpW (lpString1="449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.681] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.681] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.681] GetTickCount () returned 0x1152c6b [0073.681] GetTickCount () returned 0x1152c6b [0073.681] GetTickCount () returned 0x1152c6b [0073.681] GetTickCount () returned 0x1152c6b [0073.681] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.681] GetProcessHeap () returned 0x3a00000 [0073.681] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.681] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0073.693] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.693] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0073.694] GetProcessHeap () returned 0x3a00000 [0073.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.694] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.694] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.694] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.694] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.694] CloseHandle (hObject=0x440) returned 1 [0073.694] GetProcessHeap () returned 0x3a00000 [0073.694] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.694] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0073.694] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\449__Connections_Cellular_Avea (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\449__connections_cellular_avea (turkey)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.695] GetProcessHeap () returned 0x3a00000 [0073.695] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.695] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90247f0e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90247f0e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90247f0e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="44__CO~1.PRO")) returned 1 [0073.695] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.695] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.695] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.695] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.695] lstrcmpiW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.695] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml") returned 163 [0073.695] StrStrIW (lpFirst="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.695] lstrcmpW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.695] lstrcmpW (lpString1="44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.695] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.695] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.696] GetTickCount () returned 0x1152c7b [0073.696] GetTickCount () returned 0x1152c7b [0073.696] GetTickCount () returned 0x1152c7b [0073.696] GetTickCount () returned 0x1152c7b [0073.696] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.696] GetProcessHeap () returned 0x3a00000 [0073.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.696] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0073.697] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.697] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0073.698] GetProcessHeap () returned 0x3a00000 [0073.698] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.698] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.698] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.698] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.698] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.698] CloseHandle (hObject=0x440) returned 1 [0073.698] GetProcessHeap () returned 0x3a00000 [0073.698] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.698] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\44__Connections_Cellular_BASE NV-SA (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\44__connections_cellular_base nv-sa (belgium)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.699] GetProcessHeap () returned 0x3a00000 [0073.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.699] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="450__C~1.PRO")) returned 1 [0073.699] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.699] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.699] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.699] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.699] lstrcmpiW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.699] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml") returned 160 [0073.699] StrStrIW (lpFirst="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.699] lstrcmpW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.699] lstrcmpW (lpString1="450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.699] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.700] GetTickCount () returned 0x1152c7b [0073.700] GetTickCount () returned 0x1152c7b [0073.700] GetTickCount () returned 0x1152c7b [0073.700] GetTickCount () returned 0x1152c7b [0073.700] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.700] GetProcessHeap () returned 0x3a00000 [0073.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.700] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0073.702] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.702] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0073.702] GetProcessHeap () returned 0x3a00000 [0073.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.702] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.702] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.702] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.702] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.703] CloseHandle (hObject=0x440) returned 1 [0073.703] GetProcessHeap () returned 0x3a00000 [0073.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.703] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0073.703] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\450__Connections_Cellular_KKTCELL (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\450__connections_cellular_kktcell (turkey)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.703] GetProcessHeap () returned 0x3a00000 [0073.703] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.704] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="451__C~1.PRO")) returned 1 [0073.704] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.704] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.704] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.704] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.704] lstrcmpiW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.704] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml") returned 161 [0073.704] StrStrIW (lpFirst="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.704] lstrcmpW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.704] lstrcmpW (lpString1="451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.704] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.705] GetTickCount () returned 0x1152c8b [0073.705] GetTickCount () returned 0x1152c8b [0073.705] GetTickCount () returned 0x1152c8b [0073.705] GetTickCount () returned 0x1152c8b [0073.705] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.705] GetProcessHeap () returned 0x3a00000 [0073.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.705] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0073.706] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.706] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0073.706] GetProcessHeap () returned 0x3a00000 [0073.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.706] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.706] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.707] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.707] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.707] CloseHandle (hObject=0x440) returned 1 [0073.707] GetProcessHeap () returned 0x3a00000 [0073.707] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.707] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.707] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\451__Connections_Cellular_Turkcell (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\451__connections_cellular_turkcell (turkey)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.708] GetProcessHeap () returned 0x3a00000 [0073.708] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.708] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9104a28e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9104a28e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9104a28e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", cAlternateFileName="452__C~1.PRO")) returned 1 [0073.708] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.708] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.708] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.708] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.708] lstrcmpiW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.708] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml") returned 161 [0073.708] StrStrIW (lpFirst="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.708] lstrcmpW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.708] lstrcmpW (lpString1="452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.708] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.708] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.708] GetTickCount () returned 0x1152c8b [0073.708] GetTickCount () returned 0x1152c8b [0073.708] GetTickCount () returned 0x1152c8b [0073.708] GetTickCount () returned 0x1152c8b [0073.708] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.709] GetProcessHeap () returned 0x3a00000 [0073.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.709] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.710] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.710] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.710] GetProcessHeap () returned 0x3a00000 [0073.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.710] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.711] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.711] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.711] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.711] CloseHandle (hObject=0x440) returned 1 [0073.711] GetProcessHeap () returned 0x3a00000 [0073.711] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.711] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.711] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\452__Connections_Cellular_Turkcell (Turkey)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\452__connections_cellular_turkcell (turkey)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.712] GetProcessHeap () returned 0x3a00000 [0073.712] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.712] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", cAlternateFileName="453__C~1.PRO")) returned 1 [0073.712] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.712] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.712] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.712] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.712] lstrcmpiW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.712] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml") returned 161 [0073.712] StrStrIW (lpFirst="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.712] lstrcmpW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.712] lstrcmpW (lpString1="453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.712] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.712] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.712] GetTickCount () returned 0x1152c8b [0073.712] GetTickCount () returned 0x1152c8b [0073.712] GetTickCount () returned 0x1152c8b [0073.713] GetTickCount () returned 0x1152c8b [0073.713] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.713] GetProcessHeap () returned 0x3a00000 [0073.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.713] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.714] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.714] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.714] GetProcessHeap () returned 0x3a00000 [0073.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.714] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.714] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.714] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.714] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.715] CloseHandle (hObject=0x440) returned 1 [0073.715] GetProcessHeap () returned 0x3a00000 [0073.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\453__Connections_Cellular_Turkcell (Turkey)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\453__connections_cellular_turkcell (turkey)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.715] GetProcessHeap () returned 0x3a00000 [0073.715] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.715] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", cAlternateFileName="454__C~1.PRO")) returned 1 [0073.718] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.718] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.718] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.718] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.718] lstrcmpiW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.718] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml") returned 164 [0073.718] StrStrIW (lpFirst="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.718] lstrcmpW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.718] lstrcmpW (lpString1="454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.718] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.718] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.718] GetTickCount () returned 0x1152c9a [0073.718] GetTickCount () returned 0x1152c9a [0073.718] GetTickCount () returned 0x1152c9a [0073.719] GetTickCount () returned 0x1152c9a [0073.719] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.719] GetProcessHeap () returned 0x3a00000 [0073.719] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.719] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.720] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.720] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.720] GetProcessHeap () returned 0x3a00000 [0073.720] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.720] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.720] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.721] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.721] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.721] CloseHandle (hObject=0x440) returned 1 [0073.721] GetProcessHeap () returned 0x3a00000 [0073.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.721] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.721] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\454__Connections_Cellular_Vodafone TR (Turkey)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\454__connections_cellular_vodafone tr (turkey)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.722] GetProcessHeap () returned 0x3a00000 [0073.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.722] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="455__C~1.PRO")) returned 1 [0073.722] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.722] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.722] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.722] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.722] lstrcmpiW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.722] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.722] StrStrIW (lpFirst="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.722] lstrcmpW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.722] lstrcmpW (lpString1="455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.722] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.722] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.722] GetTickCount () returned 0x1152c9a [0073.722] GetTickCount () returned 0x1152c9a [0073.722] GetTickCount () returned 0x1152c9a [0073.722] GetTickCount () returned 0x1152c9a [0073.722] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.723] GetProcessHeap () returned 0x3a00000 [0073.723] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.723] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.723] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.724] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.724] GetProcessHeap () returned 0x3a00000 [0073.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.724] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.724] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.724] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.725] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.725] CloseHandle (hObject=0x440) returned 1 [0073.725] GetProcessHeap () returned 0x3a00000 [0073.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.725] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\455__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\455__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.725] GetProcessHeap () returned 0x3a00000 [0073.725] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.725] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="456__C~1.PRO")) returned 1 [0073.726] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.726] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.726] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.726] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.726] lstrcmpiW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.726] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml") returned 167 [0073.726] StrStrIW (lpFirst="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.726] lstrcmpW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.726] lstrcmpW (lpString1="456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.726] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.726] GetTickCount () returned 0x1152c9a [0073.726] GetTickCount () returned 0x1152c9a [0073.726] GetTickCount () returned 0x1152c9a [0073.726] GetTickCount () returned 0x1152c9a [0073.726] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.726] GetProcessHeap () returned 0x3a00000 [0073.726] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.726] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0073.728] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.728] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0073.728] GetProcessHeap () returned 0x3a00000 [0073.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.728] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.728] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.728] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.728] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.728] CloseHandle (hObject=0x440) returned 1 [0073.728] GetProcessHeap () returned 0x3a00000 [0073.728] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0073.728] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\456__Connections_Cellular_VF KKTC Telsim (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\456__connections_cellular_vf kktc telsim (cyprus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.729] GetProcessHeap () returned 0x3a00000 [0073.729] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.729] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910704f6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910704f6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910704f6, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="457__C~1.PRO")) returned 1 [0073.729] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.729] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.729] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.729] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.729] lstrcmpiW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.729] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.729] StrStrIW (lpFirst="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.729] lstrcmpW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.729] lstrcmpW (lpString1="457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.729] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.730] GetTickCount () returned 0x1152c9a [0073.730] GetTickCount () returned 0x1152c9a [0073.730] GetTickCount () returned 0x1152c9a [0073.730] GetTickCount () returned 0x1152c9a [0073.730] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.730] GetProcessHeap () returned 0x3a00000 [0073.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.730] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.741] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.741] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.742] GetProcessHeap () returned 0x3a00000 [0073.742] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.742] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.742] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.742] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.742] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.742] CloseHandle (hObject=0x440) returned 1 [0073.743] GetProcessHeap () returned 0x3a00000 [0073.743] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.743] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\457__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\457__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.743] GetProcessHeap () returned 0x3a00000 [0073.743] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.744] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="458__C~1.PRO")) returned 1 [0073.744] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.744] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.744] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.744] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.744] lstrcmpiW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.744] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml") returned 162 [0073.744] StrStrIW (lpFirst="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.744] lstrcmpW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.744] lstrcmpW (lpString1="458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.744] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.744] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.744] GetTickCount () returned 0x1152caa [0073.744] GetTickCount () returned 0x1152caa [0073.744] GetTickCount () returned 0x1152caa [0073.744] GetTickCount () returned 0x1152caa [0073.744] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.744] GetProcessHeap () returned 0x3a00000 [0073.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.744] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0073.746] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.746] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0073.746] GetProcessHeap () returned 0x3a00000 [0073.746] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.746] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.746] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.747] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.747] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.747] CloseHandle (hObject=0x440) returned 1 [0073.747] GetProcessHeap () returned 0x3a00000 [0073.747] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.747] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\458__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\458__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.748] GetProcessHeap () returned 0x3a00000 [0073.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.748] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", cAlternateFileName="459__C~1.PRO")) returned 1 [0073.748] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.748] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.748] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.748] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.748] lstrcmpiW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.748] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml") returned 162 [0073.748] StrStrIW (lpFirst="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.748] lstrcmpW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.748] lstrcmpW (lpString1="459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.748] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.748] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.749] GetTickCount () returned 0x1152cb9 [0073.749] GetTickCount () returned 0x1152cb9 [0073.749] GetTickCount () returned 0x1152cb9 [0073.749] GetTickCount () returned 0x1152cb9 [0073.749] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.749] GetProcessHeap () returned 0x3a00000 [0073.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.749] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0073.750] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.750] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0073.750] GetProcessHeap () returned 0x3a00000 [0073.750] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.750] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.751] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.751] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.751] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.751] CloseHandle (hObject=0x440) returned 1 [0073.751] GetProcessHeap () returned 0x3a00000 [0073.751] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\459__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\459__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.752] GetProcessHeap () returned 0x3a00000 [0073.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.752] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="45__CO~1.PRO")) returned 1 [0073.752] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.752] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.752] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.752] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.752] lstrcmpiW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.752] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml") returned 159 [0073.752] StrStrIW (lpFirst="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.752] lstrcmpW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.752] lstrcmpW (lpString1="45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.752] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.752] GetTickCount () returned 0x1152cb9 [0073.752] GetTickCount () returned 0x1152cb9 [0073.752] GetTickCount () returned 0x1152cb9 [0073.752] GetTickCount () returned 0x1152cb9 [0073.753] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.753] GetProcessHeap () returned 0x3a00000 [0073.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.753] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0073.754] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.754] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0073.754] GetProcessHeap () returned 0x3a00000 [0073.754] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.754] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.754] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.755] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.755] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.755] CloseHandle (hObject=0x440) returned 1 [0073.755] GetProcessHeap () returned 0x3a00000 [0073.755] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.755] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.755] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\45__Connections_Cellular_ORANGE (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\45__connections_cellular_orange (belgium)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.756] GetProcessHeap () returned 0x3a00000 [0073.756] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.756] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", cAlternateFileName="460__C~1.PRO")) returned 1 [0073.756] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.756] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.756] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.756] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.756] lstrcmpiW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml") returned 162 [0073.756] StrStrIW (lpFirst="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.756] lstrcmpW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.756] lstrcmpW (lpString1="460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.756] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.756] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.756] GetTickCount () returned 0x1152cb9 [0073.756] GetTickCount () returned 0x1152cb9 [0073.756] GetTickCount () returned 0x1152cb9 [0073.756] GetTickCount () returned 0x1152cb9 [0073.757] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.757] GetProcessHeap () returned 0x3a00000 [0073.757] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.757] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0073.758] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.758] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0073.759] GetProcessHeap () returned 0x3a00000 [0073.759] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.759] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.759] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.759] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.759] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.759] CloseHandle (hObject=0x440) returned 1 [0073.759] GetProcessHeap () returned 0x3a00000 [0073.759] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.759] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.759] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\460__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\460__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.760] GetProcessHeap () returned 0x3a00000 [0073.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.760] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", cAlternateFileName="461__C~1.PRO")) returned 1 [0073.760] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.760] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.760] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.760] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.760] lstrcmpiW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.760] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml") returned 162 [0073.760] StrStrIW (lpFirst="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.760] lstrcmpW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.760] lstrcmpW (lpString1="461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.760] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.760] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.761] GetTickCount () returned 0x1152cb9 [0073.761] GetTickCount () returned 0x1152cb9 [0073.761] GetTickCount () returned 0x1152cb9 [0073.761] GetTickCount () returned 0x1152cb9 [0073.761] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.761] GetProcessHeap () returned 0x3a00000 [0073.761] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.761] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.762] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.762] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.763] GetProcessHeap () returned 0x3a00000 [0073.763] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.763] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.763] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.763] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.763] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.763] CloseHandle (hObject=0x440) returned 1 [0073.763] GetProcessHeap () returned 0x3a00000 [0073.763] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.763] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.763] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\461__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\461__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.764] GetProcessHeap () returned 0x3a00000 [0073.764] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.764] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91096761, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91096761, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91096761, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", cAlternateFileName="462__C~1.PRO")) returned 1 [0073.764] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.764] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.764] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.764] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.764] lstrcmpiW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.764] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml") returned 162 [0073.764] StrStrIW (lpFirst="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.764] lstrcmpW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.764] lstrcmpW (lpString1="462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.764] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.765] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.766] GetTickCount () returned 0x1152cc9 [0073.766] GetTickCount () returned 0x1152cc9 [0073.766] GetTickCount () returned 0x1152cc9 [0073.766] GetTickCount () returned 0x1152cc9 [0073.766] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.766] GetProcessHeap () returned 0x3a00000 [0073.766] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.766] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.767] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.767] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0073.767] GetProcessHeap () returned 0x3a00000 [0073.768] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.768] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.768] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.768] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.768] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.768] CloseHandle (hObject=0x440) returned 1 [0073.768] GetProcessHeap () returned 0x3a00000 [0073.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.768] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.768] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\462__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\462__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.769] GetProcessHeap () returned 0x3a00000 [0073.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.769] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="463__C~1.PRO")) returned 1 [0073.769] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.769] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.769] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.769] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.769] lstrcmpiW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.769] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml") returned 161 [0073.769] StrStrIW (lpFirst="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.769] lstrcmpW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.769] lstrcmpW (lpString1="463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.769] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.769] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.770] GetTickCount () returned 0x1152cc9 [0073.770] GetTickCount () returned 0x1152cc9 [0073.770] GetTickCount () returned 0x1152cc9 [0073.770] GetTickCount () returned 0x1152cc9 [0073.770] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.770] GetProcessHeap () returned 0x3a00000 [0073.770] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.770] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0073.771] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.771] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0073.771] GetProcessHeap () returned 0x3a00000 [0073.771] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.771] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.771] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.771] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.772] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.772] CloseHandle (hObject=0x440) returned 1 [0073.772] GetProcessHeap () returned 0x3a00000 [0073.772] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.772] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.772] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\463__Connections_Cellular_Astelit (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\463__connections_cellular_astelit (ukraine)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.773] GetProcessHeap () returned 0x3a00000 [0073.773] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.773] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x281, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="464__C~1.PRO")) returned 1 [0073.773] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.773] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.773] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.773] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.773] lstrcmpiW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.773] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml") returned 157 [0073.773] StrStrIW (lpFirst="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.773] lstrcmpW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.773] lstrcmpW (lpString1="464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.773] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.773] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.773] GetTickCount () returned 0x1152cc9 [0073.773] GetTickCount () returned 0x1152cc9 [0073.773] GetTickCount () returned 0x1152cc9 [0073.773] GetTickCount () returned 0x1152cc9 [0073.773] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.774] GetProcessHeap () returned 0x3a00000 [0073.774] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.774] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x281, lpOverlapped=0x0) returned 1 [0073.775] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.775] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x281, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x281, lpOverlapped=0x0) returned 1 [0073.775] GetProcessHeap () returned 0x3a00000 [0073.775] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.775] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.775] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.775] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.775] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.775] CloseHandle (hObject=0x440) returned 1 [0073.776] GetProcessHeap () returned 0x3a00000 [0073.776] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.776] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0073.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\464__Connections_Cellular_UMC (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\464__connections_cellular_umc (ukraine)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.776] GetProcessHeap () returned 0x3a00000 [0073.776] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.776] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="465__C~1.PRO")) returned 1 [0073.776] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.776] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.776] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.776] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.777] lstrcmpiW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.777] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml") returned 163 [0073.777] StrStrIW (lpFirst="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.777] lstrcmpW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.777] lstrcmpW (lpString1="465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.777] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.777] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.777] GetTickCount () returned 0x1152cc9 [0073.777] GetTickCount () returned 0x1152cc9 [0073.777] GetTickCount () returned 0x1152cc9 [0073.777] GetTickCount () returned 0x1152cc9 [0073.777] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.777] GetProcessHeap () returned 0x3a00000 [0073.777] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.777] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.810] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.810] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0073.810] GetProcessHeap () returned 0x3a00000 [0073.810] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.810] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.810] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.810] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.810] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.811] CloseHandle (hObject=0x440) returned 1 [0073.811] GetProcessHeap () returned 0x3a00000 [0073.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.811] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\465__Connections_Cellular_Utel INET (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\465__connections_cellular_utel inet (ukraine)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.812] GetProcessHeap () returned 0x3a00000 [0073.812] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.812] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910bc9cd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910bc9cd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910bc9cd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="466__C~1.PRO")) returned 1 [0073.812] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.812] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.812] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.812] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.812] lstrcmpiW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.812] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 169 [0073.812] StrStrIW (lpFirst="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.812] lstrcmpW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.812] lstrcmpW (lpString1="466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.812] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.813] GetTickCount () returned 0x1152cf8 [0073.813] GetTickCount () returned 0x1152cf8 [0073.813] GetTickCount () returned 0x1152cf8 [0073.813] GetTickCount () returned 0x1152cf8 [0073.813] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.813] GetProcessHeap () returned 0x3a00000 [0073.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.813] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0073.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0073.815] GetProcessHeap () returned 0x3a00000 [0073.815] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.815] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.815] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.815] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.815] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.815] CloseHandle (hObject=0x440) returned 1 [0073.815] GetProcessHeap () returned 0x3a00000 [0073.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0073.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\466__Connections_Cellular_du (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\466__connections_cellular_du (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.816] GetProcessHeap () returned 0x3a00000 [0073.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.816] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="467__C~1.PRO")) returned 1 [0073.816] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.816] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.816] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.816] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.816] lstrcmpiW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.816] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 174 [0073.816] StrStrIW (lpFirst="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.816] lstrcmpW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.816] lstrcmpW (lpString1="467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.816] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.816] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.817] GetTickCount () returned 0x1152cf8 [0073.817] GetTickCount () returned 0x1152cf8 [0073.817] GetTickCount () returned 0x1152cf8 [0073.817] GetTickCount () returned 0x1152cf8 [0073.817] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.817] GetProcessHeap () returned 0x3a00000 [0073.817] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.817] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.819] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd76, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.819] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28a, lpOverlapped=0x0) returned 1 [0073.819] GetProcessHeap () returned 0x3a00000 [0073.819] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.819] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.819] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.819] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.819] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.819] CloseHandle (hObject=0x440) returned 1 [0073.820] GetProcessHeap () returned 0x3a00000 [0073.820] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.820] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0073.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\467__Connections_Cellular_du EITC (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\467__connections_cellular_du eitc (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.821] GetProcessHeap () returned 0x3a00000 [0073.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.821] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", cAlternateFileName="468__C~1.PRO")) returned 1 [0073.821] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.821] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.821] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.821] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.821] lstrcmpiW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.821] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml") returned 175 [0073.821] StrStrIW (lpFirst="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.821] lstrcmpW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.821] lstrcmpW (lpString1="468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.821] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.821] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.822] GetTickCount () returned 0x1152cf8 [0073.822] GetTickCount () returned 0x1152cf8 [0073.822] GetTickCount () returned 0x1152cf8 [0073.822] GetTickCount () returned 0x1152cf8 [0073.822] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.822] GetProcessHeap () returned 0x3a00000 [0073.822] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.822] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0073.824] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.824] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0073.824] GetProcessHeap () returned 0x3a00000 [0073.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.824] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.824] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.825] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.825] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.825] CloseHandle (hObject=0x440) returned 1 [0073.825] GetProcessHeap () returned 0x3a00000 [0073.825] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.825] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0073.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\468__Connections_Cellular_Etisalat (United Arab Emirates)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\468__connections_cellular_etisalat (united arab emirates)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.826] GetProcessHeap () returned 0x3a00000 [0073.826] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.826] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="469__C~1.PRO")) returned 1 [0073.827] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.827] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.827] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.827] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.827] lstrcmpiW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.827] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 190 [0073.827] StrStrIW (lpFirst="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.827] lstrcmpW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.827] lstrcmpW (lpString1="469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.827] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.827] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.827] GetTickCount () returned 0x1152d08 [0073.827] GetTickCount () returned 0x1152d08 [0073.827] GetTickCount () returned 0x1152d08 [0073.827] GetTickCount () returned 0x1152d08 [0073.828] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.828] GetProcessHeap () returned 0x3a00000 [0073.828] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.828] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x29f, lpOverlapped=0x0) returned 1 [0073.829] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.829] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x29f, lpOverlapped=0x0) returned 1 [0073.830] GetProcessHeap () returned 0x3a00000 [0073.830] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.830] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.830] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.830] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.830] CloseHandle (hObject=0x440) returned 1 [0073.830] GetProcessHeap () returned 0x3a00000 [0073.831] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.831] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 209 [0073.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\469__Connections_Cellular_Cable & Wireless Guernsey Ltd (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\469__connections_cellular_cable & wireless guernsey ltd (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.832] GetProcessHeap () returned 0x3a00000 [0073.832] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.832] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", cAlternateFileName="46__CO~1.PRO")) returned 1 [0073.834] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.835] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.835] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.835] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.835] lstrcmpiW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.835] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml") returned 159 [0073.835] StrStrIW (lpFirst="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.835] lstrcmpW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.835] lstrcmpW (lpString1="46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.835] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.835] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] GetTickCount () returned 0x1152d08 [0073.835] GetTickCount () returned 0x1152d08 [0073.836] GetTickCount () returned 0x1152d08 [0073.836] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.836] GetProcessHeap () returned 0x3a00000 [0073.836] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.836] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.838] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.838] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0073.838] GetProcessHeap () returned 0x3a00000 [0073.838] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.838] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.838] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.838] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.838] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.839] CloseHandle (hObject=0x440) returned 1 [0073.839] GetProcessHeap () returned 0x3a00000 [0073.839] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.839] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\46__Connections_Cellular_ORANGE (Belgium)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\46__connections_cellular_orange (belgium)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.840] GetProcessHeap () returned 0x3a00000 [0073.840] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.840] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x910e2c39, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x910e2c39, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x910e2c39, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="470__C~1.PRO")) returned 1 [0073.840] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.840] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.840] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.840] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.840] lstrcmpiW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.840] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 186 [0073.840] StrStrIW (lpFirst="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.840] lstrcmpW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.840] lstrcmpW (lpString1="470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.840] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.840] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.841] GetTickCount () returned 0x1152d17 [0073.841] GetTickCount () returned 0x1152d17 [0073.841] GetTickCount () returned 0x1152d17 [0073.841] GetTickCount () returned 0x1152d17 [0073.841] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.841] GetProcessHeap () returned 0x3a00000 [0073.842] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.842] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e5, lpOverlapped=0x0) returned 1 [0073.843] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.843] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e5, lpOverlapped=0x0) returned 1 [0073.844] GetProcessHeap () returned 0x3a00000 [0073.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.844] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.844] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.844] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.844] CloseHandle (hObject=0x440) returned 1 [0073.844] GetProcessHeap () returned 0x3a00000 [0073.844] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.844] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 205 [0073.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\470__Connections_Cellular_Manx Telecom (Pronto GSM) (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\470__connections_cellular_manx telecom (pronto gsm) (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.845] GetProcessHeap () returned 0x3a00000 [0073.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.846] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="471__C~1.PRO")) returned 1 [0073.846] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.846] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.846] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.846] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.846] lstrcmpiW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.846] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 168 [0073.846] StrStrIW (lpFirst="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.846] lstrcmpW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.846] lstrcmpW (lpString1="471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.846] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.846] GetTickCount () returned 0x1152d17 [0073.846] GetTickCount () returned 0x1152d17 [0073.846] GetTickCount () returned 0x1152d17 [0073.846] GetTickCount () returned 0x1152d17 [0073.847] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.847] GetProcessHeap () returned 0x3a00000 [0073.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.847] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x368, lpOverlapped=0x0) returned 1 [0073.851] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc98, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.851] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x368, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x368, lpOverlapped=0x0) returned 1 [0073.852] GetProcessHeap () returned 0x3a00000 [0073.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.852] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.852] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.852] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.852] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.852] CloseHandle (hObject=0x440) returned 1 [0073.852] GetProcessHeap () returned 0x3a00000 [0073.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.852] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0073.852] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\471__Connections_Cellular_O2 - UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\471__connections_cellular_o2 - uk (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.853] GetProcessHeap () returned 0x3a00000 [0073.853] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.853] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x359, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="472__C~1.PRO")) returned 1 [0073.853] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.853] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.853] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.853] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.853] lstrcmpiW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.854] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 168 [0073.854] StrStrIW (lpFirst="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.854] lstrcmpW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.854] lstrcmpW (lpString1="472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.854] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.854] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.854] GetTickCount () returned 0x1152d17 [0073.854] GetTickCount () returned 0x1152d17 [0073.854] GetTickCount () returned 0x1152d17 [0073.854] GetTickCount () returned 0x1152d17 [0073.854] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.855] GetProcessHeap () returned 0x3a00000 [0073.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.855] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x359, lpOverlapped=0x0) returned 1 [0073.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.857] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x359, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x359, lpOverlapped=0x0) returned 1 [0073.857] GetProcessHeap () returned 0x3a00000 [0073.857] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.857] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.857] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.857] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.857] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.858] CloseHandle (hObject=0x440) returned 1 [0073.858] GetProcessHeap () returned 0x3a00000 [0073.858] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.858] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0073.858] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\472__Connections_Cellular_O2 - UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\472__connections_cellular_o2 - uk (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.859] GetProcessHeap () returned 0x3a00000 [0073.859] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.859] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91108ea4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", cAlternateFileName="473__C~1.PRO")) returned 1 [0073.859] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.859] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.859] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.859] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.859] lstrcmpiW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.859] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml") returned 168 [0073.859] StrStrIW (lpFirst="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.859] lstrcmpW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.859] lstrcmpW (lpString1="473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.859] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.859] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.860] GetTickCount () returned 0x1152d27 [0073.860] GetTickCount () returned 0x1152d27 [0073.860] GetTickCount () returned 0x1152d27 [0073.860] GetTickCount () returned 0x1152d27 [0073.860] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.861] GetProcessHeap () returned 0x3a00000 [0073.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.862] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.862] GetProcessHeap () returned 0x3a00000 [0073.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.863] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.863] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.863] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.863] CloseHandle (hObject=0x440) returned 1 [0073.863] GetProcessHeap () returned 0x3a00000 [0073.863] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.863] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0073.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\473__Connections_Cellular_O2 - UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\473__connections_cellular_o2 - uk (united kingdom)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.864] GetProcessHeap () returned 0x3a00000 [0073.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.864] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91108ea4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91108ea4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", cAlternateFileName="474__C~1.PRO")) returned 1 [0073.864] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.864] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.864] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.864] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.864] lstrcmpiW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.864] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml") returned 168 [0073.865] StrStrIW (lpFirst="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.865] lstrcmpW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.865] lstrcmpW (lpString1="474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.865] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.865] GetTickCount () returned 0x1152d27 [0073.865] GetTickCount () returned 0x1152d27 [0073.865] GetTickCount () returned 0x1152d27 [0073.865] GetTickCount () returned 0x1152d27 [0073.865] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.865] GetProcessHeap () returned 0x3a00000 [0073.866] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.866] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.867] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.867] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0073.867] GetProcessHeap () returned 0x3a00000 [0073.867] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.867] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.867] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.868] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.868] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.868] CloseHandle (hObject=0x440) returned 1 [0073.868] GetProcessHeap () returned 0x3a00000 [0073.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.868] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0073.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\474__Connections_Cellular_O2 - UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\474__connections_cellular_o2 - uk (united kingdom)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.869] GetProcessHeap () returned 0x3a00000 [0073.869] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.869] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", cAlternateFileName="475__C~1.PRO")) returned 1 [0073.869] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.869] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.869] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.869] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.869] lstrcmpiW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.869] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml") returned 168 [0073.869] StrStrIW (lpFirst="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.869] lstrcmpW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.869] lstrcmpW (lpString1="475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.869] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.869] GetTickCount () returned 0x1152d27 [0073.869] GetTickCount () returned 0x1152d27 [0073.869] GetTickCount () returned 0x1152d27 [0073.869] GetTickCount () returned 0x1152d27 [0073.869] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.870] GetProcessHeap () returned 0x3a00000 [0073.870] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.870] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.871] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.871] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0073.871] GetProcessHeap () returned 0x3a00000 [0073.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.871] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.871] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.871] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.871] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.871] CloseHandle (hObject=0x440) returned 1 [0073.871] GetProcessHeap () returned 0x3a00000 [0073.872] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.872] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0073.872] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\475__Connections_Cellular_O2 - UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\475__connections_cellular_o2 - uk (united kingdom)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.873] GetProcessHeap () returned 0x3a00000 [0073.873] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.873] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="476__C~1.PRO")) returned 1 [0073.873] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.873] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.873] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.873] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.873] lstrcmpiW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.873] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.873] StrStrIW (lpFirst="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.873] lstrcmpW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.873] lstrcmpW (lpString1="476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.873] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.873] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.873] GetTickCount () returned 0x1152d36 [0073.873] GetTickCount () returned 0x1152d36 [0073.873] GetTickCount () returned 0x1152d36 [0073.873] GetTickCount () returned 0x1152d36 [0073.873] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.874] GetProcessHeap () returned 0x3a00000 [0073.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.874] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c7, lpOverlapped=0x0) returned 1 [0073.874] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.874] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c7, lpOverlapped=0x0) returned 1 [0073.875] GetProcessHeap () returned 0x3a00000 [0073.875] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.875] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.875] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.875] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.876] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.876] CloseHandle (hObject=0x440) returned 1 [0073.876] GetProcessHeap () returned 0x3a00000 [0073.876] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.876] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\476__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\476__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.876] GetProcessHeap () returned 0x3a00000 [0073.876] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.876] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9112f110, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9112f110, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9112f110, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="477__C~1.PRO")) returned 1 [0073.877] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.877] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.877] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.877] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.877] lstrcmpiW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.877] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 163 [0073.877] StrStrIW (lpFirst="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.877] lstrcmpW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.877] lstrcmpW (lpString1="477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.877] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.877] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.877] GetTickCount () returned 0x1152d36 [0073.877] GetTickCount () returned 0x1152d36 [0073.877] GetTickCount () returned 0x1152d36 [0073.877] GetTickCount () returned 0x1152d36 [0073.877] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.877] GetProcessHeap () returned 0x3a00000 [0073.877] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.877] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0073.879] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.879] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34a, lpOverlapped=0x0) returned 1 [0073.879] GetProcessHeap () returned 0x3a00000 [0073.879] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.879] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.879] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.879] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.880] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.880] CloseHandle (hObject=0x440) returned 1 [0073.880] GetProcessHeap () returned 0x3a00000 [0073.880] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.880] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0073.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\477__Connections_Cellular_EE (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\477__connections_cellular_ee (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.880] GetProcessHeap () returned 0x3a00000 [0073.881] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.881] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="478__C~1.PRO")) returned 1 [0073.881] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.881] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.881] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.881] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.881] lstrcmpiW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.881] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 172 [0073.881] StrStrIW (lpFirst="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.881] lstrcmpW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.881] lstrcmpW (lpString1="478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.881] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.881] GetTickCount () returned 0x1152d36 [0073.881] GetTickCount () returned 0x1152d36 [0073.881] GetTickCount () returned 0x1152d36 [0073.881] GetTickCount () returned 0x1152d36 [0073.881] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.881] GetProcessHeap () returned 0x3a00000 [0073.881] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.882] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0073.883] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.883] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0073.883] GetProcessHeap () returned 0x3a00000 [0073.883] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.883] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.883] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.883] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.883] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.883] CloseHandle (hObject=0x440) returned 1 [0073.883] GetProcessHeap () returned 0x3a00000 [0073.884] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.884] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\478__Connections_Cellular_Vodafone UK (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\478__connections_cellular_vodafone uk (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.884] GetProcessHeap () returned 0x3a00000 [0073.884] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.884] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="479__C~1.PRO")) returned 1 [0073.884] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.884] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.884] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.885] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.885] lstrcmpiW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.885] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 172 [0073.885] StrStrIW (lpFirst="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.885] lstrcmpW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.885] lstrcmpW (lpString1="479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.885] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.885] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.885] GetTickCount () returned 0x1152d36 [0073.885] GetTickCount () returned 0x1152d36 [0073.885] GetTickCount () returned 0x1152d36 [0073.885] GetTickCount () returned 0x1152d36 [0073.885] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.885] GetProcessHeap () returned 0x3a00000 [0073.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.885] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0073.911] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.911] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0073.911] GetProcessHeap () returned 0x3a00000 [0073.911] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.911] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.911] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.911] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.912] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.912] CloseHandle (hObject=0x440) returned 1 [0073.912] GetProcessHeap () returned 0x3a00000 [0073.912] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.912] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\479__Connections_Cellular_Vodafone UK (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\479__connections_cellular_vodafone uk (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.913] GetProcessHeap () returned 0x3a00000 [0073.913] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.913] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", cAlternateFileName="47__CO~1.PRO")) returned 1 [0073.913] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.913] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.913] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.913] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.913] lstrcmpiW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.913] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml") returned 159 [0073.913] StrStrIW (lpFirst="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.913] lstrcmpW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.913] lstrcmpW (lpString1="47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.913] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.914] GetTickCount () returned 0x1152d56 [0073.914] GetTickCount () returned 0x1152d56 [0073.914] GetTickCount () returned 0x1152d56 [0073.914] GetTickCount () returned 0x1152d56 [0073.914] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.914] GetProcessHeap () returned 0x3a00000 [0073.914] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.914] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.915] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.916] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0073.916] GetProcessHeap () returned 0x3a00000 [0073.916] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.916] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.916] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.916] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.916] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.916] CloseHandle (hObject=0x440) returned 1 [0073.916] GetProcessHeap () returned 0x3a00000 [0073.916] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.916] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0073.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\47__Connections_Cellular_ORANGE (Belgium)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\47__connections_cellular_orange (belgium)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.917] GetProcessHeap () returned 0x3a00000 [0073.917] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.917] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x359, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", cAlternateFileName="480__C~1.PRO")) returned 1 [0073.917] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.917] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.917] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.917] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.917] lstrcmpiW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.917] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml") returned 172 [0073.917] StrStrIW (lpFirst="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.917] lstrcmpW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.917] lstrcmpW (lpString1="480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.917] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.918] GetTickCount () returned 0x1152d56 [0073.918] GetTickCount () returned 0x1152d56 [0073.918] GetTickCount () returned 0x1152d56 [0073.918] GetTickCount () returned 0x1152d56 [0073.918] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.918] GetProcessHeap () returned 0x3a00000 [0073.918] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.918] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x359, lpOverlapped=0x0) returned 1 [0073.923] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.923] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x359, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x359, lpOverlapped=0x0) returned 1 [0073.924] GetProcessHeap () returned 0x3a00000 [0073.924] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.924] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.924] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.924] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.924] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.924] CloseHandle (hObject=0x440) returned 1 [0073.924] GetProcessHeap () returned 0x3a00000 [0073.924] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.924] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\480__Connections_Cellular_Vodafone UK (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\480__connections_cellular_vodafone uk (united kingdom)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.925] GetProcessHeap () returned 0x3a00000 [0073.925] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.925] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9115537f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9115537f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9115537f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", cAlternateFileName="481__C~1.PRO")) returned 1 [0073.925] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.925] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.925] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.925] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.925] lstrcmpiW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.925] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml") returned 172 [0073.925] StrStrIW (lpFirst="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.926] lstrcmpW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.926] lstrcmpW (lpString1="481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.926] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.926] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.926] GetTickCount () returned 0x1152d65 [0073.926] GetTickCount () returned 0x1152d65 [0073.926] GetTickCount () returned 0x1152d65 [0073.926] GetTickCount () returned 0x1152d65 [0073.926] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.926] GetProcessHeap () returned 0x3a00000 [0073.926] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.926] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.928] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.928] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0073.928] GetProcessHeap () returned 0x3a00000 [0073.928] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.928] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.928] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.928] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.928] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.928] CloseHandle (hObject=0x440) returned 1 [0073.928] GetProcessHeap () returned 0x3a00000 [0073.928] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.928] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\481__Connections_Cellular_Vodafone UK (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\481__connections_cellular_vodafone uk (united kingdom)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.929] GetProcessHeap () returned 0x3a00000 [0073.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.929] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", cAlternateFileName="482__C~1.PRO")) returned 1 [0073.929] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.929] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.929] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.929] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.929] lstrcmpiW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.929] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml") returned 172 [0073.929] StrStrIW (lpFirst="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.929] lstrcmpW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.929] lstrcmpW (lpString1="482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.929] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.929] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.930] GetTickCount () returned 0x1152d65 [0073.930] GetTickCount () returned 0x1152d65 [0073.930] GetTickCount () returned 0x1152d65 [0073.930] GetTickCount () returned 0x1152d65 [0073.930] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.930] GetProcessHeap () returned 0x3a00000 [0073.930] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.930] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35c, lpOverlapped=0x0) returned 1 [0073.931] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.931] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35c, lpOverlapped=0x0) returned 1 [0073.932] GetProcessHeap () returned 0x3a00000 [0073.932] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.932] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.932] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.932] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.932] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.932] CloseHandle (hObject=0x440) returned 1 [0073.932] GetProcessHeap () returned 0x3a00000 [0073.932] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.932] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\482__Connections_Cellular_Vodafone UK (United Kingdom)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\482__connections_cellular_vodafone uk (united kingdom)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.933] GetProcessHeap () returned 0x3a00000 [0073.933] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.933] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", cAlternateFileName="483__C~1.PRO")) returned 1 [0073.933] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.933] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.933] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.933] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.933] lstrcmpiW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.933] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml") returned 172 [0073.933] StrStrIW (lpFirst="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.933] lstrcmpW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.933] lstrcmpW (lpString1="483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.933] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.933] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.934] GetTickCount () returned 0x1152d65 [0073.934] GetTickCount () returned 0x1152d65 [0073.934] GetTickCount () returned 0x1152d65 [0073.934] GetTickCount () returned 0x1152d65 [0073.934] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.934] GetProcessHeap () returned 0x3a00000 [0073.934] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.934] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0073.937] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.937] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0073.937] GetProcessHeap () returned 0x3a00000 [0073.937] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.937] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.937] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.938] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.938] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.938] CloseHandle (hObject=0x440) returned 1 [0073.938] GetProcessHeap () returned 0x3a00000 [0073.938] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.938] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0073.938] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\483__Connections_Cellular_Vodafone UK (United Kingdom)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\483__connections_cellular_vodafone uk (united kingdom)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.939] GetProcessHeap () returned 0x3a00000 [0073.939] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.939] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="484__C~1.PRO")) returned 1 [0073.941] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.941] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.941] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.941] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.941] lstrcmpiW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.941] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.941] StrStrIW (lpFirst="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.941] lstrcmpW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.941] lstrcmpW (lpString1="484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.941] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.942] GetTickCount () returned 0x1152d75 [0073.942] GetTickCount () returned 0x1152d75 [0073.942] GetTickCount () returned 0x1152d75 [0073.942] GetTickCount () returned 0x1152d75 [0073.942] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.942] GetProcessHeap () returned 0x3a00000 [0073.942] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.942] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.944] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.944] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0073.944] GetProcessHeap () returned 0x3a00000 [0073.944] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.944] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.944] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.945] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.945] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.945] CloseHandle (hObject=0x440) returned 1 [0073.945] GetProcessHeap () returned 0x3a00000 [0073.945] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.945] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\484__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\484__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.946] GetProcessHeap () returned 0x3a00000 [0073.946] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.946] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="485__C~1.PRO")) returned 1 [0073.946] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.946] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.946] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.946] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.946] lstrcmpiW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.946] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml") returned 164 [0073.946] StrStrIW (lpFirst="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.946] lstrcmpW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.946] lstrcmpW (lpString1="485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.946] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.946] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.946] GetTickCount () returned 0x1152d75 [0073.946] GetTickCount () returned 0x1152d75 [0073.946] GetTickCount () returned 0x1152d75 [0073.946] GetTickCount () returned 0x1152d75 [0073.947] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.947] GetProcessHeap () returned 0x3a00000 [0073.947] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.947] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.948] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.948] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0073.948] GetProcessHeap () returned 0x3a00000 [0073.948] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.948] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.948] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.948] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.949] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.949] CloseHandle (hObject=0x440) returned 1 [0073.949] GetProcessHeap () returned 0x3a00000 [0073.949] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.949] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\485__Connections_Cellular_AT&T (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\485__connections_cellular_at&t (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.949] GetProcessHeap () returned 0x3a00000 [0073.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.949] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", cAlternateFileName="486__C~1.PRO")) returned 1 [0073.949] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.949] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.950] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.950] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.950] lstrcmpiW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.950] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml") returned 164 [0073.950] StrStrIW (lpFirst="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.950] lstrcmpW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.950] lstrcmpW (lpString1="486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.950] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.950] GetTickCount () returned 0x1152d85 [0073.950] GetTickCount () returned 0x1152d85 [0073.950] GetTickCount () returned 0x1152d85 [0073.950] GetTickCount () returned 0x1152d85 [0073.950] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.951] GetProcessHeap () returned 0x3a00000 [0073.951] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.951] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.959] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.959] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.959] GetProcessHeap () returned 0x3a00000 [0073.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.959] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.959] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.959] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.960] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.960] CloseHandle (hObject=0x440) returned 1 [0073.960] GetProcessHeap () returned 0x3a00000 [0073.960] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.960] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.960] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\486__Connections_Cellular_AT&T (United States)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\486__connections_cellular_at&t (united states)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.961] GetProcessHeap () returned 0x3a00000 [0073.961] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.961] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", cAlternateFileName="487__C~1.PRO")) returned 1 [0073.961] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.961] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.961] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.961] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.961] lstrcmpiW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.961] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml") returned 164 [0073.961] StrStrIW (lpFirst="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.961] lstrcmpW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.961] lstrcmpW (lpString1="487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.961] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.961] GetTickCount () returned 0x1152d85 [0073.961] GetTickCount () returned 0x1152d85 [0073.961] GetTickCount () returned 0x1152d85 [0073.961] GetTickCount () returned 0x1152d85 [0073.962] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.962] GetProcessHeap () returned 0x3a00000 [0073.962] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.962] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0073.963] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.963] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0073.963] GetProcessHeap () returned 0x3a00000 [0073.963] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.963] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.963] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.963] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.964] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.964] CloseHandle (hObject=0x440) returned 1 [0073.964] GetProcessHeap () returned 0x3a00000 [0073.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.964] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0073.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\487__Connections_Cellular_AT&T (United States)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\487__connections_cellular_at&t (united states)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.964] GetProcessHeap () returned 0x3a00000 [0073.965] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.965] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9117b5eb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9117b5eb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9117b5eb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="488__C~1.PRO")) returned 1 [0073.965] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0073.965] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0073.965] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0073.965] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0073.965] lstrcmpiW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0073.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0073.965] StrStrIW (lpFirst="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0073.965] lstrcmpW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.965] lstrcmpW (lpString1="488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0073.965] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.965] GetTickCount () returned 0x1152d85 [0073.965] GetTickCount () returned 0x1152d85 [0073.965] GetTickCount () returned 0x1152d85 [0073.965] GetTickCount () returned 0x1152d85 [0073.965] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.965] GetProcessHeap () returned 0x3a00000 [0073.965] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.965] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e4, lpOverlapped=0x0) returned 1 [0073.967] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.967] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e4, lpOverlapped=0x0) returned 1 [0073.967] GetProcessHeap () returned 0x3a00000 [0073.967] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.967] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.967] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.967] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.968] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.968] CloseHandle (hObject=0x440) returned 1 [0073.968] GetProcessHeap () returned 0x3a00000 [0073.968] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.968] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0073.968] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\488__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\488__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.969] GetProcessHeap () returned 0x3a00000 [0073.969] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.969] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="489__C~1.PRO")) returned 1 [0073.969] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0073.969] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0073.969] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0073.969] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0073.969] lstrcmpiW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0073.969] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0073.969] StrStrIW (lpFirst="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0073.969] lstrcmpW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.969] lstrcmpW (lpString1="489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0073.969] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.969] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.969] GetTickCount () returned 0x1152d94 [0073.969] GetTickCount () returned 0x1152d94 [0073.969] GetTickCount () returned 0x1152d94 [0073.969] GetTickCount () returned 0x1152d94 [0073.969] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.969] GetProcessHeap () returned 0x3a00000 [0073.969] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.970] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0073.970] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.971] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0073.971] GetProcessHeap () returned 0x3a00000 [0073.971] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.971] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.971] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.971] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.972] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.972] CloseHandle (hObject=0x440) returned 1 [0073.972] GetProcessHeap () returned 0x3a00000 [0073.972] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.972] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0073.972] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\489__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\489__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.973] GetProcessHeap () returned 0x3a00000 [0073.973] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.973] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="48__CO~1.PRO")) returned 1 [0073.973] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.973] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.973] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.973] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.973] lstrcmpiW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.973] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml") returned 161 [0073.973] StrStrIW (lpFirst="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.973] lstrcmpW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.973] lstrcmpW (lpString1="48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.973] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.973] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.973] GetTickCount () returned 0x1152d94 [0073.973] GetTickCount () returned 0x1152d94 [0073.973] GetTickCount () returned 0x1152d94 [0073.973] GetTickCount () returned 0x1152d94 [0073.973] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.973] GetProcessHeap () returned 0x3a00000 [0073.974] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.974] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.975] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.975] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0073.975] GetProcessHeap () returned 0x3a00000 [0073.975] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.975] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.975] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.975] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.975] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.976] CloseHandle (hObject=0x440) returned 1 [0073.976] GetProcessHeap () returned 0x3a00000 [0073.976] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.976] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0073.976] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\48__Connections_Cellular_Proximus (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\48__connections_cellular_proximus (belgium)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.976] GetProcessHeap () returned 0x3a00000 [0073.976] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.976] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="490__C~1.PRO")) returned 1 [0073.976] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.976] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.976] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.976] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.977] lstrcmpiW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.977] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml") returned 184 [0073.977] StrStrIW (lpFirst="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.977] lstrcmpW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.977] lstrcmpW (lpString1="490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.977] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.977] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.977] GetTickCount () returned 0x1152d94 [0073.977] GetTickCount () returned 0x1152d94 [0073.977] GetTickCount () returned 0x1152d94 [0073.977] GetTickCount () returned 0x1152d94 [0073.977] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.977] GetProcessHeap () returned 0x3a00000 [0073.977] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.977] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x29f, lpOverlapped=0x0) returned 1 [0073.979] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.979] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x29f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x29f, lpOverlapped=0x0) returned 1 [0073.979] GetProcessHeap () returned 0x3a00000 [0073.979] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.979] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.979] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.979] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.979] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.979] CloseHandle (hObject=0x440) returned 1 [0073.979] GetProcessHeap () returned 0x3a00000 [0073.979] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.979] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 203 [0073.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\490__Connections_Cellular_Cincinnati Bell Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\490__connections_cellular_cincinnati bell wireless (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.980] GetProcessHeap () returned 0x3a00000 [0073.980] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.980] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="491__C~1.PRO")) returned 1 [0073.980] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.980] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.980] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.980] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.980] lstrcmpiW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml") returned 176 [0073.980] StrStrIW (lpFirst="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.980] lstrcmpW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.980] lstrcmpW (lpString1="491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.980] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.980] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.981] GetTickCount () returned 0x1152d94 [0073.981] GetTickCount () returned 0x1152d94 [0073.981] GetTickCount () returned 0x1152d94 [0073.981] GetTickCount () returned 0x1152d94 [0073.981] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.981] GetProcessHeap () returned 0x3a00000 [0073.981] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.981] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0073.983] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.983] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0073.983] GetProcessHeap () returned 0x3a00000 [0073.983] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.983] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.983] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.983] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.983] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.983] CloseHandle (hObject=0x440) returned 1 [0073.983] GetProcessHeap () returned 0x3a00000 [0073.983] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.983] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0073.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\491__Connections_Cellular_Plateau Wireless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\491__connections_cellular_plateau wireless (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.987] GetProcessHeap () returned 0x3a00000 [0073.987] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.987] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2a2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="492__C~1.PRO")) returned 1 [0073.987] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.987] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.987] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.987] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.987] lstrcmpiW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.988] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml") returned 186 [0073.988] StrStrIW (lpFirst="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.988] lstrcmpW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.988] lstrcmpW (lpString1="492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.988] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.988] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.988] GetTickCount () returned 0x1152da4 [0073.988] GetTickCount () returned 0x1152da4 [0073.988] GetTickCount () returned 0x1152da4 [0073.988] GetTickCount () returned 0x1152da4 [0073.988] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.988] GetProcessHeap () returned 0x3a00000 [0073.988] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.988] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2a2, lpOverlapped=0x0) returned 1 [0073.989] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd5e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0073.990] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2a2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2a2, lpOverlapped=0x0) returned 1 [0073.990] GetProcessHeap () returned 0x3a00000 [0073.990] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0073.990] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.990] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0073.990] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0073.990] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0073.990] CloseHandle (hObject=0x440) returned 1 [0073.990] GetProcessHeap () returned 0x3a00000 [0073.990] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0073.990] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 205 [0073.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\492__Connections_Cellular_Rural Cellular Corporation (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\492__connections_cellular_rural cellular corporation (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0073.991] GetProcessHeap () returned 0x3a00000 [0073.991] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0073.991] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911a1852, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911a1852, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911a1852, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="493__C~1.PRO")) returned 1 [0073.991] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0073.991] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0073.991] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0073.991] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0073.991] lstrcmpiW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0073.991] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml") returned 166 [0073.991] StrStrIW (lpFirst="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0073.991] lstrcmpW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0073.991] lstrcmpW (lpString1="493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0073.991] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0073.992] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] GetTickCount () returned 0x1152da4 [0073.992] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0073.992] GetProcessHeap () returned 0x3a00000 [0073.992] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0073.992] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0074.003] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd72, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.003] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28e, lpOverlapped=0x0) returned 1 [0074.004] GetProcessHeap () returned 0x3a00000 [0074.004] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.004] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.004] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.004] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.004] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.004] CloseHandle (hObject=0x440) returned 1 [0074.004] GetProcessHeap () returned 0x3a00000 [0074.004] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.004] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0074.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\493__Connections_Cellular_SunCom (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\493__connections_cellular_suncom (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.005] GetProcessHeap () returned 0x3a00000 [0074.005] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.005] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="494__C~1.PRO")) returned 1 [0074.005] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.005] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.005] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.005] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.005] lstrcmpiW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.005] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml") returned 172 [0074.005] StrStrIW (lpFirst="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.005] lstrcmpW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.005] lstrcmpW (lpString1="494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.005] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.006] GetTickCount () returned 0x1152db3 [0074.006] GetTickCount () returned 0x1152db3 [0074.006] GetTickCount () returned 0x1152db3 [0074.006] GetTickCount () returned 0x1152db3 [0074.006] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.006] GetProcessHeap () returned 0x3a00000 [0074.006] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.006] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0074.008] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.008] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0074.008] GetProcessHeap () returned 0x3a00000 [0074.008] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.008] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.008] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.008] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.008] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.008] CloseHandle (hObject=0x440) returned 1 [0074.008] GetProcessHeap () returned 0x3a00000 [0074.008] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.008] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0074.008] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\494__Connections_Cellular_T-Mobile USA (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\494__connections_cellular_t-mobile usa (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.009] GetProcessHeap () returned 0x3a00000 [0074.009] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.009] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="495__C~1.PRO")) returned 1 [0074.009] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0074.009] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0074.009] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0074.009] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0074.009] lstrcmpiW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0074.010] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0074.010] StrStrIW (lpFirst="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0074.010] lstrcmpW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.010] lstrcmpW (lpString1="495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0074.010] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.010] GetTickCount () returned 0x1152db3 [0074.010] GetTickCount () returned 0x1152db3 [0074.010] GetTickCount () returned 0x1152db3 [0074.010] GetTickCount () returned 0x1152db3 [0074.010] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.011] GetProcessHeap () returned 0x3a00000 [0074.011] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.011] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0074.012] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.012] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0074.012] GetProcessHeap () returned 0x3a00000 [0074.012] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.012] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.012] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.058] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.058] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.058] CloseHandle (hObject=0x440) returned 1 [0074.058] GetProcessHeap () returned 0x3a00000 [0074.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.058] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0074.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\495__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\495__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.059] GetProcessHeap () returned 0x3a00000 [0074.059] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.059] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="496__C~1.PRO")) returned 1 [0074.060] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.060] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.060] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.060] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.060] lstrcmpiW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.060] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml") returned 182 [0074.060] StrStrIW (lpFirst="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.060] lstrcmpW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.060] lstrcmpW (lpString1="496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.060] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.060] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.061] GetTickCount () returned 0x1152df2 [0074.061] GetTickCount () returned 0x1152df2 [0074.061] GetTickCount () returned 0x1152df2 [0074.061] GetTickCount () returned 0x1152df2 [0074.061] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.061] GetProcessHeap () returned 0x3a00000 [0074.061] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.061] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0074.062] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.063] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0074.063] GetProcessHeap () returned 0x3a00000 [0074.063] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.063] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.063] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.063] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.063] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.063] CloseHandle (hObject=0x440) returned 1 [0074.063] GetProcessHeap () returned 0x3a00000 [0074.063] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.063] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0074.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\496__Connections_Cellular_T-Mobile USA_ TracFone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\496__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.064] GetProcessHeap () returned 0x3a00000 [0074.064] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.064] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911c7ac2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911c7ac2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911c7ac2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="497__C~1.PRO")) returned 1 [0074.064] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.064] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.064] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.064] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.064] lstrcmpiW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.064] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml") returned 177 [0074.064] StrStrIW (lpFirst="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.064] lstrcmpW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.065] lstrcmpW (lpString1="497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.065] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.065] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.065] GetTickCount () returned 0x1152df2 [0074.065] GetTickCount () returned 0x1152df2 [0074.065] GetTickCount () returned 0x1152df2 [0074.065] GetTickCount () returned 0x1152df2 [0074.065] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.065] GetProcessHeap () returned 0x3a00000 [0074.065] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.065] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.067] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.067] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.067] GetProcessHeap () returned 0x3a00000 [0074.067] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.067] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.067] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.067] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.067] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.067] CloseHandle (hObject=0x440) returned 1 [0074.067] GetProcessHeap () returned 0x3a00000 [0074.067] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.067] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 196 [0074.067] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\497__Connections_Cellular_T-Mobile USA_ IDT (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\497__connections_cellular_t-mobile usa_ idt (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.068] GetProcessHeap () returned 0x3a00000 [0074.068] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.068] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="498__C~1.PRO")) returned 1 [0074.068] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.068] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.068] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.068] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.068] lstrcmpiW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.068] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml") returned 187 [0074.068] StrStrIW (lpFirst="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.068] lstrcmpW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.068] lstrcmpW (lpString1="498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.068] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.068] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.069] GetTickCount () returned 0x1152df2 [0074.069] GetTickCount () returned 0x1152df2 [0074.069] GetTickCount () returned 0x1152df2 [0074.069] GetTickCount () returned 0x1152df2 [0074.069] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.069] GetProcessHeap () returned 0x3a00000 [0074.069] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.069] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0074.072] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.072] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0074.072] GetProcessHeap () returned 0x3a00000 [0074.072] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.072] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.072] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.072] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.072] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.072] CloseHandle (hObject=0x440) returned 1 [0074.072] GetProcessHeap () returned 0x3a00000 [0074.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.072] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 206 [0074.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\498__Connections_Cellular_T-Mobile USA_ Simple Mobile (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\498__connections_cellular_t-mobile usa_ simple mobile (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.073] GetProcessHeap () returned 0x3a00000 [0074.073] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.073] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="499__C~1.PRO")) returned 1 [0074.076] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.076] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.076] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.076] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.076] lstrcmpiW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.076] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0074.076] StrStrIW (lpFirst="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.076] lstrcmpW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.076] lstrcmpW (lpString1="499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.076] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.076] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.076] GetTickCount () returned 0x1152e02 [0074.076] GetTickCount () returned 0x1152e02 [0074.076] GetTickCount () returned 0x1152e02 [0074.077] GetTickCount () returned 0x1152e02 [0074.077] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.077] GetProcessHeap () returned 0x3a00000 [0074.077] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.077] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0074.078] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd23, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.078] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dd, lpOverlapped=0x0) returned 1 [0074.078] GetProcessHeap () returned 0x3a00000 [0074.078] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.078] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.078] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.078] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.078] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.079] CloseHandle (hObject=0x440) returned 1 [0074.079] GetProcessHeap () returned 0x3a00000 [0074.079] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.079] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0074.079] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\499__Connections_Cellular_T-Mobile USA_ Walmart (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\499__connections_cellular_t-mobile usa_ walmart (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.079] GetProcessHeap () returned 0x3a00000 [0074.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.080] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="49__CE~1.PRO")) returned 1 [0074.080] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0074.080] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0074.080] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0074.080] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0074.080] lstrcmpiW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0074.080] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0074.080] StrStrIW (lpFirst="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0074.080] lstrcmpW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.080] lstrcmpW (lpString1="49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0074.080] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.080] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.080] GetTickCount () returned 0x1152e02 [0074.080] GetTickCount () returned 0x1152e02 [0074.080] GetTickCount () returned 0x1152e02 [0074.080] GetTickCount () returned 0x1152e02 [0074.080] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.080] GetProcessHeap () returned 0x3a00000 [0074.080] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.080] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0074.081] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.081] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0074.082] GetProcessHeap () returned 0x3a00000 [0074.082] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.082] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.082] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.082] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.082] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.082] CloseHandle (hObject=0x440) returned 1 [0074.083] GetProcessHeap () returned 0x3a00000 [0074.083] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.083] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0074.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\49__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\49__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.083] GetProcessHeap () returned 0x3a00000 [0074.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.084] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900f0949, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900f0949, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900f0949, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x307, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="4__CON~1.PRO")) returned 1 [0074.084] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.084] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.084] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.084] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.084] lstrcmpiW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.084] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml") returned 159 [0074.084] StrStrIW (lpFirst="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.084] lstrcmpW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.084] lstrcmpW (lpString1="4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.084] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.084] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.084] GetTickCount () returned 0x1152e02 [0074.084] GetTickCount () returned 0x1152e02 [0074.084] GetTickCount () returned 0x1152e02 [0074.084] GetTickCount () returned 0x1152e02 [0074.084] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.084] GetProcessHeap () returned 0x3a00000 [0074.084] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.084] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0074.092] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.092] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x307, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x307, lpOverlapped=0x0) returned 1 [0074.092] GetProcessHeap () returned 0x3a00000 [0074.092] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.092] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.093] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.093] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.093] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.093] CloseHandle (hObject=0x440) returned 1 [0074.093] GetProcessHeap () returned 0x3a00000 [0074.093] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.093] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.093] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\4__Connections_Cellular_Claro (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\4__connections_cellular_claro (argentina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.094] GetProcessHeap () returned 0x3a00000 [0074.094] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.094] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="500__C~1.PRO")) returned 1 [0074.094] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.094] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.094] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.094] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.094] lstrcmpiW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.094] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml") returned 187 [0074.094] StrStrIW (lpFirst="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.094] lstrcmpW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.094] lstrcmpW (lpString1="500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.094] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.094] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.094] GetTickCount () returned 0x1152e11 [0074.094] GetTickCount () returned 0x1152e11 [0074.094] GetTickCount () returned 0x1152e11 [0074.094] GetTickCount () returned 0x1152e11 [0074.095] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.095] GetProcessHeap () returned 0x3a00000 [0074.095] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.095] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.096] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.096] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.096] GetProcessHeap () returned 0x3a00000 [0074.096] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.096] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.096] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.096] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.097] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.097] CloseHandle (hObject=0x440) returned 1 [0074.097] GetProcessHeap () returned 0x3a00000 [0074.097] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.097] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 206 [0074.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\500__Connections_Cellular_T-Mobile USA_ Roam Mobility (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\500__connections_cellular_t-mobile usa_ roam mobility (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.097] GetProcessHeap () returned 0x3a00000 [0074.097] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.098] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x911edd2d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x911edd2d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x911edd2d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="501__C~1.PRO")) returned 1 [0074.098] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.098] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.098] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.098] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.098] lstrcmpiW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.098] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml") returned 182 [0074.098] StrStrIW (lpFirst="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.098] lstrcmpW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.098] lstrcmpW (lpString1="501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.098] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.098] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.098] GetTickCount () returned 0x1152e11 [0074.098] GetTickCount () returned 0x1152e11 [0074.098] GetTickCount () returned 0x1152e11 [0074.098] GetTickCount () returned 0x1152e11 [0074.098] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.098] GetProcessHeap () returned 0x3a00000 [0074.098] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.098] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0074.100] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.100] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0074.100] GetProcessHeap () returned 0x3a00000 [0074.100] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.100] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.100] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.100] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.100] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.100] CloseHandle (hObject=0x440) returned 1 [0074.101] GetProcessHeap () returned 0x3a00000 [0074.101] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.101] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0074.101] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\501__Connections_Cellular_T-Mobile USA_ Tracfone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\501__connections_cellular_t-mobile usa_ tracfone (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.101] GetProcessHeap () returned 0x3a00000 [0074.101] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.101] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91213f95, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91213f95, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91213f95, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="502__C~1.PRO")) returned 1 [0074.101] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.101] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.101] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.101] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.101] lstrcmpiW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.101] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0074.102] StrStrIW (lpFirst="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.102] lstrcmpW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.102] lstrcmpW (lpString1="502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.102] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.102] GetTickCount () returned 0x1152e11 [0074.102] GetTickCount () returned 0x1152e11 [0074.102] GetTickCount () returned 0x1152e11 [0074.102] GetTickCount () returned 0x1152e11 [0074.102] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.102] GetProcessHeap () returned 0x3a00000 [0074.102] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.102] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0074.103] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.104] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0074.104] GetProcessHeap () returned 0x3a00000 [0074.104] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.104] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.104] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.104] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.104] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.104] CloseHandle (hObject=0x440) returned 1 [0074.104] GetProcessHeap () returned 0x3a00000 [0074.104] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.104] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0074.104] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\502__Connections_Cellular_T-Mobile USA_ ASpider (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\502__connections_cellular_t-mobile usa_ aspider (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.105] GetProcessHeap () returned 0x3a00000 [0074.105] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.105] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91213f95, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91213f95, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91213f95, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="503__C~1.PRO")) returned 1 [0074.105] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.105] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.105] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.105] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.105] lstrcmpiW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.105] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml") returned 180 [0074.105] StrStrIW (lpFirst="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.105] lstrcmpW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.105] lstrcmpW (lpString1="503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.105] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.105] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.106] GetTickCount () returned 0x1152e11 [0074.106] GetTickCount () returned 0x1152e11 [0074.106] GetTickCount () returned 0x1152e11 [0074.106] GetTickCount () returned 0x1152e11 [0074.106] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.106] GetProcessHeap () returned 0x3a00000 [0074.106] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.106] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0074.107] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.108] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0074.108] GetProcessHeap () returned 0x3a00000 [0074.108] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.108] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.108] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.108] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.108] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.108] CloseHandle (hObject=0x440) returned 1 [0074.108] GetProcessHeap () returned 0x3a00000 [0074.108] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.108] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0074.108] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\503__Connections_Cellular_T-Mobile USA_ Wyless (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\503__connections_cellular_t-mobile usa_ wyless (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.109] GetProcessHeap () returned 0x3a00000 [0074.109] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.109] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="504__C~1.PRO")) returned 1 [0074.109] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.109] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.109] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.109] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.109] lstrcmpiW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.109] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml") returned 181 [0074.109] StrStrIW (lpFirst="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.109] lstrcmpW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.109] lstrcmpW (lpString1="504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.109] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.109] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.110] GetTickCount () returned 0x1152e21 [0074.110] GetTickCount () returned 0x1152e21 [0074.110] GetTickCount () returned 0x1152e21 [0074.110] GetTickCount () returned 0x1152e21 [0074.110] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.110] GetProcessHeap () returned 0x3a00000 [0074.110] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.110] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.111] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.111] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.112] GetProcessHeap () returned 0x3a00000 [0074.112] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.112] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.112] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.112] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.112] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.112] CloseHandle (hObject=0x440) returned 1 [0074.112] GetProcessHeap () returned 0x3a00000 [0074.112] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.112] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0074.112] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\504__Connections_Cellular_T-Mobile USA_ Solavei (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\504__connections_cellular_t-mobile usa_ solavei (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.113] GetProcessHeap () returned 0x3a00000 [0074.113] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.113] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", cAlternateFileName="505__C~1.PRO")) returned 1 [0074.113] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.113] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.113] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.113] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.113] lstrcmpiW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.113] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml") returned 173 [0074.113] StrStrIW (lpFirst="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.113] lstrcmpW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.113] lstrcmpW (lpString1="505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.113] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.113] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.114] GetTickCount () returned 0x1152e21 [0074.114] GetTickCount () returned 0x1152e21 [0074.114] GetTickCount () returned 0x1152e21 [0074.114] GetTickCount () returned 0x1152e21 [0074.114] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.114] GetProcessHeap () returned 0x3a00000 [0074.114] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.114] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0074.116] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.116] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0074.116] GetProcessHeap () returned 0x3a00000 [0074.116] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.116] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.116] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.116] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.116] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.116] CloseHandle (hObject=0x440) returned 1 [0074.116] GetProcessHeap () returned 0x3a00000 [0074.116] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.116] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0074.117] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\505__Connections_Cellular_Verizon (United States) Admin_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\505__connections_cellular_verizon (united states) admin_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.117] GetProcessHeap () returned 0x3a00000 [0074.117] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.117] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", cAlternateFileName="506__C~1.PRO")) returned 1 [0074.117] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.117] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.117] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.117] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.117] lstrcmpiW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.117] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml") returned 171 [0074.117] StrStrIW (lpFirst="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.118] lstrcmpW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.118] lstrcmpW (lpString1="506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.118] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.118] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.118] GetTickCount () returned 0x1152e21 [0074.118] GetTickCount () returned 0x1152e21 [0074.118] GetTickCount () returned 0x1152e21 [0074.118] GetTickCount () returned 0x1152e21 [0074.118] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.118] GetProcessHeap () returned 0x3a00000 [0074.118] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.118] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0074.119] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.119] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0074.120] GetProcessHeap () returned 0x3a00000 [0074.120] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.120] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.120] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.120] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.120] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.120] CloseHandle (hObject=0x440) returned 1 [0074.120] GetProcessHeap () returned 0x3a00000 [0074.120] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.120] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0074.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\506__Connections_Cellular_Verizon (United States) App_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\506__connections_cellular_verizon (united states) app_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.121] GetProcessHeap () returned 0x3a00000 [0074.121] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.121] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", cAlternateFileName="507__C~1.PRO")) returned 1 [0074.121] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.121] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.121] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.121] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.121] lstrcmpiW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.121] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml") returned 171 [0074.121] StrStrIW (lpFirst="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.121] lstrcmpW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.121] lstrcmpW (lpString1="507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.121] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.122] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.122] GetTickCount () returned 0x1152e30 [0074.122] GetTickCount () returned 0x1152e30 [0074.122] GetTickCount () returned 0x1152e30 [0074.122] GetTickCount () returned 0x1152e30 [0074.122] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.122] GetProcessHeap () returned 0x3a00000 [0074.122] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.122] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0074.124] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.124] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0074.124] GetProcessHeap () returned 0x3a00000 [0074.124] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.124] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.124] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.124] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.124] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.124] CloseHandle (hObject=0x440) returned 1 [0074.125] GetProcessHeap () returned 0x3a00000 [0074.125] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.125] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0074.125] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\507__Connections_Cellular_Verizon (United States) Ims_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\507__connections_cellular_verizon (united states) ims_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.125] GetProcessHeap () returned 0x3a00000 [0074.125] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.125] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x295, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", cAlternateFileName="508__C~1.PRO")) returned 1 [0074.125] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.125] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.125] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.126] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.126] lstrcmpiW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.126] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml") returned 176 [0074.126] StrStrIW (lpFirst="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.126] lstrcmpW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.126] lstrcmpW (lpString1="508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.126] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.126] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.126] GetTickCount () returned 0x1152e30 [0074.126] GetTickCount () returned 0x1152e30 [0074.126] GetTickCount () returned 0x1152e30 [0074.126] GetTickCount () returned 0x1152e30 [0074.126] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.126] GetProcessHeap () returned 0x3a00000 [0074.126] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.126] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x295, lpOverlapped=0x0) returned 1 [0074.142] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.143] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x295, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x295, lpOverlapped=0x0) returned 1 [0074.143] GetProcessHeap () returned 0x3a00000 [0074.143] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.143] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.143] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.143] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.143] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.143] CloseHandle (hObject=0x440) returned 1 [0074.143] GetProcessHeap () returned 0x3a00000 [0074.143] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.143] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0074.143] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\508__Connections_Cellular_Verizon (United States) Internet_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\508__connections_cellular_verizon (united states) internet_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.144] GetProcessHeap () returned 0x3a00000 [0074.144] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.144] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="509__C~1.PRO")) returned 1 [0074.144] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0074.144] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0074.144] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0074.144] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0074.145] lstrcmpiW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0074.145] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0074.145] StrStrIW (lpFirst="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0074.145] lstrcmpW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.145] lstrcmpW (lpString1="509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0074.145] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.145] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.145] GetTickCount () returned 0x1152e40 [0074.145] GetTickCount () returned 0x1152e40 [0074.145] GetTickCount () returned 0x1152e40 [0074.145] GetTickCount () returned 0x1152e40 [0074.145] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.145] GetProcessHeap () returned 0x3a00000 [0074.145] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.145] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1db, lpOverlapped=0x0) returned 1 [0074.146] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.146] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1db, lpOverlapped=0x0) returned 1 [0074.146] GetProcessHeap () returned 0x3a00000 [0074.147] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.147] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.147] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.148] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.148] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.148] CloseHandle (hObject=0x440) returned 1 [0074.148] GetProcessHeap () returned 0x3a00000 [0074.148] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.148] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0074.148] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\509__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\509__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.149] GetProcessHeap () returned 0x3a00000 [0074.149] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.149] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9026e179, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9026e179, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9026e179, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="50__CO~1.PRO")) returned 1 [0074.149] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.149] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.149] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.149] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.149] lstrcmpiW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.149] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 185 [0074.149] StrStrIW (lpFirst="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.149] lstrcmpW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.149] lstrcmpW (lpString1="50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.149] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.149] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.150] GetTickCount () returned 0x1152e40 [0074.150] GetTickCount () returned 0x1152e40 [0074.150] GetTickCount () returned 0x1152e40 [0074.150] GetTickCount () returned 0x1152e40 [0074.150] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.150] GetProcessHeap () returned 0x3a00000 [0074.150] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.150] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e4, lpOverlapped=0x0) returned 1 [0074.151] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.151] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e4, lpOverlapped=0x0) returned 1 [0074.151] GetProcessHeap () returned 0x3a00000 [0074.151] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.151] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.151] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.152] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.152] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.152] CloseHandle (hObject=0x440) returned 1 [0074.152] GetProcessHeap () returned 0x3a00000 [0074.152] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.152] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 204 [0074.152] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\50__Connections_Cellular_BH Telekom Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\50__connections_cellular_bh telekom bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.153] GetProcessHeap () returned 0x3a00000 [0074.153] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.153] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", cAlternateFileName="510__C~1.PRO")) returned 1 [0074.153] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Windows") returned -1 [0074.153] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="$Recycle.bin") returned 1 [0074.153] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="System Volume Information") returned -1 [0074.153] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Program Files") returned -1 [0074.153] lstrcmpiW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="Program Files (x86)") returned -1 [0074.153] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml") returned 158 [0074.153] StrStrIW (lpFirst="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpSrch=".ebal") returned 0x0 [0074.153] lstrcmpW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.153] lstrcmpW (lpString1="510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml", lpString2="taridd") returned -1 [0074.153] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.153] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.154] GetTickCount () returned 0x1152e50 [0074.154] GetTickCount () returned 0x1152e50 [0074.154] GetTickCount () returned 0x1152e50 [0074.154] GetTickCount () returned 0x1152e50 [0074.154] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.154] GetProcessHeap () returned 0x3a00000 [0074.154] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.154] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c7, lpOverlapped=0x0) returned 1 [0074.155] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.155] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c7, lpOverlapped=0x0) returned 1 [0074.155] GetProcessHeap () returned 0x3a00000 [0074.155] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.155] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.155] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.156] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.156] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.156] CloseHandle (hObject=0x440) returned 1 [0074.156] GetProcessHeap () returned 0x3a00000 [0074.156] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.156] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml_r00t_{8ew5f6}.ebal") returned 177 [0074.156] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\510__Cellular_PerSimSettings_$(__ICCID)_NetworkBlockList.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\510__cellular_persimsettings_$(__iccid)_networkblocklist.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.157] GetProcessHeap () returned 0x3a00000 [0074.157] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.157] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9123a200, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9123a200, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9123a200, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", cAlternateFileName="511__C~1.PRO")) returned 1 [0074.157] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Windows") returned -1 [0074.157] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="$Recycle.bin") returned 1 [0074.157] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="System Volume Information") returned -1 [0074.157] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Program Files") returned -1 [0074.157] lstrcmpiW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="Program Files (x86)") returned -1 [0074.157] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml") returned 154 [0074.157] StrStrIW (lpFirst="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpSrch=".ebal") returned 0x0 [0074.157] lstrcmpW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.157] lstrcmpW (lpString1="511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml", lpString2="taridd") returned -1 [0074.157] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.157] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.158] GetTickCount () returned 0x1152e50 [0074.158] GetTickCount () returned 0x1152e50 [0074.158] GetTickCount () returned 0x1152e50 [0074.158] GetTickCount () returned 0x1152e50 [0074.158] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.158] GetProcessHeap () returned 0x3a00000 [0074.158] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.158] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0074.159] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.159] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0074.159] GetProcessHeap () returned 0x3a00000 [0074.159] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.159] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.159] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.160] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.160] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.160] CloseHandle (hObject=0x440) returned 1 [0074.160] GetProcessHeap () returned 0x3a00000 [0074.160] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.160] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml_r00t_{8ew5f6}.ebal") returned 173 [0074.160] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\511__Cellular_PerSimSettings_$(__ICCID)_SIMBlockList.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\511__cellular_persimsettings_$(__iccid)_simblocklist.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.161] GetProcessHeap () returned 0x3a00000 [0074.161] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.161] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x283, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="512__C~1.PRO")) returned 1 [0074.164] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.164] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.164] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.164] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.164] lstrcmpiW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.164] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml") returned 159 [0074.164] StrStrIW (lpFirst="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.164] lstrcmpW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.164] lstrcmpW (lpString1="512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.164] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.164] GetTickCount () returned 0x1152e50 [0074.164] GetTickCount () returned 0x1152e50 [0074.164] GetTickCount () returned 0x1152e50 [0074.164] GetTickCount () returned 0x1152e50 [0074.164] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.164] GetProcessHeap () returned 0x3a00000 [0074.165] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.165] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0074.166] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.166] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x283, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x283, lpOverlapped=0x0) returned 1 [0074.166] GetProcessHeap () returned 0x3a00000 [0074.166] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.166] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.166] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.166] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.166] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.166] CloseHandle (hObject=0x440) returned 1 [0074.166] GetProcessHeap () returned 0x3a00000 [0074.166] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.166] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.167] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\512__Connections_Cellular_Ancel (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\512__connections_cellular_ancel (uruguay)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.167] GetProcessHeap () returned 0x3a00000 [0074.167] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.167] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="513__C~1.PRO")) returned 1 [0074.167] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.167] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.167] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.167] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.167] lstrcmpiW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.167] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml") returned 159 [0074.167] StrStrIW (lpFirst="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.167] lstrcmpW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.167] lstrcmpW (lpString1="513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.167] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.168] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.168] GetTickCount () returned 0x1152e50 [0074.168] GetTickCount () returned 0x1152e50 [0074.168] GetTickCount () returned 0x1152e50 [0074.168] GetTickCount () returned 0x1152e50 [0074.168] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.168] GetProcessHeap () returned 0x3a00000 [0074.168] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.168] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0074.169] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.169] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0074.170] GetProcessHeap () returned 0x3a00000 [0074.170] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.170] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.170] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.170] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.170] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.170] CloseHandle (hObject=0x440) returned 1 [0074.170] GetProcessHeap () returned 0x3a00000 [0074.170] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.170] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.170] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\513__Connections_Cellular_Claro (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\513__connections_cellular_claro (uruguay)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.171] GetProcessHeap () returned 0x3a00000 [0074.171] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.171] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", cAlternateFileName="514__C~1.PRO")) returned 1 [0074.171] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.171] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.171] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.171] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.171] lstrcmpiW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.171] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml") returned 164 [0074.171] StrStrIW (lpFirst="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.171] lstrcmpW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.171] lstrcmpW (lpString1="514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.171] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.171] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.172] GetTickCount () returned 0x1152e5f [0074.172] GetTickCount () returned 0x1152e5f [0074.172] GetTickCount () returned 0x1152e5f [0074.172] GetTickCount () returned 0x1152e5f [0074.172] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.172] GetProcessHeap () returned 0x3a00000 [0074.172] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.172] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.173] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.173] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.174] GetProcessHeap () returned 0x3a00000 [0074.174] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.174] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.174] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.174] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.174] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.174] CloseHandle (hObject=0x440) returned 1 [0074.174] GetProcessHeap () returned 0x3a00000 [0074.174] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.174] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0074.174] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\514__Connections_Cellular_Telefonica (Uruguay)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\514__connections_cellular_telefonica (uruguay)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.175] GetProcessHeap () returned 0x3a00000 [0074.175] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.175] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9126046c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9126046c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9126046c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="515__C~1.PRO")) returned 1 [0074.175] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0074.175] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0074.175] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0074.175] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0074.175] lstrcmpiW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0074.175] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0074.175] StrStrIW (lpFirst="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0074.175] lstrcmpW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.175] lstrcmpW (lpString1="515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0074.175] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.175] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.176] GetTickCount () returned 0x1152e5f [0074.176] GetTickCount () returned 0x1152e5f [0074.176] GetTickCount () returned 0x1152e5f [0074.176] GetTickCount () returned 0x1152e5f [0074.176] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.176] GetProcessHeap () returned 0x3a00000 [0074.176] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.176] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d7, lpOverlapped=0x0) returned 1 [0074.177] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.177] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d7, lpOverlapped=0x0) returned 1 [0074.177] GetProcessHeap () returned 0x3a00000 [0074.177] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.177] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.177] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.197] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.197] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.198] CloseHandle (hObject=0x440) returned 1 [0074.198] GetProcessHeap () returned 0x3a00000 [0074.198] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.198] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0074.198] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\515__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\515__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.199] GetProcessHeap () returned 0x3a00000 [0074.199] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.199] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="516__C~1.PRO")) returned 1 [0074.199] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.199] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.200] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.200] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.200] lstrcmpiW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.200] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml") returned 168 [0074.200] StrStrIW (lpFirst="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.200] lstrcmpW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.200] lstrcmpW (lpString1="516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.200] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.200] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.249] GetTickCount () returned 0x1152ead [0074.249] GetTickCount () returned 0x1152ead [0074.249] GetTickCount () returned 0x1152ead [0074.249] GetTickCount () returned 0x1152ead [0074.249] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.250] GetProcessHeap () returned 0x3a00000 [0074.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.250] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0074.439] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.439] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0074.439] GetProcessHeap () returned 0x3a00000 [0074.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.439] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.439] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.439] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.440] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.440] CloseHandle (hObject=0x440) returned 1 [0074.440] GetProcessHeap () returned 0x3a00000 [0074.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.440] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0074.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\516__Connections_Cellular_Uzdunrobita (Uzbekistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\516__connections_cellular_uzdunrobita (uzbekistan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.441] GetProcessHeap () returned 0x3a00000 [0074.441] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.441] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x294, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", cAlternateFileName="517__C~1.PRO")) returned 1 [0074.441] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.441] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.441] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.441] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.441] lstrcmpiW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.441] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml") returned 166 [0074.441] StrStrIW (lpFirst="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.441] lstrcmpW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.441] lstrcmpW (lpString1="517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.441] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.442] GetTickCount () returned 0x1152f69 [0074.442] GetTickCount () returned 0x1152f69 [0074.442] GetTickCount () returned 0x1152f69 [0074.442] GetTickCount () returned 0x1152f69 [0074.442] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.442] GetProcessHeap () returned 0x3a00000 [0074.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.442] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0074.480] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x294, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x294, lpOverlapped=0x0) returned 1 [0074.480] GetProcessHeap () returned 0x3a00000 [0074.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.480] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.480] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.480] CloseHandle (hObject=0x440) returned 1 [0074.480] GetProcessHeap () returned 0x3a00000 [0074.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.480] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0074.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\517__Connections_Cellular_Telefonica (Venezuela)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\517__connections_cellular_telefonica (venezuela)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.481] GetProcessHeap () returned 0x3a00000 [0074.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.482] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="518__C~1.PRO")) returned 1 [0074.482] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.482] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.482] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.482] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.482] lstrcmpiW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.482] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml") returned 161 [0074.482] StrStrIW (lpFirst="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.482] lstrcmpW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.482] lstrcmpW (lpString1="518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.482] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.482] GetTickCount () returned 0x1152f98 [0074.482] GetTickCount () returned 0x1152f98 [0074.482] GetTickCount () returned 0x1152f98 [0074.482] GetTickCount () returned 0x1152f98 [0074.482] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.483] GetProcessHeap () returned 0x3a00000 [0074.483] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.483] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0074.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0074.484] GetProcessHeap () returned 0x3a00000 [0074.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.484] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.485] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.485] CloseHandle (hObject=0x440) returned 1 [0074.485] GetProcessHeap () returned 0x3a00000 [0074.485] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.485] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0074.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\518__Connections_Cellular_Viettel (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\518__connections_cellular_viettel (vietnam)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.489] GetProcessHeap () returned 0x3a00000 [0074.489] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.489] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912866d8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912866d8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912866d8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="519__C~1.PRO")) returned 1 [0074.489] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.489] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.489] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.489] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.489] lstrcmpiW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.489] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml") returned 163 [0074.489] StrStrIW (lpFirst="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.489] lstrcmpW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.489] lstrcmpW (lpString1="519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.489] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.490] GetTickCount () returned 0x1152f98 [0074.490] GetTickCount () returned 0x1152f98 [0074.490] GetTickCount () returned 0x1152f98 [0074.490] GetTickCount () returned 0x1152f98 [0074.490] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.490] GetProcessHeap () returned 0x3a00000 [0074.490] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.490] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0074.491] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.491] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0074.491] GetProcessHeap () returned 0x3a00000 [0074.491] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.492] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.492] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.492] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.492] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.492] CloseHandle (hObject=0x440) returned 1 [0074.492] GetProcessHeap () returned 0x3a00000 [0074.492] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.492] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0074.492] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\519__Connections_Cellular_Vinaphone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\519__connections_cellular_vinaphone (vietnam)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.493] GetProcessHeap () returned 0x3a00000 [0074.493] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.493] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="51__CO~1.PRO")) returned 1 [0074.493] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.493] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.493] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.493] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.493] lstrcmpiW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.493] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 181 [0074.493] StrStrIW (lpFirst="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.493] lstrcmpW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.493] lstrcmpW (lpString1="51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.493] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.494] GetTickCount () returned 0x1152f98 [0074.494] GetTickCount () returned 0x1152f98 [0074.494] GetTickCount () returned 0x1152f98 [0074.494] GetTickCount () returned 0x1152f98 [0074.494] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.494] GetProcessHeap () returned 0x3a00000 [0074.494] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.494] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e1, lpOverlapped=0x0) returned 1 [0074.495] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.495] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e1, lpOverlapped=0x0) returned 1 [0074.495] GetProcessHeap () returned 0x3a00000 [0074.495] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.496] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.496] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.496] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.496] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.496] CloseHandle (hObject=0x440) returned 1 [0074.496] GetProcessHeap () returned 0x3a00000 [0074.496] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.496] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0074.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\51__Connections_Cellular_Eronet Bosnia (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\51__connections_cellular_eronet bosnia (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.497] GetProcessHeap () returned 0x3a00000 [0074.497] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.497] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", cAlternateFileName="520__C~1.PRO")) returned 1 [0074.497] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.497] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.497] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.497] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.497] lstrcmpiW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.497] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml") returned 166 [0074.497] StrStrIW (lpFirst="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.497] lstrcmpW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.497] lstrcmpW (lpString1="520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.498] GetTickCount () returned 0x1152fa7 [0074.498] GetTickCount () returned 0x1152fa7 [0074.498] GetTickCount () returned 0x1152fa7 [0074.498] GetTickCount () returned 0x1152fa7 [0074.498] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.498] GetProcessHeap () returned 0x3a00000 [0074.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.498] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0074.500] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.500] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0074.500] GetProcessHeap () returned 0x3a00000 [0074.500] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.500] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.500] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.500] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.500] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.500] CloseHandle (hObject=0x440) returned 1 [0074.501] GetProcessHeap () returned 0x3a00000 [0074.501] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.501] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0074.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\520__Connections_Cellular_VMS MobiFone (Vietnam)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\520__connections_cellular_vms mobifone (vietnam)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.501] GetProcessHeap () returned 0x3a00000 [0074.501] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.501] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", cAlternateFileName="521__C~1.PRO")) returned 1 [0074.501] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.502] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.502] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.502] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.502] lstrcmpiW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.502] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml") returned 164 [0074.502] StrStrIW (lpFirst="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.502] lstrcmpW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.502] lstrcmpW (lpString1="521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.502] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.502] GetTickCount () returned 0x1152fa7 [0074.502] GetTickCount () returned 0x1152fa7 [0074.502] GetTickCount () returned 0x1152fa7 [0074.502] GetTickCount () returned 0x1152fa7 [0074.502] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.502] GetProcessHeap () returned 0x3a00000 [0074.502] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.502] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.504] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.504] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0074.504] GetProcessHeap () returned 0x3a00000 [0074.504] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.504] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.504] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.504] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.504] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.504] CloseHandle (hObject=0x440) returned 1 [0074.504] GetProcessHeap () returned 0x3a00000 [0074.504] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.504] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0074.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\521__Connections_Cellular_Vodafone (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\521__connections_cellular_vodafone (worldwide)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.505] GetProcessHeap () returned 0x3a00000 [0074.505] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.505] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="522__C~1.PRO")) returned 1 [0074.505] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0074.505] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0074.505] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0074.505] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0074.505] lstrcmpiW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0074.505] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0074.505] StrStrIW (lpFirst="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0074.505] lstrcmpW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.505] lstrcmpW (lpString1="522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0074.505] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.506] GetTickCount () returned 0x1152fa7 [0074.506] GetTickCount () returned 0x1152fa7 [0074.506] GetTickCount () returned 0x1152fa7 [0074.506] GetTickCount () returned 0x1152fa7 [0074.506] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.506] GetProcessHeap () returned 0x3a00000 [0074.506] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.506] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cd, lpOverlapped=0x0) returned 1 [0074.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.618] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cd, lpOverlapped=0x0) returned 1 [0074.619] GetProcessHeap () returned 0x3a00000 [0074.619] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.619] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.619] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.619] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.619] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.619] CloseHandle (hObject=0x440) returned 1 [0074.620] GetProcessHeap () returned 0x3a00000 [0074.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.620] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0074.620] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\522__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\522__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.621] GetProcessHeap () returned 0x3a00000 [0074.621] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.621] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="523__C~1.PRO")) returned 1 [0074.621] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0074.621] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0074.621] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0074.621] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0074.621] lstrcmpiW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0074.621] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0074.621] StrStrIW (lpFirst="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0074.621] lstrcmpW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.621] lstrcmpW (lpString1="523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0074.621] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.621] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.623] GetTickCount () returned 0x1153024 [0074.623] GetTickCount () returned 0x1153024 [0074.623] GetTickCount () returned 0x1153024 [0074.623] GetTickCount () returned 0x1153024 [0074.623] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.623] GetProcessHeap () returned 0x3a00000 [0074.623] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.623] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0074.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0074.624] GetProcessHeap () returned 0x3a00000 [0074.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.625] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.625] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.625] CloseHandle (hObject=0x440) returned 1 [0074.625] GetProcessHeap () returned 0x3a00000 [0074.625] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.625] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0074.625] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\523__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\523__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.626] GetProcessHeap () returned 0x3a00000 [0074.626] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.626] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", cAlternateFileName="524__C~1.PRO")) returned 1 [0074.626] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.626] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.626] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.626] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.626] lstrcmpiW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.626] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml") returned 159 [0074.626] StrStrIW (lpFirst="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.626] lstrcmpW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.626] lstrcmpW (lpString1="524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.626] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.626] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.627] GetTickCount () returned 0x1153024 [0074.627] GetTickCount () returned 0x1153024 [0074.627] GetTickCount () returned 0x1153024 [0074.627] GetTickCount () returned 0x1153024 [0074.627] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.627] GetProcessHeap () returned 0x3a00000 [0074.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.627] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0074.628] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.628] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0074.628] GetProcessHeap () returned 0x3a00000 [0074.629] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.629] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.629] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.629] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.629] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.629] CloseHandle (hObject=0x440) returned 1 [0074.629] GetProcessHeap () returned 0x3a00000 [0074.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.629] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\524__Connections_Cellular_Sabafon (Yemen)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\524__connections_cellular_sabafon (yemen)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.630] GetProcessHeap () returned 0x3a00000 [0074.630] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.630] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912ac947, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912ac947, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912ac947, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="525__C~1.PRO")) returned 1 [0074.630] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.630] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.630] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.630] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.630] lstrcmpiW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.630] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml") returned 156 [0074.630] StrStrIW (lpFirst="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.630] lstrcmpW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.630] lstrcmpW (lpString1="525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.630] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.630] GetTickCount () returned 0x1153024 [0074.630] GetTickCount () returned 0x1153024 [0074.630] GetTickCount () returned 0x1153024 [0074.631] GetTickCount () returned 0x1153024 [0074.631] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.631] GetProcessHeap () returned 0x3a00000 [0074.631] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.631] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0074.632] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0074.632] GetProcessHeap () returned 0x3a00000 [0074.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.632] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.632] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.633] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.633] CloseHandle (hObject=0x440) returned 1 [0074.633] GetProcessHeap () returned 0x3a00000 [0074.633] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.633] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0074.633] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\525__Connections_Cellular_Idea (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\525__connections_cellular_idea (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.634] GetProcessHeap () returned 0x3a00000 [0074.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.634] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x27d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="526__C~1.PRO")) returned 1 [0074.634] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.634] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.634] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.634] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.634] lstrcmpiW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.634] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml") returned 156 [0074.634] StrStrIW (lpFirst="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.634] lstrcmpW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.634] lstrcmpW (lpString1="526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.634] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.634] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.634] GetTickCount () returned 0x1153024 [0074.634] GetTickCount () returned 0x1153024 [0074.634] GetTickCount () returned 0x1153024 [0074.634] GetTickCount () returned 0x1153024 [0074.634] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.635] GetProcessHeap () returned 0x3a00000 [0074.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.635] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x27d, lpOverlapped=0x0) returned 1 [0074.636] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.636] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x27d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x27d, lpOverlapped=0x0) returned 1 [0074.636] GetProcessHeap () returned 0x3a00000 [0074.636] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.636] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.636] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.637] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.637] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.637] CloseHandle (hObject=0x440) returned 1 [0074.637] GetProcessHeap () returned 0x3a00000 [0074.637] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.637] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0074.637] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\526__Connections_Cellular_MTNL (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\526__connections_cellular_mtnl (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.639] GetProcessHeap () returned 0x3a00000 [0074.639] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.639] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="527__C~1.PRO")) returned 1 [0074.639] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.639] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.639] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.639] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.639] lstrcmpiW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.639] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml") returned 174 [0074.639] StrStrIW (lpFirst="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.639] lstrcmpW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.639] lstrcmpW (lpString1="527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.639] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.639] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.639] GetTickCount () returned 0x1153034 [0074.639] GetTickCount () returned 0x1153034 [0074.639] GetTickCount () returned 0x1153034 [0074.639] GetTickCount () returned 0x1153034 [0074.640] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.640] GetProcessHeap () returned 0x3a00000 [0074.640] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.640] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0074.641] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.641] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0074.641] GetProcessHeap () returned 0x3a00000 [0074.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.641] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.641] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.641] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.641] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.642] CloseHandle (hObject=0x440) returned 1 [0074.642] GetProcessHeap () returned 0x3a00000 [0074.642] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.642] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0074.642] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\527__Connections_Cellular_Reliance Communication (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\527__connections_cellular_reliance communication (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.642] GetProcessHeap () returned 0x3a00000 [0074.643] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.643] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="528__C~1.PRO")) returned 1 [0074.644] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.644] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.644] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.644] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.644] lstrcmpiW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.644] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml") returned 163 [0074.644] StrStrIW (lpFirst="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.644] lstrcmpW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.644] lstrcmpW (lpString1="528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.644] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.645] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.645] GetTickCount () returned 0x1153034 [0074.645] GetTickCount () returned 0x1153034 [0074.645] GetTickCount () returned 0x1153034 [0074.645] GetTickCount () returned 0x1153034 [0074.645] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.645] GetProcessHeap () returned 0x3a00000 [0074.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.645] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0074.646] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.646] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0074.647] GetProcessHeap () returned 0x3a00000 [0074.647] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.647] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.647] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.647] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.647] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.647] CloseHandle (hObject=0x440) returned 1 [0074.647] GetProcessHeap () returned 0x3a00000 [0074.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.647] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0074.647] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\528__Connections_Cellular_Vodafone IN (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\528__connections_cellular_vodafone in (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.648] GetProcessHeap () returned 0x3a00000 [0074.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.648] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912d2bb2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912d2bb2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912d2bb2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="529__C~1.PRO")) returned 1 [0074.648] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0074.648] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0074.648] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0074.648] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0074.648] lstrcmpiW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0074.648] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0074.648] StrStrIW (lpFirst="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0074.648] lstrcmpW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.648] lstrcmpW (lpString1="529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0074.648] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.648] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.649] GetTickCount () returned 0x1153034 [0074.649] GetTickCount () returned 0x1153034 [0074.649] GetTickCount () returned 0x1153034 [0074.649] GetTickCount () returned 0x1153034 [0074.649] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.649] GetProcessHeap () returned 0x3a00000 [0074.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.649] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0074.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0074.650] GetProcessHeap () returned 0x3a00000 [0074.650] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.650] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.650] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.658] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.658] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.658] CloseHandle (hObject=0x440) returned 1 [0074.658] GetProcessHeap () returned 0x3a00000 [0074.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.658] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0074.658] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\529__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\529__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.660] GetProcessHeap () returned 0x3a00000 [0074.660] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.660] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="52__CO~1.PRO")) returned 1 [0074.660] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.660] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.660] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.660] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.660] lstrcmpiW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.660] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml") returned 173 [0074.660] StrStrIW (lpFirst="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.660] lstrcmpW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.660] lstrcmpW (lpString1="52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.660] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.660] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.660] GetTickCount () returned 0x1153044 [0074.660] GetTickCount () returned 0x1153044 [0074.660] GetTickCount () returned 0x1153044 [0074.661] GetTickCount () returned 0x1153044 [0074.661] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.661] GetProcessHeap () returned 0x3a00000 [0074.661] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.661] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0074.745] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.745] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0074.745] GetProcessHeap () returned 0x3a00000 [0074.745] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.745] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.745] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.745] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.746] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.746] CloseHandle (hObject=0x440) returned 1 [0074.746] GetProcessHeap () returned 0x3a00000 [0074.746] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0074.746] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\52__Connections_Cellular_Tele2 (Bosnia and Herzegovina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\52__connections_cellular_tele2 (bosnia and herzegovina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.749] GetProcessHeap () returned 0x3a00000 [0074.749] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.749] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="530__C~1.PRO")) returned 1 [0074.749] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.749] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.749] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.749] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.749] lstrcmpiW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.750] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml") returned 160 [0074.750] StrStrIW (lpFirst="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.750] lstrcmpW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.750] lstrcmpW (lpString1="530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.750] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.750] GetTickCount () returned 0x11530a1 [0074.750] GetTickCount () returned 0x11530a1 [0074.750] GetTickCount () returned 0x11530a1 [0074.750] GetTickCount () returned 0x11530a1 [0074.750] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.750] GetProcessHeap () returned 0x3a00000 [0074.750] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.751] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.752] GetProcessHeap () returned 0x3a00000 [0074.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.752] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.752] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.753] CloseHandle (hObject=0x440) returned 1 [0074.753] GetProcessHeap () returned 0x3a00000 [0074.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.753] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0074.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\530__Connections_Cellular_Axis (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\530__connections_cellular_axis (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.754] GetProcessHeap () returned 0x3a00000 [0074.754] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.754] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="531__C~1.PRO")) returned 1 [0074.754] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.754] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.754] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.754] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.754] lstrcmpiW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.754] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml") returned 159 [0074.754] StrStrIW (lpFirst="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.754] lstrcmpW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.754] lstrcmpW (lpString1="531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.754] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.754] GetTickCount () returned 0x11530a1 [0074.754] GetTickCount () returned 0x11530a1 [0074.754] GetTickCount () returned 0x11530a1 [0074.754] GetTickCount () returned 0x11530a1 [0074.754] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.755] GetProcessHeap () returned 0x3a00000 [0074.755] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.755] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0074.756] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.756] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0074.756] GetProcessHeap () returned 0x3a00000 [0074.756] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.756] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.756] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.757] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.757] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.757] CloseHandle (hObject=0x440) returned 1 [0074.757] GetProcessHeap () returned 0x3a00000 [0074.757] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.757] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.757] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\531__Connections_Cellular_IM3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\531__connections_cellular_im3 (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.758] GetProcessHeap () returned 0x3a00000 [0074.758] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.758] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="532__C~1.PRO")) returned 1 [0074.758] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.758] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.758] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.758] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.758] lstrcmpiW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.758] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml") returned 160 [0074.758] StrStrIW (lpFirst="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.758] lstrcmpW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.758] lstrcmpW (lpString1="532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.758] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.758] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.758] GetTickCount () returned 0x11530a1 [0074.758] GetTickCount () returned 0x11530a1 [0074.758] GetTickCount () returned 0x11530a1 [0074.758] GetTickCount () returned 0x11530a1 [0074.758] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.759] GetProcessHeap () returned 0x3a00000 [0074.759] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.759] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0074.760] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.760] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0074.760] GetProcessHeap () returned 0x3a00000 [0074.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.760] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.760] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.760] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.761] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.761] CloseHandle (hObject=0x440) returned 1 [0074.761] GetProcessHeap () returned 0x3a00000 [0074.761] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0074.761] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\532__Connections_Cellular_Orange (Armenia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\532__connections_cellular_orange (armenia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.762] GetProcessHeap () returned 0x3a00000 [0074.762] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.762] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x912f8e1e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x912f8e1e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x912f8e1e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x363, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="533__C~1.PRO")) returned 1 [0074.762] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.762] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.762] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.762] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.762] lstrcmpiW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.762] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml") returned 170 [0074.762] StrStrIW (lpFirst="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.762] lstrcmpW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.762] lstrcmpW (lpString1="533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.762] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.762] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.836] GetTickCount () returned 0x11530f0 [0074.841] GetTickCount () returned 0x11530ff [0074.841] GetTickCount () returned 0x11530ff [0074.841] GetTickCount () returned 0x11530ff [0074.841] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.842] GetProcessHeap () returned 0x3a00000 [0074.842] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.842] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x363, lpOverlapped=0x0) returned 1 [0074.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc9d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.844] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x363, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x363, lpOverlapped=0x0) returned 1 [0074.844] GetProcessHeap () returned 0x3a00000 [0074.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.844] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.844] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.844] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.845] CloseHandle (hObject=0x440) returned 1 [0074.845] GetProcessHeap () returned 0x3a00000 [0074.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.845] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0074.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\533__Connections_Cellular_Orange La Réunion (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\533__connections_cellular_orange la réunion (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.846] GetProcessHeap () returned 0x3a00000 [0074.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.846] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x356, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="534__C~1.PRO")) returned 1 [0074.846] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.846] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.846] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.846] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.846] lstrcmpiW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.846] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml") returned 170 [0074.846] StrStrIW (lpFirst="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.846] lstrcmpW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.846] lstrcmpW (lpString1="534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.846] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.849] GetTickCount () returned 0x11530ff [0074.849] GetTickCount () returned 0x11530ff [0074.849] GetTickCount () returned 0x11530ff [0074.849] GetTickCount () returned 0x11530ff [0074.849] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.849] GetProcessHeap () returned 0x3a00000 [0074.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.849] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0074.850] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcaa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.850] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x356, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x356, lpOverlapped=0x0) returned 1 [0074.850] GetProcessHeap () returned 0x3a00000 [0074.850] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.850] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.850] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.851] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.851] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.851] CloseHandle (hObject=0x440) returned 1 [0074.851] GetProcessHeap () returned 0x3a00000 [0074.851] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.851] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0074.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\534__Connections_Cellular_Orange La Réunion (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\534__connections_cellular_orange la réunion (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.852] GetProcessHeap () returned 0x3a00000 [0074.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.852] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", cAlternateFileName="535__C~1.PRO")) returned 1 [0074.852] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.852] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.852] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.852] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.852] lstrcmpiW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.852] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml") returned 160 [0074.852] StrStrIW (lpFirst="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.852] lstrcmpW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.852] lstrcmpW (lpString1="535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.852] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.852] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.853] GetTickCount () returned 0x11530ff [0074.853] GetTickCount () returned 0x11530ff [0074.853] GetTickCount () returned 0x11530ff [0074.853] GetTickCount () returned 0x11530ff [0074.853] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.853] GetProcessHeap () returned 0x3a00000 [0074.853] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.853] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0074.854] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.854] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0074.855] GetProcessHeap () returned 0x3a00000 [0074.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.855] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.855] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.855] CloseHandle (hObject=0x440) returned 1 [0074.855] GetProcessHeap () returned 0x3a00000 [0074.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.855] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0074.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\535__Connections_Cellular_Orange (Moldova)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\535__connections_cellular_orange (moldova)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.856] GetProcessHeap () returned 0x3a00000 [0074.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.856] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9131f086, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x348, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="536__C~1.PRO")) returned 1 [0074.856] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.856] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.857] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.857] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.857] lstrcmpiW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.857] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml") returned 158 [0074.857] StrStrIW (lpFirst="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.857] lstrcmpW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.857] lstrcmpW (lpString1="536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.857] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.857] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.857] GetTickCount () returned 0x115310f [0074.857] GetTickCount () returned 0x115310f [0074.857] GetTickCount () returned 0x115310f [0074.857] GetTickCount () returned 0x115310f [0074.857] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.857] GetProcessHeap () returned 0x3a00000 [0074.857] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.857] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x348, lpOverlapped=0x0) returned 1 [0074.859] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.859] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x348, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x348, lpOverlapped=0x0) returned 1 [0074.859] GetProcessHeap () returned 0x3a00000 [0074.859] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.859] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.859] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.859] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.859] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.859] CloseHandle (hObject=0x440) returned 1 [0074.859] GetProcessHeap () returned 0x3a00000 [0074.859] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.859] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0074.860] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\536__Connections_Cellular_Orange (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\536__connections_cellular_orange (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.860] GetProcessHeap () returned 0x3a00000 [0074.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.860] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9131f086, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9131f086, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="537__C~1.PRO")) returned 1 [0074.860] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.860] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.860] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.860] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.860] lstrcmpiW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.860] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml") returned 161 [0074.860] StrStrIW (lpFirst="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.860] lstrcmpW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.860] lstrcmpW (lpString1="537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.860] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.861] GetTickCount () returned 0x115310f [0074.861] GetTickCount () returned 0x115310f [0074.861] GetTickCount () returned 0x115310f [0074.861] GetTickCount () returned 0x115310f [0074.861] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.861] GetProcessHeap () returned 0x3a00000 [0074.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0074.936] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.936] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0074.936] GetProcessHeap () returned 0x3a00000 [0074.936] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.937] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.937] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.937] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.937] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.937] CloseHandle (hObject=0x440) returned 1 [0074.937] GetProcessHeap () returned 0x3a00000 [0074.937] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.937] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0074.937] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\537__Connections_Cellular_Orange (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\537__connections_cellular_orange (botswana)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.938] GetProcessHeap () returned 0x3a00000 [0074.938] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.938] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="538__C~1.PRO")) returned 1 [0074.938] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.938] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.938] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.938] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.938] lstrcmpiW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.938] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml") returned 161 [0074.938] StrStrIW (lpFirst="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.938] lstrcmpW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.938] lstrcmpW (lpString1="538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.939] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.939] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.939] GetTickCount () returned 0x115315d [0074.939] GetTickCount () returned 0x115315d [0074.939] GetTickCount () returned 0x115315d [0074.939] GetTickCount () returned 0x115315d [0074.939] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.939] GetProcessHeap () returned 0x3a00000 [0074.939] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.939] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0074.941] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.941] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0074.941] GetProcessHeap () returned 0x3a00000 [0074.941] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.941] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.941] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.941] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.941] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.941] CloseHandle (hObject=0x440) returned 1 [0074.942] GetProcessHeap () returned 0x3a00000 [0074.942] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.942] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0074.942] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\538__Connections_Cellular_Orange (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\538__connections_cellular_orange (cameroon)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.942] GetProcessHeap () returned 0x3a00000 [0074.942] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.942] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="539__C~1.PRO")) returned 1 [0074.942] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.942] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.942] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.943] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.943] lstrcmpiW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.943] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml") returned 177 [0074.943] StrStrIW (lpFirst="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.943] lstrcmpW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.943] lstrcmpW (lpString1="539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.943] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.943] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.943] GetTickCount () returned 0x115315d [0074.943] GetTickCount () returned 0x115315d [0074.943] GetTickCount () returned 0x115315d [0074.943] GetTickCount () returned 0x115315d [0074.943] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.943] GetProcessHeap () returned 0x3a00000 [0074.943] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.943] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.945] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.945] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0074.945] GetProcessHeap () returned 0x3a00000 [0074.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.945] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.945] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.945] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.945] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.945] CloseHandle (hObject=0x440) returned 1 [0074.945] GetProcessHeap () returned 0x3a00000 [0074.945] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.946] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 196 [0074.946] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\539__Connections_Cellular_Orange (Central African Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\539__connections_cellular_orange (central african republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.946] GetProcessHeap () returned 0x3a00000 [0074.946] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.946] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902943e8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902943e8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902943e8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", cAlternateFileName="53__CO~1.PRO")) returned 1 [0074.946] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.946] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.946] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.946] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.947] lstrcmpiW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.947] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml") returned 169 [0074.947] StrStrIW (lpFirst="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.947] lstrcmpW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.947] lstrcmpW (lpString1="53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.947] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.947] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.947] GetTickCount () returned 0x115315d [0074.947] GetTickCount () returned 0x115315d [0074.947] GetTickCount () returned 0x115315d [0074.947] GetTickCount () returned 0x115315d [0074.947] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.947] GetProcessHeap () returned 0x3a00000 [0074.947] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.947] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0074.949] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.949] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0074.949] GetProcessHeap () returned 0x3a00000 [0074.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.949] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.949] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.949] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.949] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.949] CloseHandle (hObject=0x440) returned 1 [0074.949] GetProcessHeap () returned 0x3a00000 [0074.949] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.949] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0074.949] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\53__Connections_Cellular_Mascom Wireless (Botswana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\53__connections_cellular_mascom wireless (botswana)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.950] GetProcessHeap () returned 0x3a00000 [0074.950] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.950] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913452f1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913452f1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913452f1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="540__C~1.PRO")) returned 1 [0074.950] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.950] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.950] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.950] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.950] lstrcmpiW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.950] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml") returned 171 [0074.950] StrStrIW (lpFirst="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.950] lstrcmpW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.950] lstrcmpW (lpString1="540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.950] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.950] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.951] GetTickCount () returned 0x115315d [0074.951] GetTickCount () returned 0x115315d [0074.951] GetTickCount () returned 0x115315d [0074.951] GetTickCount () returned 0x115315d [0074.951] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.952] GetProcessHeap () returned 0x3a00000 [0074.952] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.952] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0074.953] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.953] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0074.954] GetProcessHeap () returned 0x3a00000 [0074.954] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.954] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.954] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.954] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.955] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.955] CloseHandle (hObject=0x440) returned 1 [0074.955] GetProcessHeap () returned 0x3a00000 [0074.955] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.955] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0074.955] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\540__Connections_Cellular_Orange (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\540__connections_cellular_orange (dominican republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.956] GetProcessHeap () returned 0x3a00000 [0074.956] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.956] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="541__C~1.PRO")) returned 1 [0074.956] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.956] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.956] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.956] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.956] lstrcmpiW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.956] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml") returned 170 [0074.956] StrStrIW (lpFirst="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.956] lstrcmpW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.956] lstrcmpW (lpString1="541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.956] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.956] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.957] GetTickCount () returned 0x115316d [0074.957] GetTickCount () returned 0x115316d [0074.957] GetTickCount () returned 0x115316d [0074.957] GetTickCount () returned 0x115316d [0074.957] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.957] GetProcessHeap () returned 0x3a00000 [0074.957] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.957] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35b, lpOverlapped=0x0) returned 1 [0074.958] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.958] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35b, lpOverlapped=0x0) returned 1 [0074.959] GetProcessHeap () returned 0x3a00000 [0074.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.959] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.959] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.959] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.959] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.959] CloseHandle (hObject=0x440) returned 1 [0074.959] GetProcessHeap () returned 0x3a00000 [0074.959] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.959] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0074.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\541__Connections_Cellular_Orange (Equatorial Guinea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\541__connections_cellular_orange (equatorial guinea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.960] GetProcessHeap () returned 0x3a00000 [0074.960] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.960] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", cAlternateFileName="542__C~1.PRO")) returned 1 [0074.960] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.960] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.960] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.960] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.960] lstrcmpiW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.960] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml") returned 170 [0074.960] StrStrIW (lpFirst="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.960] lstrcmpW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.960] lstrcmpW (lpString1="542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.960] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.960] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.961] GetTickCount () returned 0x115316d [0074.961] GetTickCount () returned 0x115316d [0074.961] GetTickCount () returned 0x115316d [0074.961] GetTickCount () returned 0x115316d [0074.961] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.961] GetProcessHeap () returned 0x3a00000 [0074.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.961] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0074.962] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.962] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0074.962] GetProcessHeap () returned 0x3a00000 [0074.962] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.962] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.962] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.963] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.963] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.963] CloseHandle (hObject=0x440) returned 1 [0074.963] GetProcessHeap () returned 0x3a00000 [0074.963] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.963] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0074.963] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\542__Connections_Cellular_Orange (Equatorial Guinea)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\542__connections_cellular_orange (equatorial guinea)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.964] GetProcessHeap () returned 0x3a00000 [0074.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.964] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="543__C~1.PRO")) returned 1 [0074.966] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.966] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.966] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.966] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.966] lstrcmpiW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.966] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml") returned 159 [0074.966] StrStrIW (lpFirst="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.966] lstrcmpW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.966] lstrcmpW (lpString1="543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.966] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.967] GetTickCount () returned 0x115317c [0074.967] GetTickCount () returned 0x115317c [0074.967] GetTickCount () returned 0x115317c [0074.967] GetTickCount () returned 0x115317c [0074.967] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.967] GetProcessHeap () returned 0x3a00000 [0074.967] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.967] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0074.968] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.968] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0074.969] GetProcessHeap () returned 0x3a00000 [0074.969] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.969] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.969] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.969] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.969] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.969] CloseHandle (hObject=0x440) returned 1 [0074.969] GetProcessHeap () returned 0x3a00000 [0074.969] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.969] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0074.969] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\543__Connections_Cellular_Orange (Guinea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\543__connections_cellular_orange (guinea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.970] GetProcessHeap () returned 0x3a00000 [0074.970] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.970] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9136b55d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9136b55d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9136b55d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", cAlternateFileName="544__C~1.PRO")) returned 1 [0074.970] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.970] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.970] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.970] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.970] lstrcmpiW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.970] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml") returned 166 [0074.970] StrStrIW (lpFirst="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0074.970] lstrcmpW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0074.970] lstrcmpW (lpString1="544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0074.970] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0074.970] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0074.970] GetTickCount () returned 0x115317c [0074.970] GetTickCount () returned 0x115317c [0074.970] GetTickCount () returned 0x115317c [0074.971] GetTickCount () returned 0x115317c [0074.971] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0074.971] GetProcessHeap () returned 0x3a00000 [0074.971] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0074.971] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0074.972] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0074.972] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0074.972] GetProcessHeap () returned 0x3a00000 [0074.972] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0074.972] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.972] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0074.972] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0074.973] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0074.973] CloseHandle (hObject=0x440) returned 1 [0074.973] GetProcessHeap () returned 0x3a00000 [0074.973] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0074.973] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0074.973] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\544__Connections_Cellular_Orange (Guinea-Bissau)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\544__connections_cellular_orange (guinea-bissau)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0074.973] GetProcessHeap () returned 0x3a00000 [0074.973] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0074.973] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913917c8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913917c8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913917c8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", cAlternateFileName="545__C~1.PRO")) returned 1 [0074.974] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0074.974] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0074.974] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0074.974] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0074.974] lstrcmpiW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0074.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml") returned 166 [0074.974] StrStrIW (lpFirst="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.122] lstrcmpW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.122] lstrcmpW (lpString1="545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.122] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.122] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.124] GetTickCount () returned 0x1153218 [0075.124] GetTickCount () returned 0x1153218 [0075.124] GetTickCount () returned 0x1153218 [0075.124] GetTickCount () returned 0x1153218 [0075.124] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.124] GetProcessHeap () returned 0x3a00000 [0075.124] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.124] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.125] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.125] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.126] GetProcessHeap () returned 0x3a00000 [0075.126] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.126] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.126] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.126] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.126] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.126] CloseHandle (hObject=0x440) returned 1 [0075.126] GetProcessHeap () returned 0x3a00000 [0075.126] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.126] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0075.126] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\545__Connections_Cellular_Orange (Côte d’Ivoire)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\545__connections_cellular_orange (côte d’ivoire)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.127] GetProcessHeap () returned 0x3a00000 [0075.127] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.127] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913917c8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913917c8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913917c8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x350, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", cAlternateFileName="546__C~1.PRO")) returned 1 [0075.127] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.127] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.127] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.127] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.127] lstrcmpiW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.128] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml") returned 166 [0075.128] StrStrIW (lpFirst="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.128] lstrcmpW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.128] lstrcmpW (lpString1="546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.128] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.128] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.128] GetTickCount () returned 0x1153218 [0075.128] GetTickCount () returned 0x1153218 [0075.128] GetTickCount () returned 0x1153218 [0075.128] GetTickCount () returned 0x1153218 [0075.128] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.128] GetProcessHeap () returned 0x3a00000 [0075.128] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.128] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x350, lpOverlapped=0x0) returned 1 [0075.130] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.130] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x350, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x350, lpOverlapped=0x0) returned 1 [0075.130] GetProcessHeap () returned 0x3a00000 [0075.130] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.130] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.130] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.130] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.131] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.131] CloseHandle (hObject=0x440) returned 1 [0075.154] GetProcessHeap () returned 0x3a00000 [0075.154] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.154] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0075.154] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\546__Connections_Cellular_Orange (Côte d’Ivoire)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\546__connections_cellular_orange (côte d’ivoire)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.155] GetProcessHeap () returned 0x3a00000 [0075.155] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.155] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x355, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", cAlternateFileName="547__C~1.PRO")) returned 1 [0075.155] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.155] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.155] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.155] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.155] lstrcmpiW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.155] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml") returned 166 [0075.155] StrStrIW (lpFirst="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.156] lstrcmpW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.156] lstrcmpW (lpString1="547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.156] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.156] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.156] GetTickCount () returned 0x1153238 [0075.156] GetTickCount () returned 0x1153238 [0075.156] GetTickCount () returned 0x1153238 [0075.156] GetTickCount () returned 0x1153238 [0075.156] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.156] GetProcessHeap () returned 0x3a00000 [0075.156] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.156] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x355, lpOverlapped=0x0) returned 1 [0075.258] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcab, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.258] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x355, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x355, lpOverlapped=0x0) returned 1 [0075.258] GetProcessHeap () returned 0x3a00000 [0075.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.258] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.258] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.258] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.259] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.259] CloseHandle (hObject=0x440) returned 1 [0075.259] GetProcessHeap () returned 0x3a00000 [0075.259] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.259] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0075.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\547__Connections_Cellular_Orange (Côte d’Ivoire)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\547__connections_cellular_orange (côte d’ivoire)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.260] GetProcessHeap () returned 0x3a00000 [0075.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.260] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", cAlternateFileName="548__C~1.PRO")) returned 1 [0075.260] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.260] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.260] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.260] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.260] lstrcmpiW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.260] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml") returned 166 [0075.260] StrStrIW (lpFirst="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.260] lstrcmpW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.260] lstrcmpW (lpString1="548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.260] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.261] GetTickCount () returned 0x1153295 [0075.261] GetTickCount () returned 0x1153295 [0075.261] GetTickCount () returned 0x1153295 [0075.261] GetTickCount () returned 0x1153295 [0075.261] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.261] GetProcessHeap () returned 0x3a00000 [0075.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.261] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0075.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0075.263] GetProcessHeap () returned 0x3a00000 [0075.263] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.263] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.263] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.263] CloseHandle (hObject=0x440) returned 1 [0075.264] GetProcessHeap () returned 0x3a00000 [0075.264] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.264] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0075.264] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\548__Connections_Cellular_Orange (Côte d’Ivoire)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\548__connections_cellular_orange (côte d’ivoire)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.265] GetProcessHeap () returned 0x3a00000 [0075.265] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.265] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", cAlternateFileName="549__C~1.PRO")) returned 1 [0075.265] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.265] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.265] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.265] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.265] lstrcmpiW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.265] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml") returned 158 [0075.265] StrStrIW (lpFirst="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.265] lstrcmpW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.265] lstrcmpW (lpString1="549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.265] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.266] GetTickCount () returned 0x11532a5 [0075.266] GetTickCount () returned 0x11532a5 [0075.266] GetTickCount () returned 0x11532a5 [0075.266] GetTickCount () returned 0x11532a5 [0075.266] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.266] GetProcessHeap () returned 0x3a00000 [0075.266] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.266] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0075.267] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.267] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0075.268] GetProcessHeap () returned 0x3a00000 [0075.268] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.268] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.268] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.268] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.268] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.268] CloseHandle (hObject=0x440) returned 1 [0075.268] GetProcessHeap () returned 0x3a00000 [0075.268] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.268] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0075.268] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\549__Connections_Cellular_Orange (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\549__connections_cellular_orange (kenya)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.269] GetProcessHeap () returned 0x3a00000 [0075.269] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.269] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="54__CO~1.PRO")) returned 1 [0075.269] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.269] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.269] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.269] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.269] lstrcmpiW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.269] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml") returned 156 [0075.269] StrStrIW (lpFirst="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.269] lstrcmpW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.269] lstrcmpW (lpString1="54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.269] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.270] GetTickCount () returned 0x11532a5 [0075.270] GetTickCount () returned 0x11532a5 [0075.270] GetTickCount () returned 0x11532a5 [0075.270] GetTickCount () returned 0x11532a5 [0075.270] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.270] GetProcessHeap () returned 0x3a00000 [0075.270] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.270] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0075.271] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.271] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0075.272] GetProcessHeap () returned 0x3a00000 [0075.272] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.272] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.272] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.272] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.272] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.272] CloseHandle (hObject=0x440) returned 1 [0075.272] GetProcessHeap () returned 0x3a00000 [0075.272] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.272] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.272] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\54__Connections_Cellular_CTBC (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\54__connections_cellular_ctbc (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.273] GetProcessHeap () returned 0x3a00000 [0075.273] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.273] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913b7a34, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913b7a34, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913b7a34, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", cAlternateFileName="550__C~1.PRO")) returned 1 [0075.273] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.273] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.273] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.273] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.273] lstrcmpiW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.273] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml") returned 163 [0075.273] StrStrIW (lpFirst="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.273] lstrcmpW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.273] lstrcmpW (lpString1="550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.273] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.273] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.274] GetTickCount () returned 0x11532a5 [0075.274] GetTickCount () returned 0x11532a5 [0075.274] GetTickCount () returned 0x11532a5 [0075.274] GetTickCount () returned 0x11532a5 [0075.274] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.274] GetProcessHeap () returned 0x3a00000 [0075.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.274] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.275] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.275] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.275] GetProcessHeap () returned 0x3a00000 [0075.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.275] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.276] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.276] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.276] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.276] CloseHandle (hObject=0x440) returned 1 [0075.276] GetProcessHeap () returned 0x3a00000 [0075.276] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.276] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0075.276] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\550__Connections_Cellular_Orange (Madagascar)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\550__connections_cellular_orange (madagascar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.277] GetProcessHeap () returned 0x3a00000 [0075.277] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.277] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x33c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", cAlternateFileName="551__C~1.PRO")) returned 1 [0075.277] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.277] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.277] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.277] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.277] lstrcmpiW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.277] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml") returned 157 [0075.277] StrStrIW (lpFirst="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.277] lstrcmpW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.277] lstrcmpW (lpString1="551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.277] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.277] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.278] GetTickCount () returned 0x11532a5 [0075.278] GetTickCount () returned 0x11532a5 [0075.278] GetTickCount () returned 0x11532a5 [0075.278] GetTickCount () returned 0x11532a5 [0075.278] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.278] GetProcessHeap () returned 0x3a00000 [0075.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.278] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x33c, lpOverlapped=0x0) returned 1 [0075.280] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcc4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.280] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x33c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x33c, lpOverlapped=0x0) returned 1 [0075.280] GetProcessHeap () returned 0x3a00000 [0075.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.280] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.280] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.280] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.280] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.280] CloseHandle (hObject=0x440) returned 1 [0075.280] GetProcessHeap () returned 0x3a00000 [0075.280] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.280] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\551__Connections_Cellular_Orange (Mali)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\551__connections_cellular_orange (mali)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.281] GetProcessHeap () returned 0x3a00000 [0075.281] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.281] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x347, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", cAlternateFileName="552__C~1.PRO")) returned 1 [0075.281] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.281] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.281] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.281] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.281] lstrcmpiW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.281] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml") returned 157 [0075.282] StrStrIW (lpFirst="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.282] lstrcmpW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.282] lstrcmpW (lpString1="552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.282] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.282] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.282] GetTickCount () returned 0x11532b5 [0075.282] GetTickCount () returned 0x11532b5 [0075.282] GetTickCount () returned 0x11532b5 [0075.282] GetTickCount () returned 0x11532b5 [0075.282] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.282] GetProcessHeap () returned 0x3a00000 [0075.282] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.282] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x347, lpOverlapped=0x0) returned 1 [0075.285] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.285] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x347, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x347, lpOverlapped=0x0) returned 1 [0075.286] GetProcessHeap () returned 0x3a00000 [0075.286] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.286] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.286] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.286] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.286] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.286] CloseHandle (hObject=0x440) returned 1 [0075.286] GetProcessHeap () returned 0x3a00000 [0075.286] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.286] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.286] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\552__Connections_Cellular_Orange (Mali)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\552__connections_cellular_orange (mali)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.287] GetProcessHeap () returned 0x3a00000 [0075.287] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.287] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", cAlternateFileName="553__C~1.PRO")) returned 1 [0075.287] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.287] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.287] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.287] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.287] lstrcmpiW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml") returned 162 [0075.287] StrStrIW (lpFirst="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.287] lstrcmpW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.287] lstrcmpW (lpString1="553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.287] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.287] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.288] GetTickCount () returned 0x11532b5 [0075.288] GetTickCount () returned 0x11532b5 [0075.288] GetTickCount () returned 0x11532b5 [0075.288] GetTickCount () returned 0x11532b5 [0075.288] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.288] GetProcessHeap () returned 0x3a00000 [0075.288] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.288] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.357] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.358] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.358] GetProcessHeap () returned 0x3a00000 [0075.358] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.358] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.358] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.358] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.358] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.358] CloseHandle (hObject=0x440) returned 1 [0075.358] GetProcessHeap () returned 0x3a00000 [0075.358] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.358] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.358] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\553__Connections_Cellular_Orange (Mauritius)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\553__connections_cellular_orange (mauritius)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.360] GetProcessHeap () returned 0x3a00000 [0075.360] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.360] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x913ddca3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x913ddca3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x913ddca3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x352, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", cAlternateFileName="554__C~1.PRO")) returned 1 [0075.360] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.360] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.360] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.360] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.360] lstrcmpiW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.360] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml") returned 161 [0075.360] StrStrIW (lpFirst="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.360] lstrcmpW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.360] lstrcmpW (lpString1="554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.360] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.360] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.361] GetTickCount () returned 0x1153303 [0075.361] GetTickCount () returned 0x1153303 [0075.361] GetTickCount () returned 0x1153303 [0075.361] GetTickCount () returned 0x1153303 [0075.361] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.361] GetProcessHeap () returned 0x3a00000 [0075.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.361] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0075.362] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcae, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.362] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x352, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x352, lpOverlapped=0x0) returned 1 [0075.363] GetProcessHeap () returned 0x3a00000 [0075.363] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.363] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.363] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.363] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.363] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.363] CloseHandle (hObject=0x440) returned 1 [0075.363] GetProcessHeap () returned 0x3a00000 [0075.363] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.363] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0075.363] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\554__Connections_Cellular_Meditel (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\554__connections_cellular_meditel (morocco)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.364] GetProcessHeap () returned 0x3a00000 [0075.364] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.364] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", cAlternateFileName="555__C~1.PRO")) returned 1 [0075.364] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.364] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.364] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.364] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.364] lstrcmpiW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.364] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml") returned 158 [0075.365] StrStrIW (lpFirst="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.365] lstrcmpW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.365] lstrcmpW (lpString1="555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.365] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.365] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.365] GetTickCount () returned 0x1153303 [0075.365] GetTickCount () returned 0x1153303 [0075.365] GetTickCount () returned 0x1153303 [0075.365] GetTickCount () returned 0x1153303 [0075.365] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.365] GetProcessHeap () returned 0x3a00000 [0075.365] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.365] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.367] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.367] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.367] GetProcessHeap () returned 0x3a00000 [0075.367] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.367] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.367] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.367] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.367] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.367] CloseHandle (hObject=0x440) returned 1 [0075.368] GetProcessHeap () returned 0x3a00000 [0075.368] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.368] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0075.368] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\555__Connections_Cellular_Orange (Niger)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\555__connections_cellular_orange (niger)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.369] GetProcessHeap () returned 0x3a00000 [0075.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.369] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", cAlternateFileName="556__C~1.PRO")) returned 1 [0075.369] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.369] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.369] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.369] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.369] lstrcmpiW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.369] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml") returned 182 [0075.369] StrStrIW (lpFirst="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.369] lstrcmpW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.369] lstrcmpW (lpString1="556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.369] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.369] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.370] GetTickCount () returned 0x1153303 [0075.370] GetTickCount () returned 0x1153303 [0075.370] GetTickCount () returned 0x1153303 [0075.370] GetTickCount () returned 0x1153303 [0075.370] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.370] GetProcessHeap () returned 0x3a00000 [0075.370] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.370] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0075.372] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.372] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0075.372] GetProcessHeap () returned 0x3a00000 [0075.372] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.372] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.372] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.372] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.372] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.373] CloseHandle (hObject=0x440) returned 1 [0075.373] GetProcessHeap () returned 0x3a00000 [0075.373] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.373] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0075.373] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\556__Connections_Cellular_CCT (Democratic Republic of the Congo)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\556__connections_cellular_cct (democratic republic of the congo)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.374] GetProcessHeap () returned 0x3a00000 [0075.374] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.374] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91403f0f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91403f0f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91403f0f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", cAlternateFileName="557__C~1.PRO")) returned 1 [0075.374] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.374] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.374] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.374] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.374] lstrcmpiW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.374] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml") returned 160 [0075.374] StrStrIW (lpFirst="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.374] lstrcmpW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.374] lstrcmpW (lpString1="557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.374] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.374] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.374] GetTickCount () returned 0x1153312 [0075.375] GetTickCount () returned 0x1153312 [0075.375] GetTickCount () returned 0x1153312 [0075.375] GetTickCount () returned 0x1153312 [0075.375] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.375] GetProcessHeap () returned 0x3a00000 [0075.375] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.375] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0075.376] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.376] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35d, lpOverlapped=0x0) returned 1 [0075.376] GetProcessHeap () returned 0x3a00000 [0075.376] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.376] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.376] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.377] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.377] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.377] CloseHandle (hObject=0x440) returned 1 [0075.377] GetProcessHeap () returned 0x3a00000 [0075.377] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.377] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.377] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\557__Connections_Cellular_Orange (Senegal)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\557__connections_cellular_orange (senegal)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.378] GetProcessHeap () returned 0x3a00000 [0075.378] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.378] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x349, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", cAlternateFileName="558__C~1.PRO")) returned 1 [0075.378] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.378] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.378] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.378] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.378] lstrcmpiW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.378] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml") returned 160 [0075.378] StrStrIW (lpFirst="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.378] lstrcmpW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.378] lstrcmpW (lpString1="558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.378] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.378] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.378] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] GetTickCount () returned 0x1153312 [0075.379] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.379] GetProcessHeap () returned 0x3a00000 [0075.379] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.379] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x349, lpOverlapped=0x0) returned 1 [0075.380] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.380] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x349, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x349, lpOverlapped=0x0) returned 1 [0075.380] GetProcessHeap () returned 0x3a00000 [0075.380] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.380] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.380] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.380] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.381] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.381] CloseHandle (hObject=0x440) returned 1 [0075.381] GetProcessHeap () returned 0x3a00000 [0075.381] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.381] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\558__Connections_Cellular_Orange (Senegal)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\558__connections_cellular_orange (senegal)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.381] GetProcessHeap () returned 0x3a00000 [0075.381] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.382] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="559__C~1.PRO")) returned 1 [0075.384] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.384] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.384] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.384] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.384] lstrcmpiW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.384] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml") returned 160 [0075.384] StrStrIW (lpFirst="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.384] lstrcmpW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.384] lstrcmpW (lpString1="559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.384] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.384] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.385] GetTickCount () returned 0x1153312 [0075.385] GetTickCount () returned 0x1153312 [0075.385] GetTickCount () returned 0x1153312 [0075.385] GetTickCount () returned 0x1153312 [0075.385] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.385] GetProcessHeap () returned 0x3a00000 [0075.385] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.385] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0075.386] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.386] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0075.386] GetProcessHeap () returned 0x3a00000 [0075.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.386] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.387] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.387] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.387] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.387] CloseHandle (hObject=0x440) returned 1 [0075.387] GetProcessHeap () returned 0x3a00000 [0075.387] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.387] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\559__Connections_Cellular_Orange (Tunisia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\559__connections_cellular_orange (tunisia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.388] GetProcessHeap () returned 0x3a00000 [0075.388] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.388] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="55__CO~1.PRO")) returned 1 [0075.388] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.388] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.388] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.388] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.388] lstrcmpiW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.388] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml") returned 154 [0075.388] StrStrIW (lpFirst="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.388] lstrcmpW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.388] lstrcmpW (lpString1="55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.388] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.389] GetTickCount () returned 0x1153322 [0075.389] GetTickCount () returned 0x1153322 [0075.389] GetTickCount () returned 0x1153322 [0075.389] GetTickCount () returned 0x1153322 [0075.389] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.389] GetProcessHeap () returned 0x3a00000 [0075.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.389] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.390] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.390] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.391] GetProcessHeap () returned 0x3a00000 [0075.391] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.391] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.391] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.391] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.391] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.391] CloseHandle (hObject=0x440) returned 1 [0075.391] GetProcessHeap () returned 0x3a00000 [0075.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.391] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0075.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\55__Connections_Cellular_Oi (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\55__connections_cellular_oi (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.392] GetProcessHeap () returned 0x3a00000 [0075.392] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.392] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="560__C~1.PRO")) returned 1 [0075.392] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.392] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.392] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.392] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.392] lstrcmpiW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.392] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml") returned 160 [0075.392] StrStrIW (lpFirst="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.392] lstrcmpW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.392] lstrcmpW (lpString1="560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.392] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.393] GetTickCount () returned 0x1153322 [0075.393] GetTickCount () returned 0x1153322 [0075.393] GetTickCount () returned 0x1153322 [0075.393] GetTickCount () returned 0x1153322 [0075.393] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.393] GetProcessHeap () returned 0x3a00000 [0075.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.393] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0075.413] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.413] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0075.413] GetProcessHeap () returned 0x3a00000 [0075.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.413] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.413] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.413] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.413] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.413] CloseHandle (hObject=0x440) returned 1 [0075.413] GetProcessHeap () returned 0x3a00000 [0075.413] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.414] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\560__Connections_Cellular_Orange (Tunisia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\560__connections_cellular_orange (tunisia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.415] GetProcessHeap () returned 0x3a00000 [0075.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.415] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9142a17a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", cAlternateFileName="561__C~1.PRO")) returned 1 [0075.415] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.415] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.415] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.415] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.415] lstrcmpiW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.415] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml") returned 160 [0075.415] StrStrIW (lpFirst="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.415] lstrcmpW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.415] lstrcmpW (lpString1="561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.415] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.415] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.416] GetTickCount () returned 0x1153332 [0075.416] GetTickCount () returned 0x1153332 [0075.416] GetTickCount () returned 0x1153332 [0075.416] GetTickCount () returned 0x1153332 [0075.416] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.416] GetProcessHeap () returned 0x3a00000 [0075.416] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.416] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0075.418] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.418] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0075.418] GetProcessHeap () returned 0x3a00000 [0075.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.418] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.418] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.418] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.418] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.418] CloseHandle (hObject=0x440) returned 1 [0075.418] GetProcessHeap () returned 0x3a00000 [0075.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.418] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.418] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\561__Connections_Cellular_Orange (Tunisia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\561__connections_cellular_orange (tunisia)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.419] GetProcessHeap () returned 0x3a00000 [0075.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.419] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9142a17a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9142a17a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", cAlternateFileName="562__C~1.PRO")) returned 1 [0075.420] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.420] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.420] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.420] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.420] lstrcmpiW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.420] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml") returned 160 [0075.420] StrStrIW (lpFirst="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.420] lstrcmpW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.420] lstrcmpW (lpString1="562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.420] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.420] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.420] GetTickCount () returned 0x1153341 [0075.420] GetTickCount () returned 0x1153341 [0075.420] GetTickCount () returned 0x1153341 [0075.420] GetTickCount () returned 0x1153341 [0075.420] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.420] GetProcessHeap () returned 0x3a00000 [0075.421] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.421] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0075.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.422] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0075.422] GetProcessHeap () returned 0x3a00000 [0075.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.422] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.422] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.422] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.422] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.423] CloseHandle (hObject=0x440) returned 1 [0075.423] GetProcessHeap () returned 0x3a00000 [0075.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.423] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.423] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\562__Connections_Cellular_Orange (Tunisia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\562__connections_cellular_orange (tunisia)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.423] GetProcessHeap () returned 0x3a00000 [0075.423] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.423] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", cAlternateFileName="563__C~1.PRO")) returned 1 [0075.424] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.424] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.424] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.424] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.424] lstrcmpiW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.424] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml") returned 160 [0075.424] StrStrIW (lpFirst="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.424] lstrcmpW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.424] lstrcmpW (lpString1="563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.424] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.424] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.424] GetTickCount () returned 0x1153341 [0075.424] GetTickCount () returned 0x1153341 [0075.424] GetTickCount () returned 0x1153341 [0075.424] GetTickCount () returned 0x1153341 [0075.424] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.424] GetProcessHeap () returned 0x3a00000 [0075.424] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.424] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0075.426] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.426] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0075.426] GetProcessHeap () returned 0x3a00000 [0075.426] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.426] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.426] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.426] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.426] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.427] CloseHandle (hObject=0x440) returned 1 [0075.427] GetProcessHeap () returned 0x3a00000 [0075.427] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.427] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.427] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\563__Connections_Cellular_Orange (Tunisia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\563__connections_cellular_orange (tunisia)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.428] GetProcessHeap () returned 0x3a00000 [0075.428] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.428] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", cAlternateFileName="564__C~1.PRO")) returned 1 [0075.428] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.428] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.428] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.428] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.428] lstrcmpiW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.428] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml") returned 160 [0075.428] StrStrIW (lpFirst="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.428] lstrcmpW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.428] lstrcmpW (lpString1="564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.428] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.428] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.428] GetTickCount () returned 0x1153341 [0075.428] GetTickCount () returned 0x1153341 [0075.428] GetTickCount () returned 0x1153341 [0075.428] GetTickCount () returned 0x1153341 [0075.428] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.429] GetProcessHeap () returned 0x3a00000 [0075.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.429] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0075.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0075.430] GetProcessHeap () returned 0x3a00000 [0075.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.430] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.431] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.431] CloseHandle (hObject=0x440) returned 1 [0075.431] GetProcessHeap () returned 0x3a00000 [0075.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.431] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\564__Connections_Cellular_Orange (Tunisia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\564__connections_cellular_orange (tunisia)_i5$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.432] GetProcessHeap () returned 0x3a00000 [0075.432] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.432] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", cAlternateFileName="565__C~1.PRO")) returned 1 [0075.432] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.432] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.432] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.432] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.432] lstrcmpiW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.432] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml") returned 159 [0075.432] StrStrIW (lpFirst="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.432] lstrcmpW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.432] lstrcmpW (lpString1="565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.432] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.432] GetTickCount () returned 0x1153341 [0075.432] GetTickCount () returned 0x1153341 [0075.432] GetTickCount () returned 0x1153341 [0075.432] GetTickCount () returned 0x1153341 [0075.432] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.433] GetProcessHeap () returned 0x3a00000 [0075.433] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.433] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.434] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.435] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.435] GetProcessHeap () returned 0x3a00000 [0075.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.435] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.435] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.435] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.435] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.435] CloseHandle (hObject=0x440) returned 1 [0075.435] GetProcessHeap () returned 0x3a00000 [0075.435] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.435] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0075.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\565__Connections_Cellular_Orange (Uganda)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\565__connections_cellular_orange (uganda)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.436] GetProcessHeap () returned 0x3a00000 [0075.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.436] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914503e2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914503e2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914503e2, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x35a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="566__C~1.PRO")) returned 1 [0075.436] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.436] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.436] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.436] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.436] lstrcmpiW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.436] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 173 [0075.436] StrStrIW (lpFirst="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.436] lstrcmpW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.436] lstrcmpW (lpString1="566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.436] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.437] GetTickCount () returned 0x1153351 [0075.437] GetTickCount () returned 0x1153351 [0075.437] GetTickCount () returned 0x1153351 [0075.437] GetTickCount () returned 0x1153351 [0075.437] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.437] GetProcessHeap () returned 0x3a00000 [0075.437] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.437] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0075.438] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.439] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x35a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x35a, lpOverlapped=0x0) returned 1 [0075.439] GetProcessHeap () returned 0x3a00000 [0075.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.439] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.439] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.439] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.439] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.439] CloseHandle (hObject=0x440) returned 1 [0075.439] GetProcessHeap () returned 0x3a00000 [0075.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.439] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0075.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\566__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\566__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.440] GetProcessHeap () returned 0x3a00000 [0075.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.440] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", cAlternateFileName="567__C~1.PRO")) returned 1 [0075.440] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.440] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.440] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.440] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.440] lstrcmpiW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.440] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml") returned 173 [0075.440] StrStrIW (lpFirst="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.441] lstrcmpW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.441] lstrcmpW (lpString1="567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.441] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.441] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.441] GetTickCount () returned 0x1153351 [0075.441] GetTickCount () returned 0x1153351 [0075.441] GetTickCount () returned 0x1153351 [0075.441] GetTickCount () returned 0x1153351 [0075.441] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.442] GetProcessHeap () returned 0x3a00000 [0075.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.442] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0075.443] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.443] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34e, lpOverlapped=0x0) returned 1 [0075.443] GetProcessHeap () returned 0x3a00000 [0075.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.443] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.443] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.443] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.444] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.444] CloseHandle (hObject=0x440) returned 1 [0075.444] GetProcessHeap () returned 0x3a00000 [0075.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.444] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0075.444] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\567__Connections_Cellular_Cubic Telecom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\567__connections_cellular_cubic telecom (liechtenstein)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.445] GetProcessHeap () returned 0x3a00000 [0075.445] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.445] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="568__C~1.PRO")) returned 1 [0075.445] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.445] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.445] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.445] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.445] lstrcmpiW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml") returned 164 [0075.445] StrStrIW (lpFirst="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.445] lstrcmpW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.445] lstrcmpW (lpString1="568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.445] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.445] GetTickCount () returned 0x1153351 [0075.445] GetTickCount () returned 0x1153351 [0075.445] GetTickCount () returned 0x1153351 [0075.445] GetTickCount () returned 0x1153351 [0075.445] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.446] GetProcessHeap () returned 0x3a00000 [0075.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.446] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x30f, lpOverlapped=0x0) returned 1 [0075.447] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.447] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x30f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x30f, lpOverlapped=0x0) returned 1 [0075.447] GetProcessHeap () returned 0x3a00000 [0075.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.447] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.447] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.447] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.447] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.448] CloseHandle (hObject=0x440) returned 1 [0075.448] GetProcessHeap () returned 0x3a00000 [0075.448] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.448] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.448] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\568__Connections_Cellular_Digi.Mobil (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\568__connections_cellular_digi.mobil (romania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.448] GetProcessHeap () returned 0x3a00000 [0075.448] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.448] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9147664e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9147664e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9147664e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x30b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", cAlternateFileName="569__C~1.PRO")) returned 1 [0075.449] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.449] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.449] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.449] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.449] lstrcmpiW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.449] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml") returned 164 [0075.449] StrStrIW (lpFirst="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.449] lstrcmpW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.449] lstrcmpW (lpString1="569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.449] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.449] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.449] GetTickCount () returned 0x1153351 [0075.449] GetTickCount () returned 0x1153351 [0075.449] GetTickCount () returned 0x1153351 [0075.449] GetTickCount () returned 0x1153351 [0075.449] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.449] GetProcessHeap () returned 0x3a00000 [0075.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.449] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0075.454] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.454] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x30b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x30b, lpOverlapped=0x0) returned 1 [0075.454] GetProcessHeap () returned 0x3a00000 [0075.454] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.454] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.455] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.455] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.455] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.455] CloseHandle (hObject=0x440) returned 1 [0075.455] GetProcessHeap () returned 0x3a00000 [0075.455] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.455] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.455] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\569__Connections_Cellular_TELEKOM.RO (Romania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\569__connections_cellular_telekom.ro (romania)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.456] GetProcessHeap () returned 0x3a00000 [0075.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.456] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="56__CO~1.PRO")) returned 1 [0075.456] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.456] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.456] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.456] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.456] lstrcmpiW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.456] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml") returned 161 [0075.456] StrStrIW (lpFirst="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.456] lstrcmpW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.456] lstrcmpW (lpString1="56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.456] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.457] GetTickCount () returned 0x1153361 [0075.457] GetTickCount () returned 0x1153361 [0075.457] GetTickCount () returned 0x1153361 [0075.457] GetTickCount () returned 0x1153361 [0075.457] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.457] GetProcessHeap () returned 0x3a00000 [0075.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.457] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0075.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0075.459] GetProcessHeap () returned 0x3a00000 [0075.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.459] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.459] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.459] CloseHandle (hObject=0x440) returned 1 [0075.459] GetProcessHeap () returned 0x3a00000 [0075.459] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.459] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0075.459] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\56__Connections_Cellular_Sercomtel (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\56__connections_cellular_sercomtel (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.460] GetProcessHeap () returned 0x3a00000 [0075.460] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.460] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", cAlternateFileName="570__C~1.PRO")) returned 1 [0075.460] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.460] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.460] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.460] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.460] lstrcmpiW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.460] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml") returned 164 [0075.460] StrStrIW (lpFirst="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.461] lstrcmpW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.461] lstrcmpW (lpString1="570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.461] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.461] GetTickCount () returned 0x1153361 [0075.461] GetTickCount () returned 0x1153361 [0075.461] GetTickCount () returned 0x1153361 [0075.461] GetTickCount () returned 0x1153361 [0075.461] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.461] GetProcessHeap () returned 0x3a00000 [0075.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.461] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x37c, lpOverlapped=0x0) returned 1 [0075.465] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc84, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.465] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x37c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x37c, lpOverlapped=0x0) returned 1 [0075.465] GetProcessHeap () returned 0x3a00000 [0075.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.465] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.465] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.465] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.465] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.465] CloseHandle (hObject=0x440) returned 1 [0075.466] GetProcessHeap () returned 0x3a00000 [0075.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.466] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.466] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\570__Connections_Cellular_TELEKOM.RO (Romania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\570__connections_cellular_telekom.ro (romania)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.467] GetProcessHeap () returned 0x3a00000 [0075.467] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.467] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x37d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", cAlternateFileName="571__C~1.PRO")) returned 1 [0075.467] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.467] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.467] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.467] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.467] lstrcmpiW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.467] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml") returned 164 [0075.467] StrStrIW (lpFirst="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.467] lstrcmpW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.467] lstrcmpW (lpString1="571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.467] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.468] GetTickCount () returned 0x1153370 [0075.468] GetTickCount () returned 0x1153370 [0075.468] GetTickCount () returned 0x1153370 [0075.468] GetTickCount () returned 0x1153370 [0075.468] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.468] GetProcessHeap () returned 0x3a00000 [0075.468] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.468] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x37d, lpOverlapped=0x0) returned 1 [0075.469] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc83, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.469] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x37d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x37d, lpOverlapped=0x0) returned 1 [0075.470] GetProcessHeap () returned 0x3a00000 [0075.470] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.470] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.470] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.470] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.470] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.470] CloseHandle (hObject=0x440) returned 1 [0075.470] GetProcessHeap () returned 0x3a00000 [0075.470] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.470] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.470] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\571__Connections_Cellular_TELEKOM.RO (Romania)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\571__connections_cellular_telekom.ro (romania)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.471] GetProcessHeap () returned 0x3a00000 [0075.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.471] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="572__C~1.PRO")) returned 1 [0075.471] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.471] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.471] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.471] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.471] lstrcmpiW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.471] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.471] StrStrIW (lpFirst="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.471] lstrcmpW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.471] lstrcmpW (lpString1="572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.471] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.471] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.472] GetTickCount () returned 0x1153370 [0075.472] GetTickCount () returned 0x1153370 [0075.472] GetTickCount () returned 0x1153370 [0075.472] GetTickCount () returned 0x1153370 [0075.472] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.472] GetProcessHeap () returned 0x3a00000 [0075.472] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.472] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.473] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.473] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.474] GetProcessHeap () returned 0x3a00000 [0075.474] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.474] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.474] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.474] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.474] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.474] CloseHandle (hObject=0x440) returned 1 [0075.474] GetProcessHeap () returned 0x3a00000 [0075.474] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.474] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.474] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\572__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\572__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.475] GetProcessHeap () returned 0x3a00000 [0075.475] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.475] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9149c8b9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9149c8b9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9149c8b9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="573__C~1.PRO")) returned 1 [0075.475] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0075.475] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0075.475] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0075.475] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0075.475] lstrcmpiW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0075.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0075.475] StrStrIW (lpFirst="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0075.475] lstrcmpW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.475] lstrcmpW (lpString1="573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0075.475] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.475] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.476] GetTickCount () returned 0x1153370 [0075.476] GetTickCount () returned 0x1153370 [0075.476] GetTickCount () returned 0x1153370 [0075.476] GetTickCount () returned 0x1153370 [0075.476] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.476] GetProcessHeap () returned 0x3a00000 [0075.476] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.476] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0075.477] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.477] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0075.477] GetProcessHeap () returned 0x3a00000 [0075.477] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.477] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.477] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.478] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.478] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.478] CloseHandle (hObject=0x440) returned 1 [0075.478] GetProcessHeap () returned 0x3a00000 [0075.478] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.478] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0075.478] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\573__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\573__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.479] GetProcessHeap () returned 0x3a00000 [0075.479] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.479] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="574__C~1.PRO")) returned 1 [0075.481] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.481] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.481] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.481] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.481] lstrcmpiW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.481] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.482] StrStrIW (lpFirst="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.482] lstrcmpW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.482] lstrcmpW (lpString1="574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.482] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.482] GetTickCount () returned 0x1153380 [0075.482] GetTickCount () returned 0x1153380 [0075.482] GetTickCount () returned 0x1153380 [0075.482] GetTickCount () returned 0x1153380 [0075.483] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.483] GetProcessHeap () returned 0x3a00000 [0075.483] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.483] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.484] GetProcessHeap () returned 0x3a00000 [0075.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.484] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.484] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.484] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.485] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.485] CloseHandle (hObject=0x440) returned 1 [0075.485] GetProcessHeap () returned 0x3a00000 [0075.485] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.485] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.485] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\574__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\574__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.489] GetProcessHeap () returned 0x3a00000 [0075.489] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.489] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="575__C~1.PRO")) returned 1 [0075.489] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0075.489] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0075.489] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0075.489] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0075.489] lstrcmpiW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0075.489] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0075.489] StrStrIW (lpFirst="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0075.489] lstrcmpW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.489] lstrcmpW (lpString1="575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0075.489] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.489] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.489] GetTickCount () returned 0x1153380 [0075.490] GetTickCount () returned 0x1153380 [0075.490] GetTickCount () returned 0x1153380 [0075.490] GetTickCount () returned 0x1153380 [0075.490] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.490] GetProcessHeap () returned 0x3a00000 [0075.490] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.490] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0075.513] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.513] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0075.514] GetProcessHeap () returned 0x3a00000 [0075.514] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.514] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.514] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.514] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.514] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.515] CloseHandle (hObject=0x440) returned 1 [0075.515] GetProcessHeap () returned 0x3a00000 [0075.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.515] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0075.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\575__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\575__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.516] GetProcessHeap () returned 0x3a00000 [0075.516] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.516] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="576__C~1.PRO")) returned 1 [0075.516] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.516] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.516] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.516] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.516] lstrcmpiW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.516] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.516] StrStrIW (lpFirst="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.516] lstrcmpW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.516] lstrcmpW (lpString1="576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.516] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.517] GetTickCount () returned 0x115339f [0075.517] GetTickCount () returned 0x115339f [0075.517] GetTickCount () returned 0x115339f [0075.517] GetTickCount () returned 0x115339f [0075.517] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.517] GetProcessHeap () returned 0x3a00000 [0075.517] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.517] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.519] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.519] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.519] GetProcessHeap () returned 0x3a00000 [0075.519] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.519] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.519] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.519] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.519] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.519] CloseHandle (hObject=0x440) returned 1 [0075.519] GetProcessHeap () returned 0x3a00000 [0075.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.519] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\576__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\576__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.520] GetProcessHeap () returned 0x3a00000 [0075.520] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.520] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="577__C~1.PRO")) returned 1 [0075.520] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.520] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.520] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.520] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.520] lstrcmpiW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.521] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.521] StrStrIW (lpFirst="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.521] lstrcmpW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.521] lstrcmpW (lpString1="577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.521] GetTickCount () returned 0x115339f [0075.521] GetTickCount () returned 0x115339f [0075.521] GetTickCount () returned 0x115339f [0075.521] GetTickCount () returned 0x115339f [0075.521] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.521] GetProcessHeap () returned 0x3a00000 [0075.521] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.521] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.523] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.523] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.523] GetProcessHeap () returned 0x3a00000 [0075.523] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.523] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.523] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.523] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.523] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.523] CloseHandle (hObject=0x440) returned 1 [0075.524] GetProcessHeap () returned 0x3a00000 [0075.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.524] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\577__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\577__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.524] GetProcessHeap () returned 0x3a00000 [0075.524] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.524] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914c2b28, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914c2b28, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914c2b28, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="578__C~1.PRO")) returned 1 [0075.524] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.524] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.524] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.524] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.524] lstrcmpiW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.524] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.525] StrStrIW (lpFirst="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.525] lstrcmpW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.525] lstrcmpW (lpString1="578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.525] GetTickCount () returned 0x115339f [0075.525] GetTickCount () returned 0x115339f [0075.525] GetTickCount () returned 0x115339f [0075.525] GetTickCount () returned 0x115339f [0075.525] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.525] GetProcessHeap () returned 0x3a00000 [0075.525] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.525] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.527] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.527] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.527] GetProcessHeap () returned 0x3a00000 [0075.527] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.527] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.528] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.528] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.528] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.528] CloseHandle (hObject=0x440) returned 1 [0075.528] GetProcessHeap () returned 0x3a00000 [0075.528] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.528] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\578__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\578__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.529] GetProcessHeap () returned 0x3a00000 [0075.529] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.529] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914e8d94, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914e8d94, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914e8d94, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="579__C~1.PRO")) returned 1 [0075.529] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.529] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.529] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.529] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.529] lstrcmpiW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.529] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.529] StrStrIW (lpFirst="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.530] lstrcmpW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.530] lstrcmpW (lpString1="579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.530] GetTickCount () returned 0x11533af [0075.530] GetTickCount () returned 0x11533af [0075.530] GetTickCount () returned 0x11533af [0075.530] GetTickCount () returned 0x11533af [0075.530] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.530] GetProcessHeap () returned 0x3a00000 [0075.530] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.530] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.532] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.532] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.532] GetProcessHeap () returned 0x3a00000 [0075.532] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.532] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.532] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.532] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.532] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.532] CloseHandle (hObject=0x440) returned 1 [0075.532] GetProcessHeap () returned 0x3a00000 [0075.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.532] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.532] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\579__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\579__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.533] GetProcessHeap () returned 0x3a00000 [0075.533] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.533] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902ba650, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902ba650, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902ba650, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x340, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="57__CO~1.PRO")) returned 1 [0075.533] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.533] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.533] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.533] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.533] lstrcmpiW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.533] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml") returned 155 [0075.533] StrStrIW (lpFirst="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.533] lstrcmpW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.533] lstrcmpW (lpString1="57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.533] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.533] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.534] GetTickCount () returned 0x11533af [0075.534] GetTickCount () returned 0x11533af [0075.534] GetTickCount () returned 0x11533af [0075.534] GetTickCount () returned 0x11533af [0075.534] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.534] GetProcessHeap () returned 0x3a00000 [0075.534] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.534] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x340, lpOverlapped=0x0) returned 1 [0075.536] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcc0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.536] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x340, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x340, lpOverlapped=0x0) returned 1 [0075.536] GetProcessHeap () returned 0x3a00000 [0075.536] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.536] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.536] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.536] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.536] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.536] CloseHandle (hObject=0x440) returned 1 [0075.536] GetProcessHeap () returned 0x3a00000 [0075.536] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.536] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0075.536] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\57__Connections_Cellular_TIM (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\57__connections_cellular_tim (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.537] GetProcessHeap () returned 0x3a00000 [0075.537] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.537] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914e8d94, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914e8d94, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914e8d94, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="580__C~1.PRO")) returned 1 [0075.537] lstrcmpiW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.537] lstrcmpiW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.537] lstrcmpiW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.537] lstrcmpiW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.537] lstrcmpiW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.537] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.537] StrStrIW (lpFirst="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.537] lstrcmpW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.537] lstrcmpW (lpString1="580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.538] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.538] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\580__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.538] GetTickCount () returned 0x11533af [0075.538] GetTickCount () returned 0x11533af [0075.538] GetTickCount () returned 0x11533af [0075.538] GetTickCount () returned 0x11533af [0075.538] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.538] GetProcessHeap () returned 0x3a00000 [0075.538] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.538] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.540] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.540] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.540] GetProcessHeap () returned 0x3a00000 [0075.540] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.540] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.540] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.540] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.540] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.540] CloseHandle (hObject=0x440) returned 1 [0075.540] GetProcessHeap () returned 0x3a00000 [0075.540] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.540] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.540] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\580__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\580__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\580__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.541] GetProcessHeap () returned 0x3a00000 [0075.541] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.541] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914e8d94, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914e8d94, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914e8d94, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="581__C~1.PRO")) returned 1 [0075.541] lstrcmpiW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.541] lstrcmpiW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.541] lstrcmpiW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.541] lstrcmpiW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.541] lstrcmpiW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.541] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.542] StrStrIW (lpFirst="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.542] lstrcmpW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.542] lstrcmpW (lpString1="581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.542] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.542] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\581__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.542] GetTickCount () returned 0x11533af [0075.542] GetTickCount () returned 0x11533af [0075.542] GetTickCount () returned 0x11533af [0075.542] GetTickCount () returned 0x11533af [0075.542] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.542] GetProcessHeap () returned 0x3a00000 [0075.542] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.542] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0075.546] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.546] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0075.547] GetProcessHeap () returned 0x3a00000 [0075.547] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.547] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.547] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.547] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.547] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.547] CloseHandle (hObject=0x440) returned 1 [0075.547] GetProcessHeap () returned 0x3a00000 [0075.547] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.547] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\581__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\581__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\581__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.548] GetProcessHeap () returned 0x3a00000 [0075.548] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.548] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x914e8d94, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x914e8d94, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x914e8d94, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="582__C~1.PRO")) returned 1 [0075.548] lstrcmpiW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.548] lstrcmpiW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.548] lstrcmpiW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.548] lstrcmpiW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.548] lstrcmpiW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.548] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.548] StrStrIW (lpFirst="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.548] lstrcmpW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.548] lstrcmpW (lpString1="582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.548] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.548] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\582__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.549] GetTickCount () returned 0x11533be [0075.549] GetTickCount () returned 0x11533be [0075.549] GetTickCount () returned 0x11533be [0075.549] GetTickCount () returned 0x11533be [0075.549] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.549] GetProcessHeap () returned 0x3a00000 [0075.549] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.549] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.550] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.551] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.551] GetProcessHeap () returned 0x3a00000 [0075.551] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.551] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.551] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.551] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.551] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.551] CloseHandle (hObject=0x440) returned 1 [0075.551] GetProcessHeap () returned 0x3a00000 [0075.551] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.551] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\582__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\582__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\582__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.552] GetProcessHeap () returned 0x3a00000 [0075.552] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.552] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9150effc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9150effc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9150effc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="583__C~1.PRO")) returned 1 [0075.552] lstrcmpiW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.552] lstrcmpiW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.552] lstrcmpiW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.552] lstrcmpiW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.552] lstrcmpiW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.552] StrStrIW (lpFirst="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.552] lstrcmpW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.552] lstrcmpW (lpString1="583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.552] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\583__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.553] GetTickCount () returned 0x11533be [0075.553] GetTickCount () returned 0x11533be [0075.553] GetTickCount () returned 0x11533be [0075.553] GetTickCount () returned 0x11533be [0075.553] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.553] GetProcessHeap () returned 0x3a00000 [0075.553] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.553] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.576] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.576] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.577] GetProcessHeap () returned 0x3a00000 [0075.577] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.577] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.577] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.577] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.577] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.577] CloseHandle (hObject=0x440) returned 1 [0075.577] GetProcessHeap () returned 0x3a00000 [0075.577] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.577] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\583__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\583__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\583__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.578] GetProcessHeap () returned 0x3a00000 [0075.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.579] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9150effc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9150effc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9150effc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="584__C~1.PRO")) returned 1 [0075.579] lstrcmpiW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.579] lstrcmpiW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.579] lstrcmpiW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.579] lstrcmpiW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.579] lstrcmpiW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.579] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.579] StrStrIW (lpFirst="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.579] lstrcmpW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.579] lstrcmpW (lpString1="584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.579] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.579] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\584__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.579] GetTickCount () returned 0x11533de [0075.579] GetTickCount () returned 0x11533de [0075.579] GetTickCount () returned 0x11533de [0075.579] GetTickCount () returned 0x11533de [0075.580] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.580] GetProcessHeap () returned 0x3a00000 [0075.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.580] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.581] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.581] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.581] GetProcessHeap () returned 0x3a00000 [0075.581] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.581] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.581] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.582] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.582] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.582] CloseHandle (hObject=0x440) returned 1 [0075.582] GetProcessHeap () returned 0x3a00000 [0075.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.582] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\584__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\584__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\584__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.583] GetProcessHeap () returned 0x3a00000 [0075.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.583] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9150effc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9150effc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9150effc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="585__C~1.PRO")) returned 1 [0075.583] lstrcmpiW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.583] lstrcmpiW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.583] lstrcmpiW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.583] lstrcmpiW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.583] lstrcmpiW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.583] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.583] StrStrIW (lpFirst="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.583] lstrcmpW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.583] lstrcmpW (lpString1="585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.583] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\585__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.584] GetTickCount () returned 0x11533de [0075.584] GetTickCount () returned 0x11533de [0075.584] GetTickCount () returned 0x11533de [0075.584] GetTickCount () returned 0x11533de [0075.584] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.584] GetProcessHeap () returned 0x3a00000 [0075.584] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.584] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.585] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.585] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.586] GetProcessHeap () returned 0x3a00000 [0075.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.586] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.586] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.586] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.586] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.586] CloseHandle (hObject=0x440) returned 1 [0075.586] GetProcessHeap () returned 0x3a00000 [0075.586] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.586] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.586] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\585__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\585__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\585__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.587] GetProcessHeap () returned 0x3a00000 [0075.587] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.587] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9150effc, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9150effc, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9150effc, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="586__C~1.PRO")) returned 1 [0075.587] lstrcmpiW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.587] lstrcmpiW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.587] lstrcmpiW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.587] lstrcmpiW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.587] lstrcmpiW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.587] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.587] StrStrIW (lpFirst="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.587] lstrcmpW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.587] lstrcmpW (lpString1="586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.587] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.587] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\586__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.588] GetTickCount () returned 0x11533de [0075.588] GetTickCount () returned 0x11533de [0075.588] GetTickCount () returned 0x11533de [0075.588] GetTickCount () returned 0x11533de [0075.588] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.588] GetProcessHeap () returned 0x3a00000 [0075.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.588] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0075.590] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.590] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0075.590] GetProcessHeap () returned 0x3a00000 [0075.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.591] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.591] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.591] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.591] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.591] CloseHandle (hObject=0x440) returned 1 [0075.591] GetProcessHeap () returned 0x3a00000 [0075.591] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.591] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.592] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\586__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\586__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\586__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.592] GetProcessHeap () returned 0x3a00000 [0075.592] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.592] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91535267, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91535267, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91535267, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="587__C~1.PRO")) returned 1 [0075.592] lstrcmpiW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.592] lstrcmpiW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.592] lstrcmpiW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.592] lstrcmpiW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.593] lstrcmpiW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.593] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.593] StrStrIW (lpFirst="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.593] lstrcmpW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.593] lstrcmpW (lpString1="587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.593] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.593] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\587__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.593] GetTickCount () returned 0x11533ed [0075.593] GetTickCount () returned 0x11533ed [0075.593] GetTickCount () returned 0x11533ed [0075.593] GetTickCount () returned 0x11533ed [0075.593] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.593] GetProcessHeap () returned 0x3a00000 [0075.593] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.593] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.595] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.595] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.595] GetProcessHeap () returned 0x3a00000 [0075.595] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.595] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.595] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.595] CloseHandle (hObject=0x440) returned 1 [0075.595] GetProcessHeap () returned 0x3a00000 [0075.595] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.596] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.596] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\587__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\587__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\587__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.596] GetProcessHeap () returned 0x3a00000 [0075.596] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.596] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91535267, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91535267, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91535267, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="588__C~1.PRO")) returned 1 [0075.596] lstrcmpiW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.596] lstrcmpiW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.596] lstrcmpiW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.596] lstrcmpiW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.596] lstrcmpiW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.596] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.596] StrStrIW (lpFirst="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.596] lstrcmpW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.597] lstrcmpW (lpString1="588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.597] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\588__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.597] GetTickCount () returned 0x11533ed [0075.597] GetTickCount () returned 0x11533ed [0075.597] GetTickCount () returned 0x11533ed [0075.597] GetTickCount () returned 0x11533ed [0075.597] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.597] GetProcessHeap () returned 0x3a00000 [0075.597] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.597] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.598] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.599] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.599] GetProcessHeap () returned 0x3a00000 [0075.599] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.599] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.599] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.599] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.599] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.599] CloseHandle (hObject=0x440) returned 1 [0075.599] GetProcessHeap () returned 0x3a00000 [0075.599] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.599] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.599] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\588__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\588__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\588__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.600] GetProcessHeap () returned 0x3a00000 [0075.600] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.600] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91535267, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91535267, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91535267, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="589__C~1.PRO")) returned 1 [0075.600] lstrcmpiW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.600] lstrcmpiW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.600] lstrcmpiW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.600] lstrcmpiW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.600] lstrcmpiW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.600] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.600] StrStrIW (lpFirst="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.600] lstrcmpW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.600] lstrcmpW (lpString1="589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.600] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.600] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\589__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] GetTickCount () returned 0x11533ed [0075.601] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.601] GetProcessHeap () returned 0x3a00000 [0075.601] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.601] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.603] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.603] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0075.603] GetProcessHeap () returned 0x3a00000 [0075.603] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.603] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.603] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.603] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.603] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.603] CloseHandle (hObject=0x440) returned 1 [0075.603] GetProcessHeap () returned 0x3a00000 [0075.603] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.604] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.604] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\589__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\589__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\589__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.604] GetProcessHeap () returned 0x3a00000 [0075.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.604] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902e08bf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902e08bf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902e08bf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x33f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="58__CO~1.PRO")) returned 1 [0075.604] lstrcmpiW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.604] lstrcmpiW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.604] lstrcmpiW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.604] lstrcmpiW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.604] lstrcmpiW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.605] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml") returned 156 [0075.605] StrStrIW (lpFirst="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.605] lstrcmpW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.605] lstrcmpW (lpString1="58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.605] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\58__connections_cellular_vivo (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.605] GetTickCount () returned 0x11533ed [0075.605] GetTickCount () returned 0x11533ed [0075.605] GetTickCount () returned 0x11533ed [0075.605] GetTickCount () returned 0x11533ed [0075.605] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.605] GetProcessHeap () returned 0x3a00000 [0075.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.605] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x33f, lpOverlapped=0x0) returned 1 [0075.607] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcc1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.607] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x33f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x33f, lpOverlapped=0x0) returned 1 [0075.607] GetProcessHeap () returned 0x3a00000 [0075.607] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.607] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.607] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.607] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.607] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.607] CloseHandle (hObject=0x440) returned 1 [0075.607] GetProcessHeap () returned 0x3a00000 [0075.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.608] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.608] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\58__connections_cellular_vivo (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\58__Connections_Cellular_Vivo (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\58__connections_cellular_vivo (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.608] GetProcessHeap () returned 0x3a00000 [0075.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.608] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91535267, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91535267, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91535267, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="590__C~1.PRO")) returned 1 [0075.610] lstrcmpiW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.610] lstrcmpiW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.610] lstrcmpiW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.610] lstrcmpiW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.610] lstrcmpiW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.610] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.610] StrStrIW (lpFirst="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.610] lstrcmpW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.610] lstrcmpW (lpString1="590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.610] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.610] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\590__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.611] GetTickCount () returned 0x11533fd [0075.611] GetTickCount () returned 0x11533fd [0075.611] GetTickCount () returned 0x11533fd [0075.611] GetTickCount () returned 0x11533fd [0075.611] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.611] GetProcessHeap () returned 0x3a00000 [0075.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.611] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0075.622] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.622] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0075.623] GetProcessHeap () returned 0x3a00000 [0075.623] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.623] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.623] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.623] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.623] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.623] CloseHandle (hObject=0x440) returned 1 [0075.623] GetProcessHeap () returned 0x3a00000 [0075.623] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.623] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.623] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\590__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\590__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\590__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.624] GetProcessHeap () returned 0x3a00000 [0075.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.624] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9155b4d3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9155b4d3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9155b4d3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="591__C~1.PRO")) returned 1 [0075.624] lstrcmpiW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.624] lstrcmpiW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.624] lstrcmpiW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.624] lstrcmpiW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.624] lstrcmpiW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.624] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.625] StrStrIW (lpFirst="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.625] lstrcmpW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.625] lstrcmpW (lpString1="591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.625] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.625] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\591__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.625] GetTickCount () returned 0x115340c [0075.625] GetTickCount () returned 0x115340c [0075.625] GetTickCount () returned 0x115340c [0075.625] GetTickCount () returned 0x115340c [0075.625] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.625] GetProcessHeap () returned 0x3a00000 [0075.625] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.625] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.627] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.627] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.627] GetProcessHeap () returned 0x3a00000 [0075.627] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.627] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.627] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.627] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.627] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.627] CloseHandle (hObject=0x440) returned 1 [0075.627] GetProcessHeap () returned 0x3a00000 [0075.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.627] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.628] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\591__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\591__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\591__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.628] GetProcessHeap () returned 0x3a00000 [0075.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.628] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9155b4d3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9155b4d3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9155b4d3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="592__C~1.PRO")) returned 1 [0075.628] lstrcmpiW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.628] lstrcmpiW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.629] lstrcmpiW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.629] lstrcmpiW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.629] lstrcmpiW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.629] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.629] StrStrIW (lpFirst="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.629] lstrcmpW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.629] lstrcmpW (lpString1="592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.629] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\592__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.629] GetTickCount () returned 0x115340c [0075.629] GetTickCount () returned 0x115340c [0075.629] GetTickCount () returned 0x115340c [0075.629] GetTickCount () returned 0x115340c [0075.629] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.629] GetProcessHeap () returned 0x3a00000 [0075.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.629] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.631] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.631] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.631] GetProcessHeap () returned 0x3a00000 [0075.631] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.631] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.631] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.631] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.631] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.631] CloseHandle (hObject=0x440) returned 1 [0075.632] GetProcessHeap () returned 0x3a00000 [0075.632] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.632] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.632] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\592__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\592__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\592__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.633] GetProcessHeap () returned 0x3a00000 [0075.633] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.633] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9155b4d3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9155b4d3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9155b4d3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="593__C~1.PRO")) returned 1 [0075.633] lstrcmpiW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.633] lstrcmpiW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.633] lstrcmpiW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.633] lstrcmpiW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.633] lstrcmpiW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.633] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.633] StrStrIW (lpFirst="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.633] lstrcmpW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.633] lstrcmpW (lpString1="593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.633] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.633] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\593__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.633] GetTickCount () returned 0x115340c [0075.633] GetTickCount () returned 0x115340c [0075.633] GetTickCount () returned 0x115340c [0075.633] GetTickCount () returned 0x115340c [0075.633] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.634] GetProcessHeap () returned 0x3a00000 [0075.634] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.634] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.635] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.635] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.635] GetProcessHeap () returned 0x3a00000 [0075.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.635] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.635] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.635] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.635] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.636] CloseHandle (hObject=0x440) returned 1 [0075.636] GetProcessHeap () returned 0x3a00000 [0075.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.636] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.636] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\593__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\593__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\593__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.637] GetProcessHeap () returned 0x3a00000 [0075.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.637] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91581742, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91581742, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91581742, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="594__C~1.PRO")) returned 1 [0075.637] lstrcmpiW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.637] lstrcmpiW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.637] lstrcmpiW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.637] lstrcmpiW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.637] lstrcmpiW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.637] StrStrIW (lpFirst="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.637] lstrcmpW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.637] lstrcmpW (lpString1="594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.637] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.638] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\594__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.638] GetTickCount () returned 0x115341c [0075.638] GetTickCount () returned 0x115341c [0075.638] GetTickCount () returned 0x115341c [0075.638] GetTickCount () returned 0x115341c [0075.638] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.638] GetProcessHeap () returned 0x3a00000 [0075.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.638] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.640] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.640] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.640] GetProcessHeap () returned 0x3a00000 [0075.640] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.640] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.640] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.640] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.640] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.640] CloseHandle (hObject=0x440) returned 1 [0075.640] GetProcessHeap () returned 0x3a00000 [0075.640] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.640] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\594__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\594__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\594__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.641] GetProcessHeap () returned 0x3a00000 [0075.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.641] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91581742, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91581742, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91581742, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="595__C~1.PRO")) returned 1 [0075.641] lstrcmpiW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.642] lstrcmpiW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.642] lstrcmpiW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.642] lstrcmpiW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.642] lstrcmpiW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.642] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.642] StrStrIW (lpFirst="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.642] lstrcmpW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.642] lstrcmpW (lpString1="595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.642] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.642] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\595__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.642] GetTickCount () returned 0x115341c [0075.642] GetTickCount () returned 0x115341c [0075.642] GetTickCount () returned 0x115341c [0075.642] GetTickCount () returned 0x115341c [0075.642] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.642] GetProcessHeap () returned 0x3a00000 [0075.642] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.642] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.644] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.644] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.644] GetProcessHeap () returned 0x3a00000 [0075.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.644] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.644] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.644] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.644] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.644] CloseHandle (hObject=0x440) returned 1 [0075.645] GetProcessHeap () returned 0x3a00000 [0075.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.645] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.645] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\595__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\595__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\595__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.645] GetProcessHeap () returned 0x3a00000 [0075.645] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.645] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91581742, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91581742, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91581742, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="596__C~1.PRO")) returned 1 [0075.646] lstrcmpiW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.646] lstrcmpiW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.646] lstrcmpiW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.646] lstrcmpiW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.646] lstrcmpiW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.646] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.646] StrStrIW (lpFirst="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.646] lstrcmpW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.646] lstrcmpW (lpString1="596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.646] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.646] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\596__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.647] GetTickCount () returned 0x115341c [0075.647] GetTickCount () returned 0x115341c [0075.647] GetTickCount () returned 0x115341c [0075.647] GetTickCount () returned 0x115341c [0075.647] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.647] GetProcessHeap () returned 0x3a00000 [0075.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.647] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0075.649] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.649] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0075.649] GetProcessHeap () returned 0x3a00000 [0075.649] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.649] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.649] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.649] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.649] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.649] CloseHandle (hObject=0x440) returned 1 [0075.649] GetProcessHeap () returned 0x3a00000 [0075.649] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.649] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.649] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\596__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\596__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\596__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.650] GetProcessHeap () returned 0x3a00000 [0075.650] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.650] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91581742, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91581742, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91581742, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="597__C~1.PRO")) returned 1 [0075.650] lstrcmpiW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.650] lstrcmpiW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.650] lstrcmpiW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.650] lstrcmpiW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.650] lstrcmpiW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.650] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.650] StrStrIW (lpFirst="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.650] lstrcmpW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.651] lstrcmpW (lpString1="597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.651] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.651] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\597__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.651] GetTickCount () returned 0x115341c [0075.651] GetTickCount () returned 0x115341c [0075.651] GetTickCount () returned 0x115341c [0075.651] GetTickCount () returned 0x115341c [0075.651] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.651] GetProcessHeap () returned 0x3a00000 [0075.651] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.651] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.656] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.656] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.656] GetProcessHeap () returned 0x3a00000 [0075.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.656] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.657] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.657] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.657] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.657] CloseHandle (hObject=0x440) returned 1 [0075.657] GetProcessHeap () returned 0x3a00000 [0075.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.657] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.657] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\597__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\597__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\597__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.658] GetProcessHeap () returned 0x3a00000 [0075.658] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.658] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915a79aa, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915a79aa, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915a79aa, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="598__C~1.PRO")) returned 1 [0075.658] lstrcmpiW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.658] lstrcmpiW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.658] lstrcmpiW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.658] lstrcmpiW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.658] lstrcmpiW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.658] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.658] StrStrIW (lpFirst="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.658] lstrcmpW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.658] lstrcmpW (lpString1="598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.658] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.658] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\598__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.659] GetTickCount () returned 0x115342c [0075.659] GetTickCount () returned 0x115342c [0075.659] GetTickCount () returned 0x115342c [0075.659] GetTickCount () returned 0x115342c [0075.659] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.659] GetProcessHeap () returned 0x3a00000 [0075.659] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.659] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0075.669] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.669] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0075.669] GetProcessHeap () returned 0x3a00000 [0075.669] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.669] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.669] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.669] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.669] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.670] CloseHandle (hObject=0x440) returned 1 [0075.670] GetProcessHeap () returned 0x3a00000 [0075.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.670] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\598__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\598__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\598__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.671] GetProcessHeap () returned 0x3a00000 [0075.671] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.671] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915a79aa, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915a79aa, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915a79aa, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="599__C~1.PRO")) returned 1 [0075.671] lstrcmpiW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.671] lstrcmpiW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.671] lstrcmpiW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.671] lstrcmpiW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.671] lstrcmpiW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.671] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml") returned 156 [0075.671] StrStrIW (lpFirst="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.671] lstrcmpW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.671] lstrcmpW (lpString1="599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.671] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.671] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\599__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.672] GetTickCount () returned 0x115343b [0075.672] GetTickCount () returned 0x115343b [0075.672] GetTickCount () returned 0x115343b [0075.672] GetTickCount () returned 0x115343b [0075.672] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.672] GetProcessHeap () returned 0x3a00000 [0075.672] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.672] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0075.673] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.673] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0075.674] GetProcessHeap () returned 0x3a00000 [0075.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.674] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.674] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.674] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.674] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.674] CloseHandle (hObject=0x440) returned 1 [0075.674] GetProcessHeap () returned 0x3a00000 [0075.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.674] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.674] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\599__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\599__Connections_Cellular_o2 (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\599__connections_cellular_o2 (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.675] GetProcessHeap () returned 0x3a00000 [0075.675] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.675] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902e08bf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902e08bf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902e08bf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="59__CO~1.PRO")) returned 1 [0075.675] lstrcmpiW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.675] lstrcmpiW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.675] lstrcmpiW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.675] lstrcmpiW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.675] lstrcmpiW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.675] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml") returned 179 [0075.675] StrStrIW (lpFirst="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.676] lstrcmpW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.676] lstrcmpW (lpString1="59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.676] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.676] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\59__connections_cellular_cosmo bulgaria mobile ead (bulgaria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.676] GetTickCount () returned 0x115343b [0075.676] GetTickCount () returned 0x115343b [0075.676] GetTickCount () returned 0x115343b [0075.676] GetTickCount () returned 0x115343b [0075.676] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.676] GetProcessHeap () returned 0x3a00000 [0075.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.676] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2a0, lpOverlapped=0x0) returned 1 [0075.678] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd60, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.678] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2a0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2a0, lpOverlapped=0x0) returned 1 [0075.678] GetProcessHeap () returned 0x3a00000 [0075.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.678] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.678] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.678] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.678] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.678] CloseHandle (hObject=0x440) returned 1 [0075.678] GetProcessHeap () returned 0x3a00000 [0075.679] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.679] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0075.679] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\59__connections_cellular_cosmo bulgaria mobile ead (bulgaria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\59__Connections_Cellular_Cosmo Bulgaria Mobile EAD (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\59__connections_cellular_cosmo bulgaria mobile ead (bulgaria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.679] GetProcessHeap () returned 0x3a00000 [0075.679] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.679] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900f0949, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900f0949, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900f0949, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="5__CON~1.PRO")) returned 1 [0075.679] lstrcmpiW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.679] lstrcmpiW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.679] lstrcmpiW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.679] lstrcmpiW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.680] lstrcmpiW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.680] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml") returned 173 [0075.680] StrStrIW (lpFirst="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.680] lstrcmpW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.680] lstrcmpW (lpString1="5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.680] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.680] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\5__connections_cellular_telecom personal sa (argentina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.680] GetTickCount () returned 0x115343b [0075.680] GetTickCount () returned 0x115343b [0075.680] GetTickCount () returned 0x115343b [0075.680] GetTickCount () returned 0x115343b [0075.680] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.680] GetProcessHeap () returned 0x3a00000 [0075.680] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.680] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0075.682] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.682] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d9, lpOverlapped=0x0) returned 1 [0075.682] GetProcessHeap () returned 0x3a00000 [0075.682] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.682] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.682] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.682] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.682] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.682] CloseHandle (hObject=0x440) returned 1 [0075.683] GetProcessHeap () returned 0x3a00000 [0075.683] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.683] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0075.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\5__connections_cellular_telecom personal sa (argentina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\5__Connections_Cellular_Telecom Personal SA (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\5__connections_cellular_telecom personal sa (argentina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.683] GetProcessHeap () returned 0x3a00000 [0075.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.683] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915a79aa, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915a79aa, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915a79aa, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="600__C~1.PRO")) returned 1 [0075.683] lstrcmpiW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.683] lstrcmpiW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.683] lstrcmpiW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.684] lstrcmpiW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.684] lstrcmpiW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.684] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml") returned 156 [0075.684] StrStrIW (lpFirst="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.684] lstrcmpW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.684] lstrcmpW (lpString1="600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.684] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\600__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.684] GetTickCount () returned 0x115343b [0075.684] GetTickCount () returned 0x115343b [0075.684] GetTickCount () returned 0x115343b [0075.684] GetTickCount () returned 0x115343b [0075.684] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.685] GetProcessHeap () returned 0x3a00000 [0075.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.685] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.686] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.686] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.686] GetProcessHeap () returned 0x3a00000 [0075.686] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.686] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.686] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.686] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.687] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.687] CloseHandle (hObject=0x440) returned 1 [0075.687] GetProcessHeap () returned 0x3a00000 [0075.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\600__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\600__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\600__connections_cellular_sfr (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.688] GetProcessHeap () returned 0x3a00000 [0075.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.688] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915a79aa, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915a79aa, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915a79aa, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="601__C~1.PRO")) returned 1 [0075.688] lstrcmpiW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.688] lstrcmpiW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.688] lstrcmpiW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.688] lstrcmpiW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.688] lstrcmpiW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.688] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml") returned 156 [0075.688] StrStrIW (lpFirst="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.688] lstrcmpW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.688] lstrcmpW (lpString1="601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.688] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\601__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.688] GetTickCount () returned 0x115344b [0075.688] GetTickCount () returned 0x115344b [0075.688] GetTickCount () returned 0x115344b [0075.689] GetTickCount () returned 0x115344b [0075.689] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.689] GetProcessHeap () returned 0x3a00000 [0075.689] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.689] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.690] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.690] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.690] GetProcessHeap () returned 0x3a00000 [0075.690] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.690] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.690] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.690] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.690] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.691] CloseHandle (hObject=0x440) returned 1 [0075.691] GetProcessHeap () returned 0x3a00000 [0075.691] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.691] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.691] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\601__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\601__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\601__connections_cellular_sfr (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.691] GetProcessHeap () returned 0x3a00000 [0075.692] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.692] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915cdc15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915cdc15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915cdc15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", cAlternateFileName="602__C~1.PRO")) returned 1 [0075.692] lstrcmpiW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.692] lstrcmpiW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.692] lstrcmpiW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.692] lstrcmpiW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.692] lstrcmpiW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.692] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml") returned 156 [0075.692] StrStrIW (lpFirst="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.692] lstrcmpW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.692] lstrcmpW (lpString1="602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.692] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.692] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\602__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.693] GetTickCount () returned 0x115344b [0075.693] GetTickCount () returned 0x115344b [0075.693] GetTickCount () returned 0x115344b [0075.693] GetTickCount () returned 0x115344b [0075.693] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.693] GetProcessHeap () returned 0x3a00000 [0075.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.693] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.695] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.695] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0075.695] GetProcessHeap () returned 0x3a00000 [0075.695] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.695] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.695] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.698] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.698] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.699] CloseHandle (hObject=0x440) returned 1 [0075.699] GetProcessHeap () returned 0x3a00000 [0075.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.699] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.699] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\602__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\602__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\602__connections_cellular_sfr (france)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.700] GetProcessHeap () returned 0x3a00000 [0075.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.700] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915cdc15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915cdc15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915cdc15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", cAlternateFileName="603__C~1.PRO")) returned 1 [0075.700] lstrcmpiW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.700] lstrcmpiW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.700] lstrcmpiW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.700] lstrcmpiW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.700] lstrcmpiW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.700] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml") returned 156 [0075.701] StrStrIW (lpFirst="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.701] lstrcmpW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.701] lstrcmpW (lpString1="603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.701] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.701] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\603__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.702] GetTickCount () returned 0x115345b [0075.702] GetTickCount () returned 0x115345b [0075.702] GetTickCount () returned 0x115345b [0075.702] GetTickCount () returned 0x115345b [0075.702] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.702] GetProcessHeap () returned 0x3a00000 [0075.702] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.702] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0075.703] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.704] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0075.704] GetProcessHeap () returned 0x3a00000 [0075.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.704] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.704] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.704] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.704] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.704] CloseHandle (hObject=0x440) returned 1 [0075.704] GetProcessHeap () returned 0x3a00000 [0075.704] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.704] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0075.704] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\603__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\603__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\603__connections_cellular_sfr (france)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.705] GetProcessHeap () returned 0x3a00000 [0075.705] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.705] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915cdc15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915cdc15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915cdc15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="604__C~1.PRO")) returned 1 [0075.705] lstrcmpiW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.705] lstrcmpiW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.705] lstrcmpiW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.705] lstrcmpiW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.705] lstrcmpiW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.705] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml") returned 164 [0075.705] StrStrIW (lpFirst="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.705] lstrcmpW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.705] lstrcmpW (lpString1="604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.705] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.706] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\604__connections_cellular_saunalahti (finland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.706] GetTickCount () returned 0x115345b [0075.706] GetTickCount () returned 0x115345b [0075.706] GetTickCount () returned 0x115345b [0075.706] GetTickCount () returned 0x115345b [0075.706] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.706] GetProcessHeap () returned 0x3a00000 [0075.706] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.706] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.708] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.708] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0075.709] GetProcessHeap () returned 0x3a00000 [0075.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.709] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.709] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.709] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.709] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.709] CloseHandle (hObject=0x440) returned 1 [0075.709] GetProcessHeap () returned 0x3a00000 [0075.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\604__connections_cellular_saunalahti (finland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\604__Connections_Cellular_Saunalahti (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\604__connections_cellular_saunalahti (finland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.710] GetProcessHeap () returned 0x3a00000 [0075.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.710] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915cdc15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915cdc15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915cdc15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="605__C~1.PRO")) returned 1 [0075.714] lstrcmpiW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.714] lstrcmpiW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.714] lstrcmpiW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.714] lstrcmpiW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.714] lstrcmpiW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.714] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml") returned 164 [0075.714] StrStrIW (lpFirst="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.714] lstrcmpW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.714] lstrcmpW (lpString1="605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.714] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.714] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\605__connections_cellular_saunalahti (finland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.715] GetTickCount () returned 0x115345b [0075.715] GetTickCount () returned 0x115345b [0075.715] GetTickCount () returned 0x115345b [0075.715] GetTickCount () returned 0x115345b [0075.715] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.715] GetProcessHeap () returned 0x3a00000 [0075.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.715] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0075.722] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.722] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0075.723] GetProcessHeap () returned 0x3a00000 [0075.723] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.723] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.723] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.723] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.723] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.723] CloseHandle (hObject=0x440) returned 1 [0075.723] GetProcessHeap () returned 0x3a00000 [0075.723] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.723] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\605__connections_cellular_saunalahti (finland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\605__Connections_Cellular_Saunalahti (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\605__connections_cellular_saunalahti (finland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.724] GetProcessHeap () returned 0x3a00000 [0075.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.724] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915cdc15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915cdc15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915cdc15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="606__C~1.PRO")) returned 1 [0075.724] lstrcmpiW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.724] lstrcmpiW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.724] lstrcmpiW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.724] lstrcmpiW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.724] lstrcmpiW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.724] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml") returned 163 [0075.724] StrStrIW (lpFirst="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.724] lstrcmpW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.724] lstrcmpW (lpString1="606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.725] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.725] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\606__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.725] GetTickCount () returned 0x115346a [0075.725] GetTickCount () returned 0x115346a [0075.725] GetTickCount () returned 0x115346a [0075.725] GetTickCount () returned 0x115346a [0075.725] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.725] GetProcessHeap () returned 0x3a00000 [0075.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.725] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0075.729] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.729] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0075.730] GetProcessHeap () returned 0x3a00000 [0075.730] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.730] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.730] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.730] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.730] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.730] CloseHandle (hObject=0x440) returned 1 [0075.730] GetProcessHeap () returned 0x3a00000 [0075.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0075.730] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\606__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\606__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\606__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.732] GetProcessHeap () returned 0x3a00000 [0075.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.732] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="607__C~1.PRO")) returned 1 [0075.732] lstrcmpiW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.732] lstrcmpiW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.732] lstrcmpiW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.732] lstrcmpiW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.732] lstrcmpiW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.732] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.732] StrStrIW (lpFirst="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.732] lstrcmpW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.732] lstrcmpW (lpString1="607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.732] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\607__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.733] GetTickCount () returned 0x115347a [0075.733] GetTickCount () returned 0x115347a [0075.733] GetTickCount () returned 0x115347a [0075.733] GetTickCount () returned 0x115347a [0075.733] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.733] GetProcessHeap () returned 0x3a00000 [0075.733] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.733] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d5, lpOverlapped=0x0) returned 1 [0075.734] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.734] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d5, lpOverlapped=0x0) returned 1 [0075.734] GetProcessHeap () returned 0x3a00000 [0075.734] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.734] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.734] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.736] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.736] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.736] CloseHandle (hObject=0x440) returned 1 [0075.737] GetProcessHeap () returned 0x3a00000 [0075.737] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.737] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\607__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\607__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\607__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.737] GetProcessHeap () returned 0x3a00000 [0075.737] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.737] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2dc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="608__C~1.PRO")) returned 1 [0075.737] lstrcmpiW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.737] lstrcmpiW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.738] lstrcmpiW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.738] lstrcmpiW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.738] lstrcmpiW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.738] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml") returned 163 [0075.738] StrStrIW (lpFirst="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.738] lstrcmpW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.738] lstrcmpW (lpString1="608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.738] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.738] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\608__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.738] GetTickCount () returned 0x115347a [0075.738] GetTickCount () returned 0x115347a [0075.738] GetTickCount () returned 0x115347a [0075.738] GetTickCount () returned 0x115347a [0075.738] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.738] GetProcessHeap () returned 0x3a00000 [0075.738] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.738] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0075.740] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd24, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.740] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2dc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2dc, lpOverlapped=0x0) returned 1 [0075.740] GetProcessHeap () returned 0x3a00000 [0075.740] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.740] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.740] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.740] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.740] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.740] CloseHandle (hObject=0x440) returned 1 [0075.740] GetProcessHeap () returned 0x3a00000 [0075.740] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0075.741] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\608__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\608__Connections_Cellular_Tata Docomo (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\608__connections_cellular_tata docomo (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.741] GetProcessHeap () returned 0x3a00000 [0075.741] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.741] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", cAlternateFileName="609__C~1.PRO")) returned 1 [0075.741] lstrcmpiW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.741] lstrcmpiW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.741] lstrcmpiW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.742] lstrcmpiW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.742] lstrcmpiW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.742] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml") returned 163 [0075.742] StrStrIW (lpFirst="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.742] lstrcmpW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.742] lstrcmpW (lpString1="609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.742] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.742] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\609__connections_cellular_tata docomo (india)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.742] GetTickCount () returned 0x115347a [0075.742] GetTickCount () returned 0x115347a [0075.742] GetTickCount () returned 0x115347a [0075.742] GetTickCount () returned 0x115347a [0075.742] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.742] GetProcessHeap () returned 0x3a00000 [0075.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.742] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0075.744] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.744] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0075.744] GetProcessHeap () returned 0x3a00000 [0075.744] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.744] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.744] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.744] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.744] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.745] CloseHandle (hObject=0x440) returned 1 [0075.745] GetProcessHeap () returned 0x3a00000 [0075.745] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0075.745] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\609__connections_cellular_tata docomo (india)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\609__Connections_Cellular_Tata Docomo (India)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\609__connections_cellular_tata docomo (india)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.746] GetProcessHeap () returned 0x3a00000 [0075.746] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.746] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902e08bf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902e08bf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902e08bf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="60__CO~1.PRO")) returned 1 [0075.746] lstrcmpiW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.746] lstrcmpiW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.746] lstrcmpiW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.746] lstrcmpiW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.746] lstrcmpiW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.746] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml") returned 158 [0075.746] StrStrIW (lpFirst="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.746] lstrcmpW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.746] lstrcmpW (lpString1="60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.746] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.746] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\60__connections_cellular_mtel (bulgaria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.746] GetTickCount () returned 0x115347a [0075.746] GetTickCount () returned 0x115347a [0075.746] GetTickCount () returned 0x115347a [0075.746] GetTickCount () returned 0x115347a [0075.747] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.747] GetProcessHeap () returned 0x3a00000 [0075.747] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.747] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0075.748] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.748] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0075.748] GetProcessHeap () returned 0x3a00000 [0075.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.748] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.748] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.749] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.749] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.749] CloseHandle (hObject=0x440) returned 1 [0075.749] GetProcessHeap () returned 0x3a00000 [0075.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.749] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0075.749] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\60__connections_cellular_mtel (bulgaria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\60__Connections_Cellular_Mtel (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\60__connections_cellular_mtel (bulgaria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.750] GetProcessHeap () returned 0x3a00000 [0075.750] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.750] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="610__C~1.PRO")) returned 1 [0075.750] lstrcmpiW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.750] lstrcmpiW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.750] lstrcmpiW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.750] lstrcmpiW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.750] lstrcmpiW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.750] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.750] StrStrIW (lpFirst="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.750] lstrcmpW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.750] lstrcmpW (lpString1="610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.750] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\610__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.750] GetTickCount () returned 0x1153489 [0075.750] GetTickCount () returned 0x1153489 [0075.750] GetTickCount () returned 0x1153489 [0075.750] GetTickCount () returned 0x1153489 [0075.751] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.751] GetProcessHeap () returned 0x3a00000 [0075.751] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.751] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d5, lpOverlapped=0x0) returned 1 [0075.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d5, lpOverlapped=0x0) returned 1 [0075.752] GetProcessHeap () returned 0x3a00000 [0075.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.752] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.752] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.752] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.753] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.753] CloseHandle (hObject=0x440) returned 1 [0075.753] GetProcessHeap () returned 0x3a00000 [0075.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.753] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.753] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\610__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\610__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\610__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.754] GetProcessHeap () returned 0x3a00000 [0075.754] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.754] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x351, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="611__C~1.PRO")) returned 1 [0075.754] lstrcmpiW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.754] lstrcmpiW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.754] lstrcmpiW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.754] lstrcmpiW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.754] lstrcmpiW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.754] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml") returned 166 [0075.754] StrStrIW (lpFirst="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.754] lstrcmpW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.754] lstrcmpW (lpString1="611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.754] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.754] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\611__connections_cellular_truphone (netherlands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.754] GetTickCount () returned 0x1153489 [0075.754] GetTickCount () returned 0x1153489 [0075.754] GetTickCount () returned 0x1153489 [0075.754] GetTickCount () returned 0x1153489 [0075.754] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.754] GetProcessHeap () returned 0x3a00000 [0075.755] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.755] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x351, lpOverlapped=0x0) returned 1 [0075.791] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcaf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.791] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x351, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x351, lpOverlapped=0x0) returned 1 [0075.792] GetProcessHeap () returned 0x3a00000 [0075.792] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.792] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.792] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.792] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.792] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.792] CloseHandle (hObject=0x440) returned 1 [0075.792] GetProcessHeap () returned 0x3a00000 [0075.792] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.792] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0075.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\611__connections_cellular_truphone (netherlands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\611__Connections_Cellular_Truphone (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\611__connections_cellular_truphone (netherlands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.793] GetProcessHeap () returned 0x3a00000 [0075.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.793] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x915f3e81, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x915f3e81, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x915f3e81, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="612__C~1.PRO")) returned 1 [0075.793] lstrcmpiW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.794] lstrcmpiW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.794] lstrcmpiW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.794] lstrcmpiW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.794] lstrcmpiW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.794] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.794] StrStrIW (lpFirst="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.794] lstrcmpW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.794] lstrcmpW (lpString1="612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.794] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.794] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\612__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.795] GetTickCount () returned 0x11534b8 [0075.795] GetTickCount () returned 0x11534b8 [0075.795] GetTickCount () returned 0x11534b8 [0075.795] GetTickCount () returned 0x11534b8 [0075.795] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.795] GetProcessHeap () returned 0x3a00000 [0075.795] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.795] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.796] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.796] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.796] GetProcessHeap () returned 0x3a00000 [0075.796] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.796] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.796] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.798] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.798] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.798] CloseHandle (hObject=0x440) returned 1 [0075.798] GetProcessHeap () returned 0x3a00000 [0075.799] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.799] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\612__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\612__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\612__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.799] GetProcessHeap () returned 0x3a00000 [0075.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.799] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9161a0f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9161a0f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9161a0f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="613__C~1.PRO")) returned 1 [0075.799] lstrcmpiW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.800] lstrcmpiW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.800] lstrcmpiW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.800] lstrcmpiW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.800] lstrcmpiW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.800] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 169 [0075.800] StrStrIW (lpFirst="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.800] lstrcmpW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.800] lstrcmpW (lpString1="613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.800] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\613__connections_cellular_truphone (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.801] GetTickCount () returned 0x11534b8 [0075.801] GetTickCount () returned 0x11534b8 [0075.801] GetTickCount () returned 0x11534b8 [0075.801] GetTickCount () returned 0x11534b8 [0075.801] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.801] GetProcessHeap () returned 0x3a00000 [0075.801] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.801] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0075.802] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcac, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.802] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x354, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x354, lpOverlapped=0x0) returned 1 [0075.803] GetProcessHeap () returned 0x3a00000 [0075.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.803] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.803] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.803] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.803] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.803] CloseHandle (hObject=0x440) returned 1 [0075.803] GetProcessHeap () returned 0x3a00000 [0075.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.803] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0075.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\613__connections_cellular_truphone (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\613__Connections_Cellular_Truphone (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\613__connections_cellular_truphone (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.804] GetProcessHeap () returned 0x3a00000 [0075.804] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.804] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9161a0f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9161a0f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9161a0f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="614__C~1.PRO")) returned 1 [0075.804] lstrcmpiW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.804] lstrcmpiW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.804] lstrcmpiW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.804] lstrcmpiW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.804] lstrcmpiW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.804] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.804] StrStrIW (lpFirst="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.804] lstrcmpW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.804] lstrcmpW (lpString1="614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.804] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\614__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.805] GetTickCount () returned 0x11534b8 [0075.805] GetTickCount () returned 0x11534b8 [0075.805] GetTickCount () returned 0x11534b8 [0075.805] GetTickCount () returned 0x11534b8 [0075.805] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.805] GetProcessHeap () returned 0x3a00000 [0075.805] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.805] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.806] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.806] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.806] GetProcessHeap () returned 0x3a00000 [0075.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.807] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.807] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.807] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.807] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.807] CloseHandle (hObject=0x440) returned 1 [0075.807] GetProcessHeap () returned 0x3a00000 [0075.807] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.807] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\614__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\614__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\614__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.808] GetProcessHeap () returned 0x3a00000 [0075.808] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.808] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9161a0f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9161a0f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9161a0f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="615__C~1.PRO")) returned 1 [0075.808] lstrcmpiW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.808] lstrcmpiW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.808] lstrcmpiW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.808] lstrcmpiW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.808] lstrcmpiW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.808] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml") returned 168 [0075.808] StrStrIW (lpFirst="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.809] lstrcmpW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.809] lstrcmpW (lpString1="615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.809] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\615__connections_cellular_truphone (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.809] GetTickCount () returned 0x11534b8 [0075.809] GetTickCount () returned 0x11534b8 [0075.809] GetTickCount () returned 0x11534b8 [0075.809] GetTickCount () returned 0x11534b8 [0075.809] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.809] GetProcessHeap () returned 0x3a00000 [0075.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.809] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.811] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.811] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.811] GetProcessHeap () returned 0x3a00000 [0075.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.811] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.811] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.811] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.811] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.811] CloseHandle (hObject=0x440) returned 1 [0075.811] GetProcessHeap () returned 0x3a00000 [0075.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.811] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0075.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\615__connections_cellular_truphone (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\615__Connections_Cellular_Truphone (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\615__connections_cellular_truphone (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.812] GetProcessHeap () returned 0x3a00000 [0075.812] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.812] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9161a0f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9161a0f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9161a0f0, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="616__C~1.PRO")) returned 1 [0075.812] lstrcmpiW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.812] lstrcmpiW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.812] lstrcmpiW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.812] lstrcmpiW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.812] lstrcmpiW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.812] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.812] StrStrIW (lpFirst="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.813] lstrcmpW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.813] lstrcmpW (lpString1="616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.813] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.813] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\616__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] GetTickCount () returned 0x11534c8 [0075.813] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.813] GetProcessHeap () returned 0x3a00000 [0075.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.813] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.814] GetProcessHeap () returned 0x3a00000 [0075.814] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.815] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.815] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.815] CloseHandle (hObject=0x440) returned 1 [0075.815] GetProcessHeap () returned 0x3a00000 [0075.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.816] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\616__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\616__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\616__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.816] GetProcessHeap () returned 0x3a00000 [0075.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.816] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="617__C~1.PRO")) returned 1 [0075.816] lstrcmpiW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.817] lstrcmpiW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.817] lstrcmpiW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.817] lstrcmpiW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.817] lstrcmpiW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.817] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml") returned 164 [0075.817] StrStrIW (lpFirst="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.817] lstrcmpW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.817] lstrcmpW (lpString1="617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.817] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.817] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\617__connections_cellular_truphone (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] GetTickCount () returned 0x11534c8 [0075.817] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.817] GetProcessHeap () returned 0x3a00000 [0075.817] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.817] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0075.819] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.819] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34f, lpOverlapped=0x0) returned 1 [0075.819] GetProcessHeap () returned 0x3a00000 [0075.819] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.819] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.819] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.819] CloseHandle (hObject=0x440) returned 1 [0075.819] GetProcessHeap () returned 0x3a00000 [0075.820] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.820] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0075.820] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\617__connections_cellular_truphone (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\617__Connections_Cellular_Truphone (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\617__connections_cellular_truphone (australia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.820] GetProcessHeap () returned 0x3a00000 [0075.820] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.820] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="618__C~1.PRO")) returned 1 [0075.820] lstrcmpiW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.820] lstrcmpiW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.821] lstrcmpiW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.821] lstrcmpiW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.821] lstrcmpiW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.821] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.821] StrStrIW (lpFirst="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.821] lstrcmpW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.821] lstrcmpW (lpString1="618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.821] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.821] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\618__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.821] GetTickCount () returned 0x11534c8 [0075.821] GetTickCount () returned 0x11534c8 [0075.821] GetTickCount () returned 0x11534c8 [0075.821] GetTickCount () returned 0x11534c8 [0075.821] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.821] GetProcessHeap () returned 0x3a00000 [0075.821] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.821] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.822] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.822] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.822] GetProcessHeap () returned 0x3a00000 [0075.822] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.823] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.823] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.823] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.823] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.823] CloseHandle (hObject=0x440) returned 1 [0075.823] GetProcessHeap () returned 0x3a00000 [0075.824] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.824] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.824] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\618__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\618__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\618__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.824] GetProcessHeap () returned 0x3a00000 [0075.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.824] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="619__C~1.PRO")) returned 1 [0075.824] lstrcmpiW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.824] lstrcmpiW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.824] lstrcmpiW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.824] lstrcmpiW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.824] lstrcmpiW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.825] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 168 [0075.825] StrStrIW (lpFirst="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.825] lstrcmpW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.825] lstrcmpW (lpString1="619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.825] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.825] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\619__connections_cellular_truphone (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.825] GetTickCount () returned 0x11534d8 [0075.825] GetTickCount () returned 0x11534d8 [0075.825] GetTickCount () returned 0x11534d8 [0075.825] GetTickCount () returned 0x11534d8 [0075.825] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.826] GetProcessHeap () returned 0x3a00000 [0075.826] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.826] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.827] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.827] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0075.827] GetProcessHeap () returned 0x3a00000 [0075.827] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.827] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.827] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.827] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.827] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.828] CloseHandle (hObject=0x440) returned 1 [0075.828] GetProcessHeap () returned 0x3a00000 [0075.828] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.828] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0075.828] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\619__connections_cellular_truphone (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\619__Connections_Cellular_Truphone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\619__connections_cellular_truphone (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.829] GetProcessHeap () returned 0x3a00000 [0075.829] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.829] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x902e08bf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x902e08bf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x902e08bf, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="61__CO~1.PRO")) returned 1 [0075.829] lstrcmpiW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.829] lstrcmpiW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.829] lstrcmpiW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.829] lstrcmpiW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.829] lstrcmpiW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.829] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml") returned 161 [0075.829] StrStrIW (lpFirst="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.829] lstrcmpW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.829] lstrcmpW (lpString1="61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.829] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.829] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\61__connections_cellular_vivatel (bulgaria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.829] GetTickCount () returned 0x11534d8 [0075.829] GetTickCount () returned 0x11534d8 [0075.829] GetTickCount () returned 0x11534d8 [0075.829] GetTickCount () returned 0x11534d8 [0075.829] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.829] GetProcessHeap () returned 0x3a00000 [0075.829] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.829] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0075.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0075.855] GetProcessHeap () returned 0x3a00000 [0075.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.855] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.855] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.855] CloseHandle (hObject=0x440) returned 1 [0075.855] GetProcessHeap () returned 0x3a00000 [0075.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.856] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0075.856] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\61__connections_cellular_vivatel (bulgaria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\61__Connections_Cellular_Vivatel (Bulgaria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\61__connections_cellular_vivatel (bulgaria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.857] GetProcessHeap () returned 0x3a00000 [0075.857] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.857] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="620__C~1.PRO")) returned 1 [0075.860] lstrcmpiW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.860] lstrcmpiW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.860] lstrcmpiW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.860] lstrcmpiW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.860] lstrcmpiW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.860] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.860] StrStrIW (lpFirst="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.860] lstrcmpW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.860] lstrcmpW (lpString1="620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.860] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.860] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\620__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.860] GetTickCount () returned 0x11534f7 [0075.860] GetTickCount () returned 0x11534f7 [0075.860] GetTickCount () returned 0x11534f7 [0075.860] GetTickCount () returned 0x11534f7 [0075.860] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.861] GetProcessHeap () returned 0x3a00000 [0075.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.862] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.862] GetProcessHeap () returned 0x3a00000 [0075.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.862] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.862] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.863] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.863] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.863] CloseHandle (hObject=0x440) returned 1 [0075.863] GetProcessHeap () returned 0x3a00000 [0075.863] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.863] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.863] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\620__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\620__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\620__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.864] GetProcessHeap () returned 0x3a00000 [0075.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.864] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="621__C~1.PRO")) returned 1 [0075.864] lstrcmpiW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.864] lstrcmpiW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.864] lstrcmpiW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.864] lstrcmpiW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.864] lstrcmpiW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.864] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml") returned 162 [0075.864] StrStrIW (lpFirst="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.864] lstrcmpW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.864] lstrcmpW (lpString1="621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.864] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.864] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\621__connections_cellular_truphone (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.864] GetTickCount () returned 0x11534f7 [0075.864] GetTickCount () returned 0x11534f7 [0075.864] GetTickCount () returned 0x11534f7 [0075.864] GetTickCount () returned 0x11534f7 [0075.864] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.865] GetProcessHeap () returned 0x3a00000 [0075.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.865] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0075.866] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.866] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34d, lpOverlapped=0x0) returned 1 [0075.866] GetProcessHeap () returned 0x3a00000 [0075.866] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.866] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.867] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.867] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.867] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.867] CloseHandle (hObject=0x440) returned 1 [0075.867] GetProcessHeap () returned 0x3a00000 [0075.867] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.867] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.867] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\621__connections_cellular_truphone (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\621__Connections_Cellular_Truphone (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\621__connections_cellular_truphone (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.868] GetProcessHeap () returned 0x3a00000 [0075.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.868] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91640358, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91640358, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91640358, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="622__C~1.PRO")) returned 1 [0075.868] lstrcmpiW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.868] lstrcmpiW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.868] lstrcmpiW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.868] lstrcmpiW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.868] lstrcmpiW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.868] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.868] StrStrIW (lpFirst="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.868] lstrcmpW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.868] lstrcmpW (lpString1="622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.868] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.868] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\622__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.868] GetTickCount () returned 0x11534f7 [0075.868] GetTickCount () returned 0x11534f7 [0075.868] GetTickCount () returned 0x11534f7 [0075.868] GetTickCount () returned 0x11534f7 [0075.869] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.869] GetProcessHeap () returned 0x3a00000 [0075.869] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.869] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.870] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.870] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.870] GetProcessHeap () returned 0x3a00000 [0075.870] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.870] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.870] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.871] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.871] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.871] CloseHandle (hObject=0x440) returned 1 [0075.871] GetProcessHeap () returned 0x3a00000 [0075.871] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.871] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\622__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\622__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\622__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.872] GetProcessHeap () returned 0x3a00000 [0075.872] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.872] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", cAlternateFileName="623__C~1.PRO")) returned 1 [0075.872] lstrcmpiW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.872] lstrcmpiW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.872] lstrcmpiW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.872] lstrcmpiW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.872] lstrcmpiW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.872] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml") returned 160 [0075.872] StrStrIW (lpFirst="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.872] lstrcmpW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.873] lstrcmpW (lpString1="623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.873] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.873] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\623__connections_cellular_truphone (spain)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.873] GetTickCount () returned 0x1153506 [0075.874] GetTickCount () returned 0x1153506 [0075.874] GetTickCount () returned 0x1153506 [0075.874] GetTickCount () returned 0x1153506 [0075.874] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.874] GetProcessHeap () returned 0x3a00000 [0075.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.874] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34b, lpOverlapped=0x0) returned 1 [0075.875] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.875] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34b, lpOverlapped=0x0) returned 1 [0075.875] GetProcessHeap () returned 0x3a00000 [0075.875] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.875] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.875] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.876] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.876] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.876] CloseHandle (hObject=0x440) returned 1 [0075.876] GetProcessHeap () returned 0x3a00000 [0075.876] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.876] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0075.876] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\623__connections_cellular_truphone (spain)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\623__Connections_Cellular_Truphone (Spain)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\623__connections_cellular_truphone (spain)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.877] GetProcessHeap () returned 0x3a00000 [0075.877] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.877] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="624__C~1.PRO")) returned 1 [0075.877] lstrcmpiW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.877] lstrcmpiW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.877] lstrcmpiW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.877] lstrcmpiW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.877] lstrcmpiW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.877] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.877] StrStrIW (lpFirst="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.877] lstrcmpW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.877] lstrcmpW (lpString1="624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.877] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.877] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\624__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.877] GetTickCount () returned 0x1153506 [0075.878] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.878] GetProcessHeap () returned 0x3a00000 [0075.878] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.878] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.879] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.879] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.879] GetProcessHeap () returned 0x3a00000 [0075.879] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.879] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.879] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.879] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.880] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.880] CloseHandle (hObject=0x440) returned 1 [0075.880] GetProcessHeap () returned 0x3a00000 [0075.880] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.880] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.880] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\624__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\624__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\624__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.881] GetProcessHeap () returned 0x3a00000 [0075.881] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.881] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x34c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="625__C~1.PRO")) returned 1 [0075.881] lstrcmpiW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.881] lstrcmpiW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.881] lstrcmpiW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.881] lstrcmpiW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.881] lstrcmpiW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.881] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml") returned 161 [0075.881] StrStrIW (lpFirst="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.881] lstrcmpW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.881] lstrcmpW (lpString1="625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.881] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.881] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\625__connections_cellular_truphone (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.881] GetTickCount () returned 0x1153506 [0075.881] GetTickCount () returned 0x1153506 [0075.881] GetTickCount () returned 0x1153506 [0075.881] GetTickCount () returned 0x1153506 [0075.881] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.881] GetProcessHeap () returned 0x3a00000 [0075.882] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.882] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0075.883] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcb4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.883] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x34c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x34c, lpOverlapped=0x0) returned 1 [0075.883] GetProcessHeap () returned 0x3a00000 [0075.883] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.883] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.883] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.883] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.883] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.883] CloseHandle (hObject=0x440) returned 1 [0075.884] GetProcessHeap () returned 0x3a00000 [0075.884] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.884] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0075.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\625__connections_cellular_truphone (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\625__Connections_Cellular_Truphone (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\625__connections_cellular_truphone (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.884] GetProcessHeap () returned 0x3a00000 [0075.884] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.885] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="626__C~1.PRO")) returned 1 [0075.885] lstrcmpiW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.885] lstrcmpiW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.885] lstrcmpiW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.885] lstrcmpiW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.885] lstrcmpiW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.885] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.885] StrStrIW (lpFirst="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.885] lstrcmpW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.885] lstrcmpW (lpString1="626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.885] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.885] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\626__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.885] GetTickCount () returned 0x1153506 [0075.885] GetTickCount () returned 0x1153506 [0075.885] GetTickCount () returned 0x1153506 [0075.885] GetTickCount () returned 0x1153506 [0075.885] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.885] GetProcessHeap () returned 0x3a00000 [0075.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.885] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.886] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.886] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.886] GetProcessHeap () returned 0x3a00000 [0075.887] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.887] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.887] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.887] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.887] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.887] CloseHandle (hObject=0x440) returned 1 [0075.890] GetProcessHeap () returned 0x3a00000 [0075.890] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.890] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\626__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\626__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\626__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.891] GetProcessHeap () returned 0x3a00000 [0075.891] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.891] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", cAlternateFileName="627__C~1.PRO")) returned 1 [0075.891] lstrcmpiW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.891] lstrcmpiW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.891] lstrcmpiW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.891] lstrcmpiW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.891] lstrcmpiW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.891] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml") returned 161 [0075.891] StrStrIW (lpFirst="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.891] lstrcmpW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.891] lstrcmpW (lpString1="627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.891] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.891] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\627__connections_cellular_telenet (belgium)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.892] GetTickCount () returned 0x1153516 [0075.892] GetTickCount () returned 0x1153516 [0075.892] GetTickCount () returned 0x1153516 [0075.892] GetTickCount () returned 0x1153516 [0075.892] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.892] GetProcessHeap () returned 0x3a00000 [0075.892] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.892] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.894] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.894] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.894] GetProcessHeap () returned 0x3a00000 [0075.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.894] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.894] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.894] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.894] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.894] CloseHandle (hObject=0x440) returned 1 [0075.894] GetProcessHeap () returned 0x3a00000 [0075.894] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.894] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0075.894] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\627__connections_cellular_telenet (belgium)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\627__Connections_Cellular_Telenet (Belgium)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\627__connections_cellular_telenet (belgium)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.898] GetProcessHeap () returned 0x3a00000 [0075.898] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.898] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916665c7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916665c7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916665c7, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="628__C~1.PRO")) returned 1 [0075.898] lstrcmpiW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.898] lstrcmpiW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.898] lstrcmpiW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.898] lstrcmpiW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.898] lstrcmpiW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.898] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.898] StrStrIW (lpFirst="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.898] lstrcmpW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.898] lstrcmpW (lpString1="628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.898] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.898] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\628__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.899] GetTickCount () returned 0x1153516 [0075.899] GetTickCount () returned 0x1153516 [0075.899] GetTickCount () returned 0x1153516 [0075.899] GetTickCount () returned 0x1153516 [0075.899] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.899] GetProcessHeap () returned 0x3a00000 [0075.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.899] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c2, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.910] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c2, lpOverlapped=0x0) returned 1 [0075.911] GetProcessHeap () returned 0x3a00000 [0075.911] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.911] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.911] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.912] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.912] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.912] CloseHandle (hObject=0x440) returned 1 [0075.912] GetProcessHeap () returned 0x3a00000 [0075.912] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.912] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\628__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\628__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\628__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.913] GetProcessHeap () returned 0x3a00000 [0075.913] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.913] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9168c833, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9168c833, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9168c833, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="629__C~1.PRO")) returned 1 [0075.913] lstrcmpiW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.913] lstrcmpiW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.913] lstrcmpiW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.913] lstrcmpiW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.913] lstrcmpiW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.913] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml") returned 157 [0075.913] StrStrIW (lpFirst="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.913] lstrcmpW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.913] lstrcmpW (lpString1="629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.913] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\629__connections_cellular_bell (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.914] GetTickCount () returned 0x1153526 [0075.914] GetTickCount () returned 0x1153526 [0075.914] GetTickCount () returned 0x1153526 [0075.914] GetTickCount () returned 0x1153526 [0075.914] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.914] GetProcessHeap () returned 0x3a00000 [0075.914] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.914] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0075.917] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.917] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0075.917] GetProcessHeap () returned 0x3a00000 [0075.917] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.918] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.918] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.918] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.918] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.918] CloseHandle (hObject=0x440) returned 1 [0075.918] GetProcessHeap () returned 0x3a00000 [0075.918] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.918] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.918] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\629__connections_cellular_bell (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\629__Connections_Cellular_Bell (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\629__connections_cellular_bell (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.919] GetProcessHeap () returned 0x3a00000 [0075.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.919] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90306b27, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90306b27, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90306b27, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", cAlternateFileName="62__CO~1.PRO")) returned 1 [0075.919] lstrcmpiW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.919] lstrcmpiW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.919] lstrcmpiW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.919] lstrcmpiW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.919] lstrcmpiW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.919] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml") returned 157 [0075.919] StrStrIW (lpFirst="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.919] lstrcmpW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.919] lstrcmpW (lpString1="62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.919] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.919] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\62__connections_cellular_mtn (cameroon)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.920] GetTickCount () returned 0x1153535 [0075.920] GetTickCount () returned 0x1153535 [0075.920] GetTickCount () returned 0x1153535 [0075.920] GetTickCount () returned 0x1153535 [0075.920] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.920] GetProcessHeap () returned 0x3a00000 [0075.920] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.920] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.922] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.923] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.923] GetProcessHeap () returned 0x3a00000 [0075.923] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.923] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.923] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.923] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.923] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.923] CloseHandle (hObject=0x440) returned 1 [0075.923] GetProcessHeap () returned 0x3a00000 [0075.923] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.923] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.923] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\62__connections_cellular_mtn (cameroon)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\62__Connections_Cellular_MTN (Cameroon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\62__connections_cellular_mtn (cameroon)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.925] GetProcessHeap () returned 0x3a00000 [0075.925] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.925] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9168c833, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9168c833, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9168c833, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", cAlternateFileName="630__C~1.PRO")) returned 1 [0075.925] lstrcmpiW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.925] lstrcmpiW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.925] lstrcmpiW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.925] lstrcmpiW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.925] lstrcmpiW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.925] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml") returned 157 [0075.925] StrStrIW (lpFirst="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.925] lstrcmpW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.925] lstrcmpW (lpString1="630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.925] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.925] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\630__connections_cellular_bell (canada)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.926] GetTickCount () returned 0x1153535 [0075.926] GetTickCount () returned 0x1153535 [0075.926] GetTickCount () returned 0x1153535 [0075.926] GetTickCount () returned 0x1153535 [0075.926] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.926] GetProcessHeap () returned 0x3a00000 [0075.926] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.926] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0075.927] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.927] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0075.927] GetProcessHeap () returned 0x3a00000 [0075.927] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.927] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.928] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.928] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.928] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.928] CloseHandle (hObject=0x440) returned 1 [0075.928] GetProcessHeap () returned 0x3a00000 [0075.928] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.928] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\630__connections_cellular_bell (canada)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\630__Connections_Cellular_Bell (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\630__connections_cellular_bell (canada)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.929] GetProcessHeap () returned 0x3a00000 [0075.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.929] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9168c833, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9168c833, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9168c833, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="631__C~1.PRO")) returned 1 [0075.929] lstrcmpiW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.929] lstrcmpiW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.929] lstrcmpiW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.929] lstrcmpiW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.929] lstrcmpiW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.929] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml") returned 159 [0075.929] StrStrIW (lpFirst="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.929] lstrcmpW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.929] lstrcmpW (lpString1="631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.929] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.929] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\631__connections_cellular_virgin (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.929] GetTickCount () returned 0x1153535 [0075.929] GetTickCount () returned 0x1153535 [0075.929] GetTickCount () returned 0x1153535 [0075.929] GetTickCount () returned 0x1153535 [0075.929] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.930] GetProcessHeap () returned 0x3a00000 [0075.930] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.930] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0075.931] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.931] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0075.931] GetProcessHeap () returned 0x3a00000 [0075.931] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.931] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.931] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.931] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.932] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.932] CloseHandle (hObject=0x440) returned 1 [0075.932] GetProcessHeap () returned 0x3a00000 [0075.932] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.932] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0075.932] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\631__connections_cellular_virgin (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\631__Connections_Cellular_Virgin (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\631__connections_cellular_virgin (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.932] GetProcessHeap () returned 0x3a00000 [0075.932] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.932] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9168c833, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9168c833, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9168c833, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", cAlternateFileName="632__C~1.PRO")) returned 1 [0075.932] lstrcmpiW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.932] lstrcmpiW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.933] lstrcmpiW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.933] lstrcmpiW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.933] lstrcmpiW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.933] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml") returned 159 [0075.933] StrStrIW (lpFirst="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.933] lstrcmpW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.933] lstrcmpW (lpString1="632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.933] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.933] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\632__connections_cellular_virgin (canada)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.933] GetTickCount () returned 0x1153535 [0075.933] GetTickCount () returned 0x1153535 [0075.933] GetTickCount () returned 0x1153535 [0075.933] GetTickCount () returned 0x1153535 [0075.933] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.933] GetProcessHeap () returned 0x3a00000 [0075.933] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.933] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.935] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.935] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0075.935] GetProcessHeap () returned 0x3a00000 [0075.935] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.935] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.935] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.935] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.935] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.935] CloseHandle (hObject=0x440) returned 1 [0075.936] GetProcessHeap () returned 0x3a00000 [0075.936] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.936] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0075.936] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\632__connections_cellular_virgin (canada)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\632__Connections_Cellular_Virgin (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\632__connections_cellular_virgin (canada)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.936] GetProcessHeap () returned 0x3a00000 [0075.936] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.936] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9168c833, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9168c833, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="633__C~1.PRO")) returned 1 [0075.936] lstrcmpiW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.936] lstrcmpiW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.936] lstrcmpiW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.936] lstrcmpiW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.936] lstrcmpiW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.936] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml") returned 157 [0075.936] StrStrIW (lpFirst="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.937] lstrcmpW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.937] lstrcmpW (lpString1="633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.937] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.937] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\633__connections_cellular_solo (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.937] GetTickCount () returned 0x1153545 [0075.937] GetTickCount () returned 0x1153545 [0075.937] GetTickCount () returned 0x1153545 [0075.937] GetTickCount () returned 0x1153545 [0075.937] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.937] GetProcessHeap () returned 0x3a00000 [0075.937] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.937] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0075.939] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.939] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0075.939] GetProcessHeap () returned 0x3a00000 [0075.939] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.939] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.939] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.939] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.939] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.939] CloseHandle (hObject=0x440) returned 1 [0075.939] GetProcessHeap () returned 0x3a00000 [0075.939] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.939] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\633__connections_cellular_solo (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\633__Connections_Cellular_Solo (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\633__connections_cellular_solo (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.940] GetProcessHeap () returned 0x3a00000 [0075.940] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.940] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2a9b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916b2a9b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="634__C~1.PRO")) returned 1 [0075.940] lstrcmpiW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.940] lstrcmpiW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.940] lstrcmpiW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.940] lstrcmpiW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.940] lstrcmpiW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.940] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml") returned 162 [0075.940] StrStrIW (lpFirst="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.940] lstrcmpW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.940] lstrcmpW (lpString1="634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.940] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.941] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\634__connections_cellular_pc mobile (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.941] GetTickCount () returned 0x1153545 [0075.941] GetTickCount () returned 0x1153545 [0075.941] GetTickCount () returned 0x1153545 [0075.941] GetTickCount () returned 0x1153545 [0075.941] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.941] GetProcessHeap () returned 0x3a00000 [0075.941] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.941] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.942] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.942] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0075.943] GetProcessHeap () returned 0x3a00000 [0075.943] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.943] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.943] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.943] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.943] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.943] CloseHandle (hObject=0x440) returned 1 [0075.943] GetProcessHeap () returned 0x3a00000 [0075.943] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.943] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\634__connections_cellular_pc mobile (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\634__Connections_Cellular_PC Mobile (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\634__connections_cellular_pc mobile (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.944] GetProcessHeap () returned 0x3a00000 [0075.944] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.944] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2a9b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916b2a9b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="635__C~1.PRO")) returned 1 [0075.944] lstrcmpiW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.944] lstrcmpiW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.944] lstrcmpiW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.944] lstrcmpiW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.944] lstrcmpiW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.944] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 162 [0075.944] StrStrIW (lpFirst="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.944] lstrcmpW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.944] lstrcmpW (lpString1="635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.944] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.945] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\635__connections_cellular_3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.945] GetTickCount () returned 0x1153545 [0075.945] GetTickCount () returned 0x1153545 [0075.945] GetTickCount () returned 0x1153545 [0075.945] GetTickCount () returned 0x1153545 [0075.945] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.945] GetProcessHeap () returned 0x3a00000 [0075.945] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.945] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.949] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.949] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c0, lpOverlapped=0x0) returned 1 [0075.949] GetProcessHeap () returned 0x3a00000 [0075.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.949] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.949] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.950] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.950] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.950] CloseHandle (hObject=0x440) returned 1 [0075.950] GetProcessHeap () returned 0x3a00000 [0075.950] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.950] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.950] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\635__connections_cellular_3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\635__Connections_Cellular_3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\635__connections_cellular_3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.951] GetProcessHeap () returned 0x3a00000 [0075.951] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.951] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2a9b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916b2a9b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="636__C~1.PRO")) returned 1 [0075.953] lstrcmpiW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0075.953] lstrcmpiW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0075.953] lstrcmpiW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0075.953] lstrcmpiW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0075.953] lstrcmpiW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0075.953] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0075.953] StrStrIW (lpFirst="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0075.953] lstrcmpW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.953] lstrcmpW (lpString1="636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0075.953] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.953] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\636__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.953] GetTickCount () returned 0x1153555 [0075.953] GetTickCount () returned 0x1153555 [0075.953] GetTickCount () returned 0x1153555 [0075.953] GetTickCount () returned 0x1153555 [0075.954] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.954] GetProcessHeap () returned 0x3a00000 [0075.954] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.954] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.955] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.955] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1cb, lpOverlapped=0x0) returned 1 [0075.955] GetProcessHeap () returned 0x3a00000 [0075.955] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.955] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.955] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.957] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.957] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.957] CloseHandle (hObject=0x440) returned 1 [0075.957] GetProcessHeap () returned 0x3a00000 [0075.958] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.958] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0075.958] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\636__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\636__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\636__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.958] GetProcessHeap () returned 0x3a00000 [0075.958] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.958] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2a9b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916b2a9b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="637__C~1.PRO")) returned 1 [0075.958] lstrcmpiW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0075.958] lstrcmpiW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0075.958] lstrcmpiW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0075.958] lstrcmpiW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0075.958] lstrcmpiW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0075.958] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0075.958] StrStrIW (lpFirst="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0075.958] lstrcmpW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.959] lstrcmpW (lpString1="637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0075.959] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.959] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\637__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.959] GetTickCount () returned 0x1153555 [0075.959] GetTickCount () returned 0x1153555 [0075.959] GetTickCount () returned 0x1153555 [0075.959] GetTickCount () returned 0x1153555 [0075.959] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.959] GetProcessHeap () returned 0x3a00000 [0075.959] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.959] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c0, lpOverlapped=0x0) returned 1 [0075.960] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe40, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.960] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c0, lpOverlapped=0x0) returned 1 [0075.960] GetProcessHeap () returned 0x3a00000 [0075.960] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.960] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.960] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.963] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.963] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.963] CloseHandle (hObject=0x440) returned 1 [0075.964] GetProcessHeap () returned 0x3a00000 [0075.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.964] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0075.964] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\637__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\637__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\637__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.964] GetProcessHeap () returned 0x3a00000 [0075.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.964] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916b2a9b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916b2a9b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916b2a9b, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="638__C~1.PRO")) returned 1 [0075.964] lstrcmpiW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.964] lstrcmpiW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.965] lstrcmpiW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.965] lstrcmpiW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.965] lstrcmpiW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 171 [0075.965] StrStrIW (lpFirst="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.965] lstrcmpW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.965] lstrcmpW (lpString1="638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.965] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.965] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\638__connections_cellular_mico-p - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.965] GetTickCount () returned 0x1153555 [0075.965] GetTickCount () returned 0x1153555 [0075.965] GetTickCount () returned 0x1153555 [0075.965] GetTickCount () returned 0x1153555 [0075.965] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.965] GetProcessHeap () returned 0x3a00000 [0075.965] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.965] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.969] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.969] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0075.970] GetProcessHeap () returned 0x3a00000 [0075.970] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.970] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.970] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.970] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.970] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.970] CloseHandle (hObject=0x440) returned 1 [0075.970] GetProcessHeap () returned 0x3a00000 [0075.970] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.970] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0075.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\638__connections_cellular_mico-p - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\638__Connections_Cellular_Mico-P - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\638__connections_cellular_mico-p - 3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.971] GetProcessHeap () returned 0x3a00000 [0075.971] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.971] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916d8d0a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916d8d0a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916d8d0a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="639__C~1.PRO")) returned 1 [0075.971] lstrcmpiW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.971] lstrcmpiW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.971] lstrcmpiW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.971] lstrcmpiW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.971] lstrcmpiW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.971] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 171 [0075.971] StrStrIW (lpFirst="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.971] lstrcmpW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.971] lstrcmpW (lpString1="639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.971] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.971] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\639__connections_cellular_mico-p - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.972] GetTickCount () returned 0x1153564 [0075.972] GetTickCount () returned 0x1153564 [0075.972] GetTickCount () returned 0x1153564 [0075.972] GetTickCount () returned 0x1153564 [0075.972] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.972] GetProcessHeap () returned 0x3a00000 [0075.972] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.972] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.974] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.974] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0075.975] GetProcessHeap () returned 0x3a00000 [0075.975] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.975] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.975] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.975] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.975] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.975] CloseHandle (hObject=0x440) returned 1 [0075.975] GetProcessHeap () returned 0x3a00000 [0075.975] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.975] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0075.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\639__connections_cellular_mico-p - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\639__Connections_Cellular_Mico-P - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\639__connections_cellular_mico-p - 3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.976] GetProcessHeap () returned 0x3a00000 [0075.976] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.976] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90306b27, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90306b27, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90306b27, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x285, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="63__CO~1.PRO")) returned 1 [0075.976] lstrcmpiW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.976] lstrcmpiW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.976] lstrcmpiW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.976] lstrcmpiW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.976] lstrcmpiW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.976] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml") returned 157 [0075.976] StrStrIW (lpFirst="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.976] lstrcmpW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.976] lstrcmpW (lpString1="63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.976] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.976] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\63__connections_cellular_telus (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.976] GetTickCount () returned 0x1153564 [0075.977] GetTickCount () returned 0x1153564 [0075.977] GetTickCount () returned 0x1153564 [0075.977] GetTickCount () returned 0x1153564 [0075.977] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.977] GetProcessHeap () returned 0x3a00000 [0075.977] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.977] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0075.978] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.978] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x285, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x285, lpOverlapped=0x0) returned 1 [0075.978] GetProcessHeap () returned 0x3a00000 [0075.978] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.978] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.978] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.978] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.979] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.979] CloseHandle (hObject=0x440) returned 1 [0075.979] GetProcessHeap () returned 0x3a00000 [0075.979] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.979] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0075.979] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\63__connections_cellular_telus (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\63__Connections_Cellular_Telus (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\63__connections_cellular_telus (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.980] GetProcessHeap () returned 0x3a00000 [0075.980] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.980] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916d8d0a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916d8d0a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916d8d0a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="640__C~1.PRO")) returned 1 [0075.980] lstrcmpiW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.980] lstrcmpiW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.980] lstrcmpiW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.980] lstrcmpiW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.980] lstrcmpiW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 168 [0075.980] StrStrIW (lpFirst="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.980] lstrcmpW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.980] lstrcmpW (lpString1="640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.980] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.980] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\640__connections_cellular_aql - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.980] GetTickCount () returned 0x1153564 [0075.980] GetTickCount () returned 0x1153564 [0075.980] GetTickCount () returned 0x1153564 [0075.980] GetTickCount () returned 0x1153564 [0075.981] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.981] GetProcessHeap () returned 0x3a00000 [0075.981] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.981] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.983] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.983] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0075.983] GetProcessHeap () returned 0x3a00000 [0075.983] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.983] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.983] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.983] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.983] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.983] CloseHandle (hObject=0x440) returned 1 [0075.983] GetProcessHeap () returned 0x3a00000 [0075.983] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.984] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0075.984] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\640__connections_cellular_aql - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\640__Connections_Cellular_AQL - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\640__connections_cellular_aql - 3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.984] GetProcessHeap () returned 0x3a00000 [0075.984] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.984] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916d8d0a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916d8d0a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916d8d0a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="641__C~1.PRO")) returned 1 [0075.984] lstrcmpiW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.984] lstrcmpiW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.984] lstrcmpiW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.984] lstrcmpiW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.984] lstrcmpiW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.984] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 168 [0075.984] StrStrIW (lpFirst="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.984] lstrcmpW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.984] lstrcmpW (lpString1="641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.985] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.985] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\641__connections_cellular_aql - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.985] GetTickCount () returned 0x1153574 [0075.985] GetTickCount () returned 0x1153574 [0075.985] GetTickCount () returned 0x1153574 [0075.985] GetTickCount () returned 0x1153574 [0075.985] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.986] GetProcessHeap () returned 0x3a00000 [0075.986] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.986] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.987] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.987] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.987] GetProcessHeap () returned 0x3a00000 [0075.987] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.987] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.987] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.987] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.987] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.988] CloseHandle (hObject=0x440) returned 1 [0075.988] GetProcessHeap () returned 0x3a00000 [0075.988] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.988] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0075.988] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\641__connections_cellular_aql - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\641__Connections_Cellular_AQL - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\641__connections_cellular_aql - 3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.988] GetProcessHeap () returned 0x3a00000 [0075.988] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.988] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916d8d0a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916d8d0a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916d8d0a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", cAlternateFileName="642__C~1.PRO")) returned 1 [0075.989] lstrcmpiW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.989] lstrcmpiW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.989] lstrcmpiW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.989] lstrcmpiW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.989] lstrcmpiW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.989] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml") returned 168 [0075.989] StrStrIW (lpFirst="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.989] lstrcmpW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.989] lstrcmpW (lpString1="642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.989] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.989] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\642__connections_cellular_aql - 3 (united kingdom)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.989] GetTickCount () returned 0x1153574 [0075.989] GetTickCount () returned 0x1153574 [0075.989] GetTickCount () returned 0x1153574 [0075.989] GetTickCount () returned 0x1153574 [0075.989] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.989] GetProcessHeap () returned 0x3a00000 [0075.989] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.989] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.991] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0075.991] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0075.991] GetProcessHeap () returned 0x3a00000 [0075.991] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0075.991] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.991] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0075.992] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0075.992] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0075.992] CloseHandle (hObject=0x440) returned 1 [0075.992] GetProcessHeap () returned 0x3a00000 [0075.992] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0075.992] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0075.992] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\642__connections_cellular_aql - 3 (united kingdom)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\642__Connections_Cellular_AQL - 3 (United Kingdom)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\642__connections_cellular_aql - 3 (united kingdom)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0075.993] GetProcessHeap () returned 0x3a00000 [0075.993] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0075.993] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916d8d0a, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916d8d0a, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916d8d0a, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", cAlternateFileName="643__C~1.PRO")) returned 1 [0075.993] lstrcmpiW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0075.993] lstrcmpiW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0075.993] lstrcmpiW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0075.993] lstrcmpiW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0075.993] lstrcmpiW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0075.993] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml") returned 168 [0075.993] StrStrIW (lpFirst="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0075.993] lstrcmpW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0075.993] lstrcmpW (lpString1="643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0075.993] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0075.993] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\643__connections_cellular_aql - 3 (united kingdom)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0075.994] GetTickCount () returned 0x1153574 [0075.994] GetTickCount () returned 0x1153574 [0075.994] GetTickCount () returned 0x1153574 [0075.994] GetTickCount () returned 0x1153574 [0075.994] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0075.994] GetProcessHeap () returned 0x3a00000 [0075.994] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0075.994] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.000] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.000] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.000] GetProcessHeap () returned 0x3a00000 [0076.000] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.000] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.000] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.000] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.000] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.001] CloseHandle (hObject=0x440) returned 1 [0076.001] GetProcessHeap () returned 0x3a00000 [0076.001] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.001] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0076.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\643__connections_cellular_aql - 3 (united kingdom)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\643__Connections_Cellular_AQL - 3 (United Kingdom)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\643__connections_cellular_aql - 3 (united kingdom)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.002] GetProcessHeap () returned 0x3a00000 [0076.002] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.002] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916fef72, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916fef72, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916fef72, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="644__C~1.PRO")) returned 1 [0076.002] lstrcmpiW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.002] lstrcmpiW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.002] lstrcmpiW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.002] lstrcmpiW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.002] lstrcmpiW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.002] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 175 [0076.002] StrStrIW (lpFirst="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.002] lstrcmpW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.002] lstrcmpW (lpString1="644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.002] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.002] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\644__connections_cellular_x-mobility - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.002] GetTickCount () returned 0x1153583 [0076.002] GetTickCount () returned 0x1153583 [0076.002] GetTickCount () returned 0x1153583 [0076.002] GetTickCount () returned 0x1153583 [0076.002] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.002] GetProcessHeap () returned 0x3a00000 [0076.003] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.003] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.004] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.004] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.004] GetProcessHeap () returned 0x3a00000 [0076.004] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.004] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.004] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.004] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.004] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.004] CloseHandle (hObject=0x440) returned 1 [0076.005] GetProcessHeap () returned 0x3a00000 [0076.005] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.005] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0076.005] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\644__connections_cellular_x-mobility - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\644__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\644__connections_cellular_x-mobility - 3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.005] GetProcessHeap () returned 0x3a00000 [0076.005] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.005] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916fef72, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916fef72, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916fef72, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="645__C~1.PRO")) returned 1 [0076.005] lstrcmpiW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.006] lstrcmpiW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.006] lstrcmpiW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.006] lstrcmpiW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.006] lstrcmpiW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.006] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 175 [0076.006] StrStrIW (lpFirst="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.006] lstrcmpW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.006] lstrcmpW (lpString1="645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.006] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.006] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\645__connections_cellular_x-mobility - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.006] GetTickCount () returned 0x1153583 [0076.006] GetTickCount () returned 0x1153583 [0076.006] GetTickCount () returned 0x1153583 [0076.006] GetTickCount () returned 0x1153583 [0076.006] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.006] GetProcessHeap () returned 0x3a00000 [0076.006] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.006] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.008] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.008] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2db, lpOverlapped=0x0) returned 1 [0076.008] GetProcessHeap () returned 0x3a00000 [0076.008] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.008] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.008] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.008] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.008] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.008] CloseHandle (hObject=0x440) returned 1 [0076.009] GetProcessHeap () returned 0x3a00000 [0076.009] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.009] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0076.009] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\645__connections_cellular_x-mobility - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\645__Connections_Cellular_X-Mobility - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\645__connections_cellular_x-mobility - 3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.009] GetProcessHeap () returned 0x3a00000 [0076.009] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.009] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916fef72, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916fef72, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916fef72, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="646__C~1.PRO")) returned 1 [0076.010] lstrcmpiW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.010] lstrcmpiW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.010] lstrcmpiW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.010] lstrcmpiW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.010] lstrcmpiW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.010] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 171 [0076.010] StrStrIW (lpFirst="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.010] lstrcmpW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.010] lstrcmpW (lpString1="646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.010] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.010] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\646__connections_cellular_macheen -3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.010] GetTickCount () returned 0x1153583 [0076.010] GetTickCount () returned 0x1153583 [0076.010] GetTickCount () returned 0x1153583 [0076.010] GetTickCount () returned 0x1153583 [0076.010] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.010] GetProcessHeap () returned 0x3a00000 [0076.010] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.010] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.012] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.012] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.012] GetProcessHeap () returned 0x3a00000 [0076.012] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.012] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.012] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.012] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.012] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.012] CloseHandle (hObject=0x440) returned 1 [0076.013] GetProcessHeap () returned 0x3a00000 [0076.013] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.013] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.013] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\646__connections_cellular_macheen -3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\646__Connections_Cellular_Macheen -3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\646__connections_cellular_macheen -3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.014] GetProcessHeap () returned 0x3a00000 [0076.014] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.014] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x916fef72, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x916fef72, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x916fef72, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="647__C~1.PRO")) returned 1 [0076.014] lstrcmpiW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.014] lstrcmpiW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.014] lstrcmpiW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.014] lstrcmpiW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.014] lstrcmpiW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.014] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 171 [0076.014] StrStrIW (lpFirst="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.014] lstrcmpW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.014] lstrcmpW (lpString1="647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.014] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.014] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\647__connections_cellular_macheen -3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.014] GetTickCount () returned 0x1153593 [0076.014] GetTickCount () returned 0x1153593 [0076.014] GetTickCount () returned 0x1153593 [0076.015] GetTickCount () returned 0x1153593 [0076.015] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.015] GetProcessHeap () returned 0x3a00000 [0076.015] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.015] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.016] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.016] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.016] GetProcessHeap () returned 0x3a00000 [0076.016] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.016] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.016] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.016] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.017] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.017] CloseHandle (hObject=0x440) returned 1 [0076.017] GetProcessHeap () returned 0x3a00000 [0076.017] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.017] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\647__connections_cellular_macheen -3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\647__Connections_Cellular_Macheen -3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\647__connections_cellular_macheen -3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.017] GetProcessHeap () returned 0x3a00000 [0076.018] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.018] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917251dd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917251dd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917251dd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="648__C~1.PRO")) returned 1 [0076.018] lstrcmpiW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.018] lstrcmpiW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.018] lstrcmpiW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.018] lstrcmpiW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.018] lstrcmpiW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.018] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 171 [0076.018] StrStrIW (lpFirst="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.018] lstrcmpW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.018] lstrcmpW (lpString1="648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.018] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.018] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\648__connections_cellular_voiamo - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.018] GetTickCount () returned 0x1153593 [0076.018] GetTickCount () returned 0x1153593 [0076.018] GetTickCount () returned 0x1153593 [0076.018] GetTickCount () returned 0x1153593 [0076.018] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.019] GetProcessHeap () returned 0x3a00000 [0076.019] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.019] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.020] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.020] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.020] GetProcessHeap () returned 0x3a00000 [0076.020] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.020] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.020] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.020] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.020] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.021] CloseHandle (hObject=0x440) returned 1 [0076.021] GetProcessHeap () returned 0x3a00000 [0076.021] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.021] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.021] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\648__connections_cellular_voiamo - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\648__Connections_Cellular_Voiamo - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\648__connections_cellular_voiamo - 3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.021] GetProcessHeap () returned 0x3a00000 [0076.021] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.022] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917251dd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917251dd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917251dd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="649__C~1.PRO")) returned 1 [0076.022] lstrcmpiW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.022] lstrcmpiW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.022] lstrcmpiW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.022] lstrcmpiW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.022] lstrcmpiW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.022] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 171 [0076.022] StrStrIW (lpFirst="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.022] lstrcmpW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.022] lstrcmpW (lpString1="649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.022] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.022] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\649__connections_cellular_voiamo - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.023] GetTickCount () returned 0x1153593 [0076.023] GetTickCount () returned 0x1153593 [0076.023] GetTickCount () returned 0x1153593 [0076.023] GetTickCount () returned 0x1153593 [0076.023] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.023] GetProcessHeap () returned 0x3a00000 [0076.023] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.023] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.193] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.194] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.194] GetProcessHeap () returned 0x3a00000 [0076.194] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.194] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.194] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.194] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.194] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.194] CloseHandle (hObject=0x440) returned 1 [0076.194] GetProcessHeap () returned 0x3a00000 [0076.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.194] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\649__connections_cellular_voiamo - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\649__Connections_Cellular_Voiamo - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\649__connections_cellular_voiamo - 3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.196] GetProcessHeap () returned 0x3a00000 [0076.196] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.196] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90306b27, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90306b27, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90306b27, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", cAlternateFileName="64__CO~1.PRO")) returned 1 [0076.196] lstrcmpiW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.196] lstrcmpiW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.196] lstrcmpiW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.196] lstrcmpiW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.196] lstrcmpiW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.196] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml") returned 176 [0076.196] StrStrIW (lpFirst="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.196] lstrcmpW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.196] lstrcmpW (lpString1="64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.196] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.196] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\64__connections_cellular_airtel-vodafone (channel islands)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.197] GetTickCount () returned 0x115363f [0076.197] GetTickCount () returned 0x115363f [0076.197] GetTickCount () returned 0x115363f [0076.197] GetTickCount () returned 0x115363f [0076.197] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.197] GetProcessHeap () returned 0x3a00000 [0076.197] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.197] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0076.198] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd1d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.198] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2e3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2e3, lpOverlapped=0x0) returned 1 [0076.198] GetProcessHeap () returned 0x3a00000 [0076.198] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.198] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.199] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.199] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.199] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.199] CloseHandle (hObject=0x440) returned 1 [0076.199] GetProcessHeap () returned 0x3a00000 [0076.199] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.199] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0076.199] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\64__connections_cellular_airtel-vodafone (channel islands)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\64__Connections_Cellular_Airtel-Vodafone (Channel Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\64__connections_cellular_airtel-vodafone (channel islands)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.201] GetProcessHeap () returned 0x3a00000 [0076.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.201] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917251dd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917251dd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917251dd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="650__C~1.PRO")) returned 1 [0076.204] lstrcmpiW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.204] lstrcmpiW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.204] lstrcmpiW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.204] lstrcmpiW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.204] lstrcmpiW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.204] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 172 [0076.204] StrStrIW (lpFirst="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.204] lstrcmpW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.204] lstrcmpW (lpString1="650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.204] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.204] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\650__connections_cellular_shebang - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.204] GetTickCount () returned 0x115364f [0076.204] GetTickCount () returned 0x115364f [0076.205] GetTickCount () returned 0x115364f [0076.205] GetTickCount () returned 0x115364f [0076.205] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.205] GetProcessHeap () returned 0x3a00000 [0076.205] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.205] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.227] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.227] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.227] GetProcessHeap () returned 0x3a00000 [0076.227] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.227] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.227] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.227] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.227] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.228] CloseHandle (hObject=0x440) returned 1 [0076.228] GetProcessHeap () returned 0x3a00000 [0076.228] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.228] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0076.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\650__connections_cellular_shebang - 3 (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\650__Connections_Cellular_Shebang - 3 (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\650__connections_cellular_shebang - 3 (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.229] GetProcessHeap () returned 0x3a00000 [0076.229] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.229] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917251dd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917251dd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917251dd, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", cAlternateFileName="651__C~1.PRO")) returned 1 [0076.229] lstrcmpiW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.229] lstrcmpiW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.229] lstrcmpiW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.229] lstrcmpiW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.229] lstrcmpiW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.229] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml") returned 172 [0076.229] StrStrIW (lpFirst="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.229] lstrcmpW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.229] lstrcmpW (lpString1="651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.229] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\651__connections_cellular_shebang - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.230] GetTickCount () returned 0x115365e [0076.230] GetTickCount () returned 0x115365e [0076.230] GetTickCount () returned 0x115365e [0076.230] GetTickCount () returned 0x115365e [0076.230] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.230] GetProcessHeap () returned 0x3a00000 [0076.230] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.230] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.232] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.232] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.232] GetProcessHeap () returned 0x3a00000 [0076.232] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.232] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.232] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.232] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.233] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.233] CloseHandle (hObject=0x440) returned 1 [0076.233] GetProcessHeap () returned 0x3a00000 [0076.233] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.233] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0076.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\651__connections_cellular_shebang - 3 (united kingdom)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\651__Connections_Cellular_Shebang - 3 (United Kingdom)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\651__connections_cellular_shebang - 3 (united kingdom)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.234] GetProcessHeap () returned 0x3a00000 [0076.234] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.234] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9174b44d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9174b44d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9174b44d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="652__C~1.PRO")) returned 1 [0076.234] lstrcmpiW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.234] lstrcmpiW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.234] lstrcmpiW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.234] lstrcmpiW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.234] lstrcmpiW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.234] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml") returned 158 [0076.234] StrStrIW (lpFirst="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.234] lstrcmpW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.234] lstrcmpW (lpString1="652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.234] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.234] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\652__connections_cellular_3roi (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] GetTickCount () returned 0x115366e [0076.235] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.235] GetProcessHeap () returned 0x3a00000 [0076.235] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.235] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.237] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.237] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.237] GetProcessHeap () returned 0x3a00000 [0076.237] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.237] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.237] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.237] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.238] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.238] CloseHandle (hObject=0x440) returned 1 [0076.238] GetProcessHeap () returned 0x3a00000 [0076.238] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.238] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.238] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\652__connections_cellular_3roi (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\652__Connections_Cellular_3RoI (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\652__connections_cellular_3roi (ireland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.239] GetProcessHeap () returned 0x3a00000 [0076.239] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.239] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9174b44d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9174b44d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9174b44d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="653__C~1.PRO")) returned 1 [0076.239] lstrcmpiW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.239] lstrcmpiW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.239] lstrcmpiW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.239] lstrcmpiW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.239] lstrcmpiW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.239] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml") returned 158 [0076.239] StrStrIW (lpFirst="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.239] lstrcmpW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.239] lstrcmpW (lpString1="653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.239] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.239] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\653__connections_cellular_3roi (ireland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.239] GetTickCount () returned 0x115366e [0076.239] GetTickCount () returned 0x115366e [0076.239] GetTickCount () returned 0x115366e [0076.239] GetTickCount () returned 0x115366e [0076.239] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.240] GetProcessHeap () returned 0x3a00000 [0076.240] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.240] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0076.243] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.243] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c3, lpOverlapped=0x0) returned 1 [0076.243] GetProcessHeap () returned 0x3a00000 [0076.243] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.243] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.243] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.243] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.243] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.243] CloseHandle (hObject=0x440) returned 1 [0076.243] GetProcessHeap () returned 0x3a00000 [0076.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.243] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.244] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\653__connections_cellular_3roi (ireland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\653__Connections_Cellular_3RoI (Ireland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\653__connections_cellular_3roi (ireland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.244] GetProcessHeap () returned 0x3a00000 [0076.244] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.244] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9174b44d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9174b44d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9174b44d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="654__C~1.PRO")) returned 1 [0076.244] lstrcmpiW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.244] lstrcmpiW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.245] lstrcmpiW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.245] lstrcmpiW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.245] lstrcmpiW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.245] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml") returned 171 [0076.245] StrStrIW (lpFirst="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.245] lstrcmpW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.245] lstrcmpW (lpString1="654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.245] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\654__connections_cellular_x-mobility - 3roi (ireland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.245] GetTickCount () returned 0x115366e [0076.245] GetTickCount () returned 0x115366e [0076.245] GetTickCount () returned 0x115366e [0076.245] GetTickCount () returned 0x115366e [0076.245] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.245] GetProcessHeap () returned 0x3a00000 [0076.245] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.245] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.247] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.247] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.247] GetProcessHeap () returned 0x3a00000 [0076.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.247] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.247] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.247] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.247] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.248] CloseHandle (hObject=0x440) returned 1 [0076.248] GetProcessHeap () returned 0x3a00000 [0076.248] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.248] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.248] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\654__connections_cellular_x-mobility - 3roi (ireland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\654__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\654__connections_cellular_x-mobility - 3roi (ireland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.248] GetProcessHeap () returned 0x3a00000 [0076.248] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.248] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9174b44d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9174b44d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9174b44d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", cAlternateFileName="655__C~1.PRO")) returned 1 [0076.249] lstrcmpiW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.249] lstrcmpiW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.249] lstrcmpiW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.249] lstrcmpiW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.249] lstrcmpiW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.249] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml") returned 171 [0076.249] StrStrIW (lpFirst="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.249] lstrcmpW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.249] lstrcmpW (lpString1="655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.249] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.249] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\655__connections_cellular_x-mobility - 3roi (ireland)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.249] GetTickCount () returned 0x115367d [0076.249] GetTickCount () returned 0x115367d [0076.249] GetTickCount () returned 0x115367d [0076.249] GetTickCount () returned 0x115367d [0076.249] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.249] GetProcessHeap () returned 0x3a00000 [0076.249] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.249] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.251] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.251] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d5, lpOverlapped=0x0) returned 1 [0076.254] GetProcessHeap () returned 0x3a00000 [0076.254] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.254] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.254] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.255] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.255] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.255] CloseHandle (hObject=0x440) returned 1 [0076.255] GetProcessHeap () returned 0x3a00000 [0076.255] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.255] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.255] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\655__connections_cellular_x-mobility - 3roi (ireland)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\655__Connections_Cellular_X-Mobility - 3RoI (Ireland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\655__connections_cellular_x-mobility - 3roi (ireland)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.256] GetProcessHeap () returned 0x3a00000 [0076.256] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.256] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917716b4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917716b4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917716b4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ba, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", cAlternateFileName="656__C~1.PRO")) returned 1 [0076.256] lstrcmpiW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.256] lstrcmpiW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.256] lstrcmpiW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.256] lstrcmpiW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.256] lstrcmpiW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.256] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml") returned 158 [0076.256] StrStrIW (lpFirst="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.256] lstrcmpW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.256] lstrcmpW (lpString1="656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.256] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.256] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\656__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.257] GetTickCount () returned 0x115367d [0076.257] GetTickCount () returned 0x115367d [0076.257] GetTickCount () returned 0x115367d [0076.257] GetTickCount () returned 0x115367d [0076.257] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.257] GetProcessHeap () returned 0x3a00000 [0076.257] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.257] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ba, lpOverlapped=0x0) returned 1 [0076.258] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd46, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.258] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ba, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ba, lpOverlapped=0x0) returned 1 [0076.258] GetProcessHeap () returned 0x3a00000 [0076.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.259] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.259] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.259] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.259] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.259] CloseHandle (hObject=0x440) returned 1 [0076.259] GetProcessHeap () returned 0x3a00000 [0076.259] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.259] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\656__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\656__Connections_Cellular_AIS (Thailand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\656__connections_cellular_ais (thailand)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.260] GetProcessHeap () returned 0x3a00000 [0076.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.260] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917716b4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917716b4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917716b4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="657__C~1.PRO")) returned 1 [0076.260] lstrcmpiW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.260] lstrcmpiW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.260] lstrcmpiW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.260] lstrcmpiW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.260] lstrcmpiW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.260] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.260] StrStrIW (lpFirst="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.260] lstrcmpW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.260] lstrcmpW (lpString1="657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.260] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\657__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.261] GetTickCount () returned 0x115367d [0076.261] GetTickCount () returned 0x115367d [0076.261] GetTickCount () returned 0x115367d [0076.261] GetTickCount () returned 0x115367d [0076.261] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.261] GetProcessHeap () returned 0x3a00000 [0076.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.261] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0076.263] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.263] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d9, lpOverlapped=0x0) returned 1 [0076.264] GetProcessHeap () returned 0x3a00000 [0076.264] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.264] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.264] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.265] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.265] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.265] CloseHandle (hObject=0x440) returned 1 [0076.265] GetProcessHeap () returned 0x3a00000 [0076.265] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.265] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\657__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\657__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\657__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.266] GetProcessHeap () returned 0x3a00000 [0076.266] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.266] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917716b4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917716b4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917716b4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="658__C~1.PRO")) returned 1 [0076.266] lstrcmpiW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.266] lstrcmpiW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.266] lstrcmpiW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.266] lstrcmpiW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.266] lstrcmpiW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.266] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml") returned 157 [0076.266] StrStrIW (lpFirst="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.266] lstrcmpW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.266] lstrcmpW (lpString1="658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.266] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\658__connections_cellular_fido (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.267] GetTickCount () returned 0x115368d [0076.267] GetTickCount () returned 0x115368d [0076.267] GetTickCount () returned 0x115368d [0076.267] GetTickCount () returned 0x115368d [0076.267] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.267] GetProcessHeap () returned 0x3a00000 [0076.267] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.267] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.268] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.268] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.269] GetProcessHeap () returned 0x3a00000 [0076.269] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.269] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.269] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.269] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.269] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.269] CloseHandle (hObject=0x440) returned 1 [0076.269] GetProcessHeap () returned 0x3a00000 [0076.269] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.269] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.269] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\658__connections_cellular_fido (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\658__Connections_Cellular_Fido (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\658__connections_cellular_fido (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.270] GetProcessHeap () returned 0x3a00000 [0076.270] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.270] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917716b4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917716b4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917716b4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", cAlternateFileName="659__C~1.PRO")) returned 1 [0076.270] lstrcmpiW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.270] lstrcmpiW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.270] lstrcmpiW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.270] lstrcmpiW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.270] lstrcmpiW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.270] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml") returned 157 [0076.270] StrStrIW (lpFirst="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.270] lstrcmpW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.270] lstrcmpW (lpString1="659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.270] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\659__connections_cellular_fido (canada)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.271] GetTickCount () returned 0x115368d [0076.271] GetTickCount () returned 0x115368d [0076.271] GetTickCount () returned 0x115368d [0076.271] GetTickCount () returned 0x115368d [0076.271] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.271] GetProcessHeap () returned 0x3a00000 [0076.271] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.271] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.274] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.274] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.274] GetProcessHeap () returned 0x3a00000 [0076.274] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.274] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.274] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.275] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.275] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.275] CloseHandle (hObject=0x440) returned 1 [0076.275] GetProcessHeap () returned 0x3a00000 [0076.275] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.275] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\659__connections_cellular_fido (canada)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\659__Connections_Cellular_Fido (Canada)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\659__connections_cellular_fido (canada)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.276] GetProcessHeap () returned 0x3a00000 [0076.276] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.276] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90306b27, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90306b27, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9032cd93, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2f9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", cAlternateFileName="65__CO~1.PRO")) returned 1 [0076.276] lstrcmpiW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.276] lstrcmpiW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.276] lstrcmpiW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.276] lstrcmpiW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.276] lstrcmpiW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.276] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml") returned 156 [0076.276] StrStrIW (lpFirst="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.276] lstrcmpW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.276] lstrcmpW (lpString1="65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.276] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\65__connections_cellular_claro (chile)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.277] GetTickCount () returned 0x115368d [0076.277] GetTickCount () returned 0x115368d [0076.277] GetTickCount () returned 0x115368d [0076.277] GetTickCount () returned 0x115368d [0076.277] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.277] GetProcessHeap () returned 0x3a00000 [0076.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.277] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2f9, lpOverlapped=0x0) returned 1 [0076.280] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd07, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.280] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2f9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2f9, lpOverlapped=0x0) returned 1 [0076.280] GetProcessHeap () returned 0x3a00000 [0076.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.281] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.281] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.281] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.281] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.281] CloseHandle (hObject=0x440) returned 1 [0076.281] GetProcessHeap () returned 0x3a00000 [0076.281] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.281] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 175 [0076.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\65__connections_cellular_claro (chile)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\65__Connections_Cellular_Claro (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\65__connections_cellular_claro (chile)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.282] GetProcessHeap () returned 0x3a00000 [0076.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.282] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917716b4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917716b4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917716b4, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="660__C~1.PRO")) returned 1 [0076.282] lstrcmpiW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.282] lstrcmpiW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.282] lstrcmpiW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.282] lstrcmpiW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.282] lstrcmpiW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.282] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml") returned 158 [0076.282] StrStrIW (lpFirst="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.282] lstrcmpW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.282] lstrcmpW (lpString1="660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.282] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.282] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\660__connections_cellular_chatr (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.283] GetTickCount () returned 0x115369d [0076.283] GetTickCount () returned 0x115369d [0076.283] GetTickCount () returned 0x115369d [0076.283] GetTickCount () returned 0x115369d [0076.283] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.283] GetProcessHeap () returned 0x3a00000 [0076.283] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.283] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.287] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.287] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.287] GetProcessHeap () returned 0x3a00000 [0076.287] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.287] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.287] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.287] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.287] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.288] CloseHandle (hObject=0x440) returned 1 [0076.288] GetProcessHeap () returned 0x3a00000 [0076.288] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.288] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\660__connections_cellular_chatr (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\660__Connections_Cellular_Chatr (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\660__connections_cellular_chatr (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.288] GetProcessHeap () returned 0x3a00000 [0076.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.289] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="661__C~1.PRO")) returned 1 [0076.289] lstrcmpiW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.289] lstrcmpiW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.289] lstrcmpiW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.289] lstrcmpiW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.289] lstrcmpiW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.289] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml") returned 161 [0076.289] StrStrIW (lpFirst="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.289] lstrcmpW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.289] lstrcmpW (lpString1="661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.289] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.289] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\661__connections_cellular_cityfone (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] GetTickCount () returned 0x115369d [0076.289] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.290] GetProcessHeap () returned 0x3a00000 [0076.290] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.290] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.304] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.304] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.304] GetProcessHeap () returned 0x3a00000 [0076.304] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.304] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.304] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.304] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.304] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.305] CloseHandle (hObject=0x440) returned 1 [0076.305] GetProcessHeap () returned 0x3a00000 [0076.305] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.305] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0076.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\661__connections_cellular_cityfone (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\661__Connections_Cellular_Cityfone (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\661__connections_cellular_cityfone (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.306] GetProcessHeap () returned 0x3a00000 [0076.306] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.306] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x369, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="662__C~1.PRO")) returned 1 [0076.306] lstrcmpiW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.306] lstrcmpiW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.306] lstrcmpiW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.306] lstrcmpiW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.306] lstrcmpiW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.306] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml") returned 171 [0076.306] StrStrIW (lpFirst="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.306] lstrcmpW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.306] lstrcmpW (lpString1="662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.306] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\662__connections_cellular_hp datapass (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.307] GetTickCount () returned 0x11536ac [0076.307] GetTickCount () returned 0x11536ac [0076.307] GetTickCount () returned 0x11536ac [0076.307] GetTickCount () returned 0x11536ac [0076.307] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.307] GetProcessHeap () returned 0x3a00000 [0076.307] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.307] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x369, lpOverlapped=0x0) returned 1 [0076.310] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc97, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.310] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x369, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x369, lpOverlapped=0x0) returned 1 [0076.310] GetProcessHeap () returned 0x3a00000 [0076.310] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.310] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.310] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.311] CloseHandle (hObject=0x440) returned 1 [0076.311] GetProcessHeap () returned 0x3a00000 [0076.311] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.311] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.311] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\662__connections_cellular_hp datapass (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\662__Connections_Cellular_HP DataPass (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\662__connections_cellular_hp datapass (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.312] GetProcessHeap () returned 0x3a00000 [0076.312] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.312] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="663__C~1.PRO")) returned 1 [0076.312] lstrcmpiW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.312] lstrcmpiW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.312] lstrcmpiW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.312] lstrcmpiW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.312] lstrcmpiW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.312] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.312] StrStrIW (lpFirst="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.312] lstrcmpW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.312] lstrcmpW (lpString1="663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.312] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.312] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\663__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.324] GetTickCount () returned 0x11536bc [0076.324] GetTickCount () returned 0x11536bc [0076.324] GetTickCount () returned 0x11536bc [0076.324] GetTickCount () returned 0x11536bc [0076.324] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.324] GetProcessHeap () returned 0x3a00000 [0076.324] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.324] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.326] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.326] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.326] GetProcessHeap () returned 0x3a00000 [0076.326] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.326] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.326] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.327] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.327] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.327] CloseHandle (hObject=0x440) returned 1 [0076.327] GetProcessHeap () returned 0x3a00000 [0076.327] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.327] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\663__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\663__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\663__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.328] GetProcessHeap () returned 0x3a00000 [0076.328] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.328] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="664__C~1.PRO")) returned 1 [0076.328] lstrcmpiW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.328] lstrcmpiW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.328] lstrcmpiW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.328] lstrcmpiW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.329] lstrcmpiW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.329] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.329] StrStrIW (lpFirst="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.329] lstrcmpW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.329] lstrcmpW (lpString1="664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.329] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.329] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\664__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.329] GetTickCount () returned 0x11536cc [0076.329] GetTickCount () returned 0x11536cc [0076.329] GetTickCount () returned 0x11536cc [0076.329] GetTickCount () returned 0x11536cc [0076.329] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.329] GetProcessHeap () returned 0x3a00000 [0076.329] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.329] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.330] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.330] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.331] GetProcessHeap () returned 0x3a00000 [0076.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.331] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.331] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.331] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.331] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.331] CloseHandle (hObject=0x440) returned 1 [0076.332] GetProcessHeap () returned 0x3a00000 [0076.332] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.332] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.332] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\664__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\664__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\664__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.333] GetProcessHeap () returned 0x3a00000 [0076.333] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.333] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x36a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="665__C~1.PRO")) returned 1 [0076.333] lstrcmpiW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.333] lstrcmpiW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.333] lstrcmpiW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.333] lstrcmpiW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.333] lstrcmpiW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.333] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 172 [0076.333] StrStrIW (lpFirst="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.333] lstrcmpW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.333] lstrcmpW (lpString1="665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.333] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\665__connections_cellular_hp datapass (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.334] GetTickCount () returned 0x11536cc [0076.334] GetTickCount () returned 0x11536cc [0076.334] GetTickCount () returned 0x11536cc [0076.334] GetTickCount () returned 0x11536cc [0076.334] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.334] GetProcessHeap () returned 0x3a00000 [0076.334] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.334] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x36a, lpOverlapped=0x0) returned 1 [0076.335] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc96, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.335] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x36a, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x36a, lpOverlapped=0x0) returned 1 [0076.336] GetProcessHeap () returned 0x3a00000 [0076.336] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.336] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.336] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.336] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.336] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.336] CloseHandle (hObject=0x440) returned 1 [0076.336] GetProcessHeap () returned 0x3a00000 [0076.336] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.336] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0076.336] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\665__connections_cellular_hp datapass (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\665__Connections_Cellular_HP DataPass (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\665__connections_cellular_hp datapass (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.337] GetProcessHeap () returned 0x3a00000 [0076.337] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.337] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="666__C~1.PRO")) returned 1 [0076.339] lstrcmpiW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.339] lstrcmpiW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.339] lstrcmpiW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.339] lstrcmpiW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.339] lstrcmpiW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.339] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.340] StrStrIW (lpFirst="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.340] lstrcmpW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.340] lstrcmpW (lpString1="666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.340] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\666__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.340] GetTickCount () returned 0x11536cc [0076.340] GetTickCount () returned 0x11536cc [0076.340] GetTickCount () returned 0x11536cc [0076.340] GetTickCount () returned 0x11536cc [0076.340] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.340] GetProcessHeap () returned 0x3a00000 [0076.340] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.340] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.342] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.342] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.342] GetProcessHeap () returned 0x3a00000 [0076.342] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.342] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.342] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.343] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.344] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.344] CloseHandle (hObject=0x440) returned 1 [0076.344] GetProcessHeap () returned 0x3a00000 [0076.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.344] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.344] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\666__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\666__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\666__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.345] GetProcessHeap () returned 0x3a00000 [0076.345] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.345] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91797924, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91797924, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91797924, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="667__C~1.PRO")) returned 1 [0076.345] lstrcmpiW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.345] lstrcmpiW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.345] lstrcmpiW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.345] lstrcmpiW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.345] lstrcmpiW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.345] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.345] StrStrIW (lpFirst="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.345] lstrcmpW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.345] lstrcmpW (lpString1="667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.345] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.345] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\667__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.345] GetTickCount () returned 0x11536db [0076.345] GetTickCount () returned 0x11536db [0076.346] GetTickCount () returned 0x11536db [0076.346] GetTickCount () returned 0x11536db [0076.346] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.346] GetProcessHeap () returned 0x3a00000 [0076.346] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.346] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.347] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.347] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.347] GetProcessHeap () returned 0x3a00000 [0076.347] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.347] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.347] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.348] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.348] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.348] CloseHandle (hObject=0x440) returned 1 [0076.348] GetProcessHeap () returned 0x3a00000 [0076.348] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.348] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.348] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\667__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\667__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\667__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.349] GetProcessHeap () returned 0x3a00000 [0076.349] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.349] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917bdb8f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917bdb8f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917bdb8f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x362, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="668__C~1.PRO")) returned 1 [0076.349] lstrcmpiW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.349] lstrcmpiW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.349] lstrcmpiW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.349] lstrcmpiW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.349] lstrcmpiW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.349] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml") returned 164 [0076.349] StrStrIW (lpFirst="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.349] lstrcmpW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.349] lstrcmpW (lpString1="668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.349] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.349] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\668__connections_cellular_hp datapass (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.350] GetTickCount () returned 0x11536db [0076.350] GetTickCount () returned 0x11536db [0076.350] GetTickCount () returned 0x11536db [0076.350] GetTickCount () returned 0x11536db [0076.350] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.350] GetProcessHeap () returned 0x3a00000 [0076.350] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.350] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x362, lpOverlapped=0x0) returned 1 [0076.351] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc9e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.351] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x362, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x362, lpOverlapped=0x0) returned 1 [0076.352] GetProcessHeap () returned 0x3a00000 [0076.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.352] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.352] CloseHandle (hObject=0x440) returned 1 [0076.352] GetProcessHeap () returned 0x3a00000 [0076.352] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.352] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.352] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\668__connections_cellular_hp datapass (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\668__Connections_Cellular_HP DataPass (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\668__connections_cellular_hp datapass (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.353] GetProcessHeap () returned 0x3a00000 [0076.353] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.353] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917bdb8f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917bdb8f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917bdb8f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="669__C~1.PRO")) returned 1 [0076.353] lstrcmpiW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.353] lstrcmpiW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.353] lstrcmpiW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.353] lstrcmpiW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.353] lstrcmpiW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.353] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.353] StrStrIW (lpFirst="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.353] lstrcmpW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.353] lstrcmpW (lpString1="669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.353] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.353] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\669__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.354] GetTickCount () returned 0x11536db [0076.354] GetTickCount () returned 0x11536db [0076.354] GetTickCount () returned 0x11536db [0076.354] GetTickCount () returned 0x11536db [0076.354] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.354] GetProcessHeap () returned 0x3a00000 [0076.354] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.354] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.355] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.355] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d4, lpOverlapped=0x0) returned 1 [0076.355] GetProcessHeap () returned 0x3a00000 [0076.355] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.355] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.355] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.356] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.356] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.356] CloseHandle (hObject=0x440) returned 1 [0076.356] GetProcessHeap () returned 0x3a00000 [0076.356] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.356] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\669__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\669__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\669__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.357] GetProcessHeap () returned 0x3a00000 [0076.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.357] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9032cd93, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9032cd93, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9032cd93, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x353, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", cAlternateFileName="66__CO~1.PRO")) returned 1 [0076.357] lstrcmpiW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.357] lstrcmpiW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.357] lstrcmpiW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.357] lstrcmpiW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.357] lstrcmpiW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.357] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml") returned 160 [0076.357] StrStrIW (lpFirst="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.357] lstrcmpW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.357] lstrcmpW (lpString1="66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.357] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.358] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\66__connections_cellular_entel pcs (chile)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.358] GetTickCount () returned 0x11536eb [0076.358] GetTickCount () returned 0x11536eb [0076.358] GetTickCount () returned 0x11536eb [0076.358] GetTickCount () returned 0x11536eb [0076.358] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.358] GetProcessHeap () returned 0x3a00000 [0076.358] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.358] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0076.359] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcad, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.360] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x353, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x353, lpOverlapped=0x0) returned 1 [0076.360] GetProcessHeap () returned 0x3a00000 [0076.360] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.360] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.360] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.360] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.360] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.360] CloseHandle (hObject=0x440) returned 1 [0076.360] GetProcessHeap () returned 0x3a00000 [0076.360] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.360] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.360] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\66__connections_cellular_entel pcs (chile)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\66__Connections_Cellular_Entel PCS (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\66__connections_cellular_entel pcs (chile)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.361] GetProcessHeap () returned 0x3a00000 [0076.361] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.361] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917bdb8f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917bdb8f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917bdb8f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="670__C~1.PRO")) returned 1 [0076.361] lstrcmpiW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.361] lstrcmpiW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.361] lstrcmpiW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.361] lstrcmpiW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.361] lstrcmpiW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.361] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.361] StrStrIW (lpFirst="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.361] lstrcmpW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.361] lstrcmpW (lpString1="670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.361] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.362] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\670__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.362] GetTickCount () returned 0x11536eb [0076.362] GetTickCount () returned 0x11536eb [0076.362] GetTickCount () returned 0x11536eb [0076.362] GetTickCount () returned 0x11536eb [0076.362] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.362] GetProcessHeap () returned 0x3a00000 [0076.362] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.362] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.390] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.390] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.390] GetProcessHeap () returned 0x3a00000 [0076.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.390] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.391] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.391] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.391] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.392] CloseHandle (hObject=0x440) returned 1 [0076.392] GetProcessHeap () returned 0x3a00000 [0076.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.392] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.392] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\670__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\670__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\670__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.393] GetProcessHeap () returned 0x3a00000 [0076.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.393] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917bdb8f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917bdb8f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917bdb8f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="671__C~1.PRO")) returned 1 [0076.393] lstrcmpiW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.393] lstrcmpiW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.393] lstrcmpiW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.393] lstrcmpiW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.393] lstrcmpiW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.393] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml") returned 158 [0076.393] StrStrIW (lpFirst="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.393] lstrcmpW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.393] lstrcmpW (lpString1="671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.393] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.393] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\671__connections_cellular_dell (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.394] GetTickCount () returned 0x115370a [0076.394] GetTickCount () returned 0x115370a [0076.394] GetTickCount () returned 0x115370a [0076.394] GetTickCount () returned 0x115370a [0076.394] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.394] GetProcessHeap () returned 0x3a00000 [0076.394] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.394] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.396] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.396] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.396] GetProcessHeap () returned 0x3a00000 [0076.396] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.396] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.396] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.396] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.396] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.396] CloseHandle (hObject=0x440) returned 1 [0076.396] GetProcessHeap () returned 0x3a00000 [0076.396] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.396] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.396] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\671__connections_cellular_dell (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\671__Connections_Cellular_Dell (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\671__connections_cellular_dell (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.397] GetProcessHeap () returned 0x3a00000 [0076.397] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.397] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917bdb8f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917bdb8f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917bdb8f, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="672__C~1.PRO")) returned 1 [0076.397] lstrcmpiW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.397] lstrcmpiW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.397] lstrcmpiW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.397] lstrcmpiW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.397] lstrcmpiW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.397] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 165 [0076.397] StrStrIW (lpFirst="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.397] lstrcmpW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.397] lstrcmpW (lpString1="672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.398] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.398] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\672__connections_cellular_dell (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.398] GetTickCount () returned 0x115370a [0076.398] GetTickCount () returned 0x115370a [0076.398] GetTickCount () returned 0x115370a [0076.398] GetTickCount () returned 0x115370a [0076.398] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.398] GetProcessHeap () returned 0x3a00000 [0076.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.398] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.400] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.400] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d8, lpOverlapped=0x0) returned 1 [0076.400] GetProcessHeap () returned 0x3a00000 [0076.400] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.400] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.400] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.400] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.400] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.400] CloseHandle (hObject=0x440) returned 1 [0076.400] GetProcessHeap () returned 0x3a00000 [0076.400] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.400] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0076.400] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\672__connections_cellular_dell (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\672__Connections_Cellular_Dell (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\672__connections_cellular_dell (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.401] GetProcessHeap () returned 0x3a00000 [0076.401] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.401] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917e3dfb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917e3dfb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917e3dfb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="673__C~1.PRO")) returned 1 [0076.401] lstrcmpiW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.401] lstrcmpiW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.401] lstrcmpiW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.401] lstrcmpiW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.401] lstrcmpiW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.401] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml") returned 157 [0076.401] StrStrIW (lpFirst="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.401] lstrcmpW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.401] lstrcmpW (lpString1="673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.401] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.401] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\673__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.402] GetTickCount () returned 0x115370a [0076.402] GetTickCount () returned 0x115370a [0076.402] GetTickCount () returned 0x115370a [0076.402] GetTickCount () returned 0x115370a [0076.402] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.402] GetProcessHeap () returned 0x3a00000 [0076.402] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.402] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.404] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.404] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.404] GetProcessHeap () returned 0x3a00000 [0076.404] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.404] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.404] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.404] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.405] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.405] CloseHandle (hObject=0x440) returned 1 [0076.405] GetProcessHeap () returned 0x3a00000 [0076.405] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.405] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.405] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\673__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\673__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\673__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.406] GetProcessHeap () returned 0x3a00000 [0076.406] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.406] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917e3dfb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917e3dfb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917e3dfb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", cAlternateFileName="674__C~1.PRO")) returned 1 [0076.406] lstrcmpiW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.406] lstrcmpiW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.406] lstrcmpiW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.406] lstrcmpiW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.406] lstrcmpiW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.406] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml") returned 157 [0076.406] StrStrIW (lpFirst="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.406] lstrcmpW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.406] lstrcmpW (lpString1="674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.406] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.406] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\674__connections_cellular_lg u+ (korea)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.407] GetTickCount () returned 0x115371a [0076.407] GetTickCount () returned 0x115371a [0076.407] GetTickCount () returned 0x115371a [0076.407] GetTickCount () returned 0x115371a [0076.407] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.407] GetProcessHeap () returned 0x3a00000 [0076.407] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.407] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0076.408] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.408] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d2, lpOverlapped=0x0) returned 1 [0076.408] GetProcessHeap () returned 0x3a00000 [0076.408] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.409] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.409] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.409] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.409] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.409] CloseHandle (hObject=0x440) returned 1 [0076.409] GetProcessHeap () returned 0x3a00000 [0076.409] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.409] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.409] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\674__connections_cellular_lg u+ (korea)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\674__Connections_Cellular_LG U+ (Korea)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\674__connections_cellular_lg u+ (korea)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.410] GetProcessHeap () returned 0x3a00000 [0076.410] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.410] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917e3dfb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917e3dfb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917e3dfb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="675__C~1.PRO")) returned 1 [0076.410] lstrcmpiW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.410] lstrcmpiW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.410] lstrcmpiW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.410] lstrcmpiW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.410] lstrcmpiW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.410] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml") returned 157 [0076.410] StrStrIW (lpFirst="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.410] lstrcmpW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.410] lstrcmpW (lpString1="675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.410] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.410] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\675__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.410] GetTickCount () returned 0x115371a [0076.410] GetTickCount () returned 0x115371a [0076.410] GetTickCount () returned 0x115371a [0076.410] GetTickCount () returned 0x115371a [0076.410] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.411] GetProcessHeap () returned 0x3a00000 [0076.411] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.411] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.412] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.412] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.412] GetProcessHeap () returned 0x3a00000 [0076.412] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.412] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.412] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.412] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.412] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.413] CloseHandle (hObject=0x440) returned 1 [0076.413] GetProcessHeap () returned 0x3a00000 [0076.413] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.413] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.413] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\675__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\675__Connections_Cellular_LG U+ (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\675__connections_cellular_lg u+ (korea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.413] GetProcessHeap () returned 0x3a00000 [0076.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.413] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x917e3dfb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x917e3dfb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x917e3dfb, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", cAlternateFileName="676__C~1.PRO")) returned 1 [0076.413] lstrcmpiW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.413] lstrcmpiW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.413] lstrcmpiW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.413] lstrcmpiW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.414] lstrcmpiW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.414] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml") returned 160 [0076.414] StrStrIW (lpFirst="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.414] lstrcmpW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.414] lstrcmpW (lpString1="676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\676__connections_cellular_lenovo (germany)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.414] GetTickCount () returned 0x115371a [0076.414] GetTickCount () returned 0x115371a [0076.414] GetTickCount () returned 0x115371a [0076.414] GetTickCount () returned 0x115371a [0076.414] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.414] GetProcessHeap () returned 0x3a00000 [0076.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.414] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.416] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.416] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.416] GetProcessHeap () returned 0x3a00000 [0076.416] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.416] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.416] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.416] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.416] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.416] CloseHandle (hObject=0x440) returned 1 [0076.416] GetProcessHeap () returned 0x3a00000 [0076.417] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.417] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\676__connections_cellular_lenovo (germany)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\676__Connections_Cellular_Lenovo (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\676__connections_cellular_lenovo (germany)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.417] GetProcessHeap () returned 0x3a00000 [0076.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.417] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180a066, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9180a066, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9180a066, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", cAlternateFileName="677__C~1.PRO")) returned 1 [0076.417] lstrcmpiW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.418] lstrcmpiW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.418] lstrcmpiW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.418] lstrcmpiW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.418] lstrcmpiW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.418] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml") returned 167 [0076.418] StrStrIW (lpFirst="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.418] lstrcmpW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.418] lstrcmpW (lpString1="677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.418] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\677__connections_cellular_lenovo (united kingdom)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.418] GetTickCount () returned 0x115371a [0076.418] GetTickCount () returned 0x115371a [0076.418] GetTickCount () returned 0x115371a [0076.418] GetTickCount () returned 0x115371a [0076.418] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.418] GetProcessHeap () returned 0x3a00000 [0076.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.419] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0076.420] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.420] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0076.420] GetProcessHeap () returned 0x3a00000 [0076.420] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.420] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.421] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.421] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.421] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.421] CloseHandle (hObject=0x440) returned 1 [0076.421] GetProcessHeap () returned 0x3a00000 [0076.421] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.421] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0076.421] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\677__connections_cellular_lenovo (united kingdom)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\677__Connections_Cellular_Lenovo (United Kingdom)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\677__connections_cellular_lenovo (united kingdom)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.422] GetProcessHeap () returned 0x3a00000 [0076.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.422] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180a066, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9180a066, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9180a066, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="678__C~1.PRO")) returned 1 [0076.422] lstrcmpiW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.422] lstrcmpiW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.422] lstrcmpiW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.422] lstrcmpiW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.422] lstrcmpiW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.422] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml") returned 154 [0076.422] StrStrIW (lpFirst="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.422] lstrcmpW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.422] lstrcmpW (lpString1="678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.422] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.422] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\678__connections_cellular_kt (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.423] GetTickCount () returned 0x1153729 [0076.423] GetTickCount () returned 0x1153729 [0076.423] GetTickCount () returned 0x1153729 [0076.423] GetTickCount () returned 0x1153729 [0076.423] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.423] GetProcessHeap () returned 0x3a00000 [0076.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.423] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0076.424] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.425] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bf, lpOverlapped=0x0) returned 1 [0076.425] GetProcessHeap () returned 0x3a00000 [0076.425] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.425] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.425] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.425] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.425] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.425] CloseHandle (hObject=0x440) returned 1 [0076.425] GetProcessHeap () returned 0x3a00000 [0076.425] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.425] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0076.425] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\678__connections_cellular_kt (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\678__Connections_Cellular_kt (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\678__connections_cellular_kt (korea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.426] GetProcessHeap () returned 0x3a00000 [0076.426] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.426] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180a066, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9180a066, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9180a066, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x381, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="679__C~1.PRO")) returned 1 [0076.426] lstrcmpiW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.426] lstrcmpiW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.426] lstrcmpiW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.426] lstrcmpiW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.426] lstrcmpiW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.426] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml") returned 160 [0076.426] StrStrIW (lpFirst="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.426] lstrcmpW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.427] lstrcmpW (lpString1="679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.427] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.427] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\679__connections_cellular_y!mobile (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.427] GetTickCount () returned 0x1153729 [0076.427] GetTickCount () returned 0x1153729 [0076.427] GetTickCount () returned 0x1153729 [0076.427] GetTickCount () returned 0x1153729 [0076.427] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.427] GetProcessHeap () returned 0x3a00000 [0076.427] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.427] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x381, lpOverlapped=0x0) returned 1 [0076.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc7f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x381, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x381, lpOverlapped=0x0) returned 1 [0076.430] GetProcessHeap () returned 0x3a00000 [0076.430] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.430] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.430] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.430] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.431] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.431] CloseHandle (hObject=0x440) returned 1 [0076.431] GetProcessHeap () returned 0x3a00000 [0076.431] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.431] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.431] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\679__connections_cellular_y!mobile (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\679__Connections_Cellular_Y!mobile (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\679__connections_cellular_y!mobile (japan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.432] GetProcessHeap () returned 0x3a00000 [0076.432] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.432] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9032cd93, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9032cd93, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9032cd93, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", cAlternateFileName="67__CO~1.PRO")) returned 1 [0076.432] lstrcmpiW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.432] lstrcmpiW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.432] lstrcmpiW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.432] lstrcmpiW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.432] lstrcmpiW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.432] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml") returned 161 [0076.432] StrStrIW (lpFirst="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.432] lstrcmpW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.432] lstrcmpW (lpString1="67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.432] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.432] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\67__connections_cellular_telefonica (chile)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.432] GetTickCount () returned 0x1153729 [0076.432] GetTickCount () returned 0x1153729 [0076.433] GetTickCount () returned 0x1153729 [0076.433] GetTickCount () returned 0x1153729 [0076.433] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.433] GetProcessHeap () returned 0x3a00000 [0076.433] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.433] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.434] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.434] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.435] GetProcessHeap () returned 0x3a00000 [0076.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.435] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.435] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.435] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.435] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.435] CloseHandle (hObject=0x440) returned 1 [0076.435] GetProcessHeap () returned 0x3a00000 [0076.435] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.435] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0076.435] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\67__connections_cellular_telefonica (chile)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\67__Connections_Cellular_Telefonica (Chile)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\67__connections_cellular_telefonica (chile)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.436] GetProcessHeap () returned 0x3a00000 [0076.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.436] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180a066, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9180a066, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9180a066, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="680__C~1.PRO")) returned 1 [0076.436] lstrcmpiW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.436] lstrcmpiW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.436] lstrcmpiW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.436] lstrcmpiW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.436] lstrcmpiW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.436] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.436] StrStrIW (lpFirst="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.436] lstrcmpW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.436] lstrcmpW (lpString1="680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.436] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.436] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\680__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.437] GetTickCount () returned 0x1153739 [0076.437] GetTickCount () returned 0x1153739 [0076.437] GetTickCount () returned 0x1153739 [0076.437] GetTickCount () returned 0x1153739 [0076.437] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.437] GetProcessHeap () returned 0x3a00000 [0076.437] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.437] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.438] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.438] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.438] GetProcessHeap () returned 0x3a00000 [0076.438] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.438] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.438] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.439] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.439] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.439] CloseHandle (hObject=0x440) returned 1 [0076.439] GetProcessHeap () returned 0x3a00000 [0076.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.439] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\680__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\680__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\680__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.440] GetProcessHeap () returned 0x3a00000 [0076.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.440] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9180a066, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9180a066, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9180a066, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x29b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", cAlternateFileName="681__C~1.PRO")) returned 1 [0076.440] lstrcmpiW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.440] lstrcmpiW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.440] lstrcmpiW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.440] lstrcmpiW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.440] lstrcmpiW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.440] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml") returned 167 [0076.440] StrStrIW (lpFirst="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.440] lstrcmpW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.440] lstrcmpW (lpString1="681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.440] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\681__connections_cellular_sk telecom ltd. (korea)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.441] GetTickCount () returned 0x1153739 [0076.441] GetTickCount () returned 0x1153739 [0076.441] GetTickCount () returned 0x1153739 [0076.441] GetTickCount () returned 0x1153739 [0076.441] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.441] GetProcessHeap () returned 0x3a00000 [0076.441] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.441] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x29b, lpOverlapped=0x0) returned 1 [0076.443] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd65, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.443] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x29b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x29b, lpOverlapped=0x0) returned 1 [0076.443] GetProcessHeap () returned 0x3a00000 [0076.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.443] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.443] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.443] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.443] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.443] CloseHandle (hObject=0x440) returned 1 [0076.443] GetProcessHeap () returned 0x3a00000 [0076.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.443] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0076.443] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\681__connections_cellular_sk telecom ltd. (korea)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\681__Connections_Cellular_SK Telecom Ltd. (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\681__connections_cellular_sk telecom ltd. (korea)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.444] GetProcessHeap () returned 0x3a00000 [0076.444] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.444] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918302ce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918302ce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918302ce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x345, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", cAlternateFileName="682__C~1.PRO")) returned 1 [0076.446] lstrcmpiW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.446] lstrcmpiW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.446] lstrcmpiW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.446] lstrcmpiW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.447] lstrcmpiW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.447] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml") returned 158 [0076.447] StrStrIW (lpFirst="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.447] lstrcmpW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.447] lstrcmpW (lpString1="682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.447] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.447] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\682__connections_cellular_claro (brazil)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.447] GetTickCount () returned 0x1153739 [0076.447] GetTickCount () returned 0x1153739 [0076.447] GetTickCount () returned 0x1153739 [0076.447] GetTickCount () returned 0x1153739 [0076.447] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.447] GetProcessHeap () returned 0x3a00000 [0076.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.447] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x345, lpOverlapped=0x0) returned 1 [0076.449] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcbb, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.449] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x345, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x345, lpOverlapped=0x0) returned 1 [0076.449] GetProcessHeap () returned 0x3a00000 [0076.449] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.449] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.449] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.449] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.449] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.449] CloseHandle (hObject=0x440) returned 1 [0076.449] GetProcessHeap () returned 0x3a00000 [0076.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.449] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.449] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\682__connections_cellular_claro (brazil)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\682__Connections_Cellular_Claro (Brazil)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\682__connections_cellular_claro (brazil)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.456] GetProcessHeap () returned 0x3a00000 [0076.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.456] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918302ce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918302ce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918302ce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="683__C~1.PRO")) returned 1 [0076.456] lstrcmpiW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.456] lstrcmpiW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.456] lstrcmpiW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.456] lstrcmpiW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.456] lstrcmpiW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.456] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml") returned 168 [0076.456] StrStrIW (lpFirst="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.456] lstrcmpW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.456] lstrcmpW (lpString1="683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.456] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.456] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\683__connections_cellular_kddi corporation (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.457] GetTickCount () returned 0x1153749 [0076.457] GetTickCount () returned 0x1153749 [0076.457] GetTickCount () returned 0x1153749 [0076.457] GetTickCount () returned 0x1153749 [0076.457] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.457] GetProcessHeap () returned 0x3a00000 [0076.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.457] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x3ea, lpOverlapped=0x0) returned 1 [0076.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc16, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x3ea, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x3ea, lpOverlapped=0x0) returned 1 [0076.459] GetProcessHeap () returned 0x3a00000 [0076.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.459] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.459] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.459] CloseHandle (hObject=0x440) returned 1 [0076.459] GetProcessHeap () returned 0x3a00000 [0076.459] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.459] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0076.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\683__connections_cellular_kddi corporation (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\683__Connections_Cellular_KDDI Corporation (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\683__connections_cellular_kddi corporation (japan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.460] GetProcessHeap () returned 0x3a00000 [0076.460] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.460] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918302ce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918302ce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918302ce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="684__C~1.PRO")) returned 1 [0076.460] lstrcmpiW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.460] lstrcmpiW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.461] lstrcmpiW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.461] lstrcmpiW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.461] lstrcmpiW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.461] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.461] StrStrIW (lpFirst="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.461] lstrcmpW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.461] lstrcmpW (lpString1="684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.461] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.461] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\684__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] GetTickCount () returned 0x1153749 [0076.461] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.461] GetProcessHeap () returned 0x3a00000 [0076.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.461] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1be, lpOverlapped=0x0) returned 1 [0076.463] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.463] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1be, lpOverlapped=0x0) returned 1 [0076.463] GetProcessHeap () returned 0x3a00000 [0076.463] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.463] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.463] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.464] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.464] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.464] CloseHandle (hObject=0x440) returned 1 [0076.464] GetProcessHeap () returned 0x3a00000 [0076.464] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.464] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.464] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\684__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\684__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\684__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.465] GetProcessHeap () returned 0x3a00000 [0076.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.465] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918302ce, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918302ce, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918302ce, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", cAlternateFileName="685__C~1.PRO")) returned 1 [0076.465] lstrcmpiW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.465] lstrcmpiW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.465] lstrcmpiW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.465] lstrcmpiW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.465] lstrcmpiW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.465] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml") returned 180 [0076.465] StrStrIW (lpFirst="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.465] lstrcmpW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.465] lstrcmpW (lpString1="685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.465] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.465] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\685__connections_cellular_bharat sanchar nigam limited (india)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.465] GetTickCount () returned 0x1153749 [0076.465] GetTickCount () returned 0x1153749 [0076.465] GetTickCount () returned 0x1153749 [0076.466] GetTickCount () returned 0x1153749 [0076.478] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.478] GetProcessHeap () returned 0x3a00000 [0076.478] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.478] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.479] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.480] GetProcessHeap () returned 0x3a00000 [0076.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.480] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.480] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.480] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.480] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.480] CloseHandle (hObject=0x440) returned 1 [0076.480] GetProcessHeap () returned 0x3a00000 [0076.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.480] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0076.480] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\685__connections_cellular_bharat sanchar nigam limited (india)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\685__Connections_Cellular_Bharat Sanchar Nigam Limited (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\685__connections_cellular_bharat sanchar nigam limited (india)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.494] GetProcessHeap () returned 0x3a00000 [0076.494] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.494] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9185653d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9185653d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9185653d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", cAlternateFileName="686__C~1.PRO")) returned 1 [0076.494] lstrcmpiW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.494] lstrcmpiW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.494] lstrcmpiW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.494] lstrcmpiW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.494] lstrcmpiW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.494] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml") returned 164 [0076.495] StrStrIW (lpFirst="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.495] lstrcmpW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.495] lstrcmpW (lpString1="686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.495] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.495] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\686__connections_cellular_t-mobile.pl (poland)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.495] GetTickCount () returned 0x1153768 [0076.495] GetTickCount () returned 0x1153768 [0076.495] GetTickCount () returned 0x1153768 [0076.495] GetTickCount () returned 0x1153768 [0076.495] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.495] GetProcessHeap () returned 0x3a00000 [0076.496] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.496] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x357, lpOverlapped=0x0) returned 1 [0076.497] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffca9, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.497] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x357, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x357, lpOverlapped=0x0) returned 1 [0076.497] GetProcessHeap () returned 0x3a00000 [0076.497] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.497] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.497] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.498] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.498] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.498] CloseHandle (hObject=0x440) returned 1 [0076.498] GetProcessHeap () returned 0x3a00000 [0076.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.498] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.498] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\686__connections_cellular_t-mobile.pl (poland)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\686__Connections_Cellular_T-Mobile.pl (Poland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\686__connections_cellular_t-mobile.pl (poland)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.499] GetProcessHeap () returned 0x3a00000 [0076.499] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.499] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9185653d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9185653d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9185653d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="687__C~1.PRO")) returned 1 [0076.499] lstrcmpiW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.499] lstrcmpiW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.499] lstrcmpiW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.499] lstrcmpiW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.499] lstrcmpiW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.499] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml") returned 163 [0076.499] StrStrIW (lpFirst="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.499] lstrcmpW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.499] lstrcmpW (lpString1="687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.499] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.499] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\687__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.500] GetTickCount () returned 0x1153777 [0076.500] GetTickCount () returned 0x1153777 [0076.500] GetTickCount () returned 0x1153777 [0076.500] GetTickCount () returned 0x1153777 [0076.500] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.500] GetProcessHeap () returned 0x3a00000 [0076.500] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.500] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.503] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.503] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.503] GetProcessHeap () returned 0x3a00000 [0076.503] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.503] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.503] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.504] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.504] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.504] CloseHandle (hObject=0x440) returned 1 [0076.504] GetProcessHeap () returned 0x3a00000 [0076.504] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.504] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.504] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\687__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\687__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\687__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.505] GetProcessHeap () returned 0x3a00000 [0076.505] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.505] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9185653d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9185653d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9185653d, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="688__C~1.PRO")) returned 1 [0076.505] lstrcmpiW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.505] lstrcmpiW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.505] lstrcmpiW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.505] lstrcmpiW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.505] lstrcmpiW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.505] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml") returned 163 [0076.505] StrStrIW (lpFirst="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.505] lstrcmpW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.505] lstrcmpW (lpString1="688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.505] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.505] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\688__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.505] GetTickCount () returned 0x1153777 [0076.506] GetTickCount () returned 0x1153777 [0076.506] GetTickCount () returned 0x1153777 [0076.506] GetTickCount () returned 0x1153777 [0076.506] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.506] GetProcessHeap () returned 0x3a00000 [0076.506] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.506] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.507] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.507] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.507] GetProcessHeap () returned 0x3a00000 [0076.507] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.507] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.507] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.508] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.508] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.508] CloseHandle (hObject=0x440) returned 1 [0076.508] GetProcessHeap () returned 0x3a00000 [0076.508] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.508] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.508] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\688__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\688__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\688__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.509] GetProcessHeap () returned 0x3a00000 [0076.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.509] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9187c7a9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9187c7a9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9187c7a9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="689__C~1.PRO")) returned 1 [0076.509] lstrcmpiW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.509] lstrcmpiW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.509] lstrcmpiW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.509] lstrcmpiW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.509] lstrcmpiW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.509] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml") returned 163 [0076.509] StrStrIW (lpFirst="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.509] lstrcmpW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.509] lstrcmpW (lpString1="689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.509] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\689__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.510] GetTickCount () returned 0x1153777 [0076.510] GetTickCount () returned 0x1153777 [0076.510] GetTickCount () returned 0x1153777 [0076.510] GetTickCount () returned 0x1153777 [0076.510] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.510] GetProcessHeap () returned 0x3a00000 [0076.510] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.510] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.511] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.511] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.511] GetProcessHeap () returned 0x3a00000 [0076.511] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.512] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.512] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.512] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.512] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.512] CloseHandle (hObject=0x440) returned 1 [0076.512] GetProcessHeap () returned 0x3a00000 [0076.512] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.512] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\689__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\689__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\689__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.513] GetProcessHeap () returned 0x3a00000 [0076.513] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.513] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9032cd93, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9032cd93, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9032cd93, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", cAlternateFileName="68__CO~1.PRO")) returned 1 [0076.513] lstrcmpiW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.513] lstrcmpiW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.513] lstrcmpiW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.513] lstrcmpiW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.513] lstrcmpiW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.513] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml") returned 163 [0076.513] StrStrIW (lpFirst="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.513] lstrcmpW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.513] lstrcmpW (lpString1="68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.514] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.514] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\68__connections_cellular_china mobile (china)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.514] GetTickCount () returned 0x1153787 [0076.514] GetTickCount () returned 0x1153787 [0076.514] GetTickCount () returned 0x1153787 [0076.514] GetTickCount () returned 0x1153787 [0076.514] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.514] GetProcessHeap () returned 0x3a00000 [0076.514] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.514] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.515] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.516] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.516] GetProcessHeap () returned 0x3a00000 [0076.516] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.516] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.516] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.516] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.516] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.516] CloseHandle (hObject=0x440) returned 1 [0076.516] GetProcessHeap () returned 0x3a00000 [0076.516] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.516] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.516] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\68__connections_cellular_china mobile (china)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\68__Connections_Cellular_China Mobile (China)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\68__connections_cellular_china mobile (china)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.517] GetProcessHeap () returned 0x3a00000 [0076.517] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.517] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9187c7a9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9187c7a9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9187c7a9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="690__C~1.PRO")) returned 1 [0076.517] lstrcmpiW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.517] lstrcmpiW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.517] lstrcmpiW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.517] lstrcmpiW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.517] lstrcmpiW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.517] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml") returned 163 [0076.517] StrStrIW (lpFirst="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.517] lstrcmpW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.517] lstrcmpW (lpString1="690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.517] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.517] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\690__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.518] GetTickCount () returned 0x1153787 [0076.518] GetTickCount () returned 0x1153787 [0076.518] GetTickCount () returned 0x1153787 [0076.518] GetTickCount () returned 0x1153787 [0076.518] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.518] GetProcessHeap () returned 0x3a00000 [0076.518] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.518] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.519] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.519] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.520] GetProcessHeap () returned 0x3a00000 [0076.520] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.520] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.520] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.520] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.520] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.520] CloseHandle (hObject=0x440) returned 1 [0076.520] GetProcessHeap () returned 0x3a00000 [0076.520] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.520] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\690__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\690__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\690__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.521] GetProcessHeap () returned 0x3a00000 [0076.521] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.521] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9187c7a9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9187c7a9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9187c7a9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="691__C~1.PRO")) returned 1 [0076.521] lstrcmpiW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.521] lstrcmpiW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.521] lstrcmpiW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.521] lstrcmpiW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.521] lstrcmpiW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.521] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml") returned 163 [0076.521] StrStrIW (lpFirst="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.521] lstrcmpW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.521] lstrcmpW (lpString1="691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.521] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.521] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\691__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.522] GetTickCount () returned 0x1153787 [0076.522] GetTickCount () returned 0x1153787 [0076.522] GetTickCount () returned 0x1153787 [0076.522] GetTickCount () returned 0x1153787 [0076.522] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.522] GetProcessHeap () returned 0x3a00000 [0076.522] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.522] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.523] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd32, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.523] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ce, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ce, lpOverlapped=0x0) returned 1 [0076.523] GetProcessHeap () returned 0x3a00000 [0076.523] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.523] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.523] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.524] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.524] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.524] CloseHandle (hObject=0x440) returned 1 [0076.524] GetProcessHeap () returned 0x3a00000 [0076.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.524] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.524] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\691__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\691__Connections_Cellular_FarEasTone (Taiwan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\691__connections_cellular_fareastone (taiwan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.525] GetProcessHeap () returned 0x3a00000 [0076.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.525] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9187c7a9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9187c7a9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9187c7a9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", cAlternateFileName="692__C~1.PRO")) returned 1 [0076.525] lstrcmpiW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.525] lstrcmpiW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.525] lstrcmpiW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.525] lstrcmpiW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.525] lstrcmpiW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.525] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml") returned 163 [0076.525] StrStrIW (lpFirst="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.525] lstrcmpW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.525] lstrcmpW (lpString1="692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.525] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.525] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\692__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.526] GetTickCount () returned 0x1153787 [0076.526] GetTickCount () returned 0x1153787 [0076.526] GetTickCount () returned 0x1153787 [0076.526] GetTickCount () returned 0x1153787 [0076.526] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.526] GetProcessHeap () returned 0x3a00000 [0076.526] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.526] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.527] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.527] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.527] GetProcessHeap () returned 0x3a00000 [0076.527] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.528] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.528] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.528] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.528] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.528] CloseHandle (hObject=0x440) returned 1 [0076.528] GetProcessHeap () returned 0x3a00000 [0076.528] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.528] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.528] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\692__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\692__Connections_Cellular_FarEasTone (Taiwan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\692__connections_cellular_fareastone (taiwan)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.529] GetProcessHeap () returned 0x3a00000 [0076.529] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.529] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918a2a15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", cAlternateFileName="693__C~1.PRO")) returned 1 [0076.529] lstrcmpiW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.529] lstrcmpiW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.529] lstrcmpiW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.529] lstrcmpiW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.529] lstrcmpiW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.529] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml") returned 162 [0076.529] StrStrIW (lpFirst="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.529] lstrcmpW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.529] lstrcmpW (lpString1="693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.529] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.529] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\693__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.530] GetTickCount () returned 0x1153797 [0076.530] GetTickCount () returned 0x1153797 [0076.530] GetTickCount () returned 0x1153797 [0076.530] GetTickCount () returned 0x1153797 [0076.530] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.530] GetProcessHeap () returned 0x3a00000 [0076.530] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.530] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.557] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.558] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.558] GetProcessHeap () returned 0x3a00000 [0076.558] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.558] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.558] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.558] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.558] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.558] CloseHandle (hObject=0x440) returned 1 [0076.558] GetProcessHeap () returned 0x3a00000 [0076.558] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.558] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.558] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\693__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\693__Connections_Cellular_Kyivstar (Ukraine)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\693__connections_cellular_kyivstar (ukraine)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.560] GetProcessHeap () returned 0x3a00000 [0076.560] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.560] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918a2a15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", cAlternateFileName="694__C~1.PRO")) returned 1 [0076.560] lstrcmpiW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.560] lstrcmpiW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.560] lstrcmpiW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.560] lstrcmpiW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.560] lstrcmpiW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.560] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml") returned 162 [0076.560] StrStrIW (lpFirst="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.560] lstrcmpW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.560] lstrcmpW (lpString1="694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.560] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\694__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.561] GetTickCount () returned 0x11537b6 [0076.561] GetTickCount () returned 0x11537b6 [0076.561] GetTickCount () returned 0x11537b6 [0076.561] GetTickCount () returned 0x11537b6 [0076.561] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.561] GetProcessHeap () returned 0x3a00000 [0076.561] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.561] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.563] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.563] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d4, lpOverlapped=0x0) returned 1 [0076.563] GetProcessHeap () returned 0x3a00000 [0076.563] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.563] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.563] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.563] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.563] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.563] CloseHandle (hObject=0x440) returned 1 [0076.564] GetProcessHeap () returned 0x3a00000 [0076.564] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.564] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\694__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\694__Connections_Cellular_Kyivstar (Ukraine)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\694__connections_cellular_kyivstar (ukraine)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.565] GetProcessHeap () returned 0x3a00000 [0076.565] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.565] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918a2a15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", cAlternateFileName="695__C~1.PRO")) returned 1 [0076.565] lstrcmpiW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.565] lstrcmpiW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.565] lstrcmpiW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.565] lstrcmpiW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.565] lstrcmpiW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.565] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml") returned 162 [0076.565] StrStrIW (lpFirst="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.565] lstrcmpW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.565] lstrcmpW (lpString1="695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.565] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.565] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\695__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.566] GetTickCount () returned 0x11537b6 [0076.566] GetTickCount () returned 0x11537b6 [0076.566] GetTickCount () returned 0x11537b6 [0076.566] GetTickCount () returned 0x11537b6 [0076.566] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.566] GetProcessHeap () returned 0x3a00000 [0076.566] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.566] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.568] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.568] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d3, lpOverlapped=0x0) returned 1 [0076.569] GetProcessHeap () returned 0x3a00000 [0076.569] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.569] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.569] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.569] CloseHandle (hObject=0x440) returned 1 [0076.569] GetProcessHeap () returned 0x3a00000 [0076.569] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.569] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\695__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\695__Connections_Cellular_Kyivstar (Ukraine)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\695__connections_cellular_kyivstar (ukraine)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.570] GetProcessHeap () returned 0x3a00000 [0076.570] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.570] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918a2a15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", cAlternateFileName="696__C~1.PRO")) returned 1 [0076.570] lstrcmpiW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.570] lstrcmpiW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.570] lstrcmpiW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.570] lstrcmpiW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.570] lstrcmpiW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.570] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml") returned 162 [0076.571] StrStrIW (lpFirst="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.571] lstrcmpW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.571] lstrcmpW (lpString1="696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.571] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.571] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\696__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] GetTickCount () returned 0x11537b6 [0076.571] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.571] GetProcessHeap () returned 0x3a00000 [0076.571] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.571] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.573] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.573] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.573] GetProcessHeap () returned 0x3a00000 [0076.573] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.573] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.573] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.573] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.573] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.573] CloseHandle (hObject=0x440) returned 1 [0076.573] GetProcessHeap () returned 0x3a00000 [0076.574] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.574] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.574] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\696__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\696__Connections_Cellular_Kyivstar (Ukraine)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\696__connections_cellular_kyivstar (ukraine)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.574] GetProcessHeap () returned 0x3a00000 [0076.574] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.575] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918a2a15, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", cAlternateFileName="697__C~1.PRO")) returned 1 [0076.575] lstrcmpiW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.575] lstrcmpiW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.575] lstrcmpiW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.575] lstrcmpiW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.575] lstrcmpiW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.575] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml") returned 162 [0076.575] StrStrIW (lpFirst="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.575] lstrcmpW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.575] lstrcmpW (lpString1="697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.575] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.575] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\697__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.575] GetTickCount () returned 0x11537c6 [0076.575] GetTickCount () returned 0x11537c6 [0076.575] GetTickCount () returned 0x11537c6 [0076.575] GetTickCount () returned 0x11537c6 [0076.575] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.576] GetProcessHeap () returned 0x3a00000 [0076.576] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.576] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.577] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.577] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.578] GetProcessHeap () returned 0x3a00000 [0076.578] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.578] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.578] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.578] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.578] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.578] CloseHandle (hObject=0x440) returned 1 [0076.578] GetProcessHeap () returned 0x3a00000 [0076.578] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.578] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.578] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\697__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\697__Connections_Cellular_Kyivstar (Ukraine)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\697__connections_cellular_kyivstar (ukraine)_i4$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.579] GetProcessHeap () returned 0x3a00000 [0076.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.579] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918a2a15, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918a2a15, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918c8c7c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", cAlternateFileName="698__C~1.PRO")) returned 1 [0076.581] lstrcmpiW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.581] lstrcmpiW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.581] lstrcmpiW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.581] lstrcmpiW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.581] lstrcmpiW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.581] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml") returned 155 [0076.581] StrStrIW (lpFirst="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.581] lstrcmpW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.581] lstrcmpW (lpString1="698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.581] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.581] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\698__connections_cellular_3 (austria)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.581] GetTickCount () returned 0x11537c6 [0076.581] GetTickCount () returned 0x11537c6 [0076.581] GetTickCount () returned 0x11537c6 [0076.581] GetTickCount () returned 0x11537c6 [0076.581] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.582] GetProcessHeap () returned 0x3a00000 [0076.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.582] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0076.583] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.583] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bc, lpOverlapped=0x0) returned 1 [0076.583] GetProcessHeap () returned 0x3a00000 [0076.583] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.583] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.583] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.583] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.583] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.584] CloseHandle (hObject=0x440) returned 1 [0076.584] GetProcessHeap () returned 0x3a00000 [0076.584] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.584] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 174 [0076.584] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\698__connections_cellular_3 (austria)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\698__Connections_Cellular_3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\698__connections_cellular_3 (austria)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.584] GetProcessHeap () returned 0x3a00000 [0076.584] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.584] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918c8c7c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918c8c7c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918c8c7c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="699__C~1.PRO")) returned 1 [0076.585] lstrcmpiW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.585] lstrcmpiW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.585] lstrcmpiW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.585] lstrcmpiW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.585] lstrcmpiW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.585] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.585] StrStrIW (lpFirst="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.585] lstrcmpW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.585] lstrcmpW (lpString1="699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.585] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.585] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\699__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.585] GetTickCount () returned 0x11537c6 [0076.585] GetTickCount () returned 0x11537c6 [0076.585] GetTickCount () returned 0x11537c6 [0076.585] GetTickCount () returned 0x11537c6 [0076.585] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.585] GetProcessHeap () returned 0x3a00000 [0076.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.585] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.586] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.587] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.587] GetProcessHeap () returned 0x3a00000 [0076.587] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.587] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.587] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.588] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.588] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.588] CloseHandle (hObject=0x440) returned 1 [0076.588] GetProcessHeap () returned 0x3a00000 [0076.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.589] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.589] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\699__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\699__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\699__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.589] GetProcessHeap () returned 0x3a00000 [0076.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.589] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9032cd93, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9032cd93, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9032cd93, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="69__CE~1.PRO")) returned 1 [0076.589] lstrcmpiW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.589] lstrcmpiW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.589] lstrcmpiW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.589] lstrcmpiW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.590] lstrcmpiW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.590] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0076.590] StrStrIW (lpFirst="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.590] lstrcmpW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.590] lstrcmpW (lpString1="69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.590] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.590] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\69__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.590] GetTickCount () returned 0x11537c6 [0076.590] GetTickCount () returned 0x11537c6 [0076.590] GetTickCount () returned 0x11537c6 [0076.590] GetTickCount () returned 0x11537c6 [0076.590] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.590] GetProcessHeap () returned 0x3a00000 [0076.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.590] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1db, lpOverlapped=0x0) returned 1 [0076.592] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe25, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.592] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1db, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1db, lpOverlapped=0x0) returned 1 [0076.592] GetProcessHeap () returned 0x3a00000 [0076.592] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.592] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.592] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.593] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.593] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.593] CloseHandle (hObject=0x440) returned 1 [0076.593] GetProcessHeap () returned 0x3a00000 [0076.593] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.593] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 180 [0076.594] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\69__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\69__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\69__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.594] GetProcessHeap () returned 0x3a00000 [0076.594] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.594] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900f0949, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900f0949, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900f0949, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", cAlternateFileName="6__CON~1.PRO")) returned 1 [0076.594] lstrcmpiW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.594] lstrcmpiW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.594] lstrcmpiW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.594] lstrcmpiW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.594] lstrcmpiW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.595] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml") returned 164 [0076.595] StrStrIW (lpFirst="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.595] lstrcmpW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.595] lstrcmpW (lpString1="6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.595] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.595] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\6__connections_cellular_telefonica (argentina)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.595] GetTickCount () returned 0x11537d5 [0076.595] GetTickCount () returned 0x11537d5 [0076.595] GetTickCount () returned 0x11537d5 [0076.595] GetTickCount () returned 0x11537d5 [0076.595] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.595] GetProcessHeap () returned 0x3a00000 [0076.595] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.595] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.609] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd35, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.609] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cb, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cb, lpOverlapped=0x0) returned 1 [0076.609] GetProcessHeap () returned 0x3a00000 [0076.609] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.609] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.609] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.609] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.609] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.610] CloseHandle (hObject=0x440) returned 1 [0076.610] GetProcessHeap () returned 0x3a00000 [0076.610] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.610] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.610] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\6__connections_cellular_telefonica (argentina)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\6__Connections_Cellular_Telefonica (Argentina)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\6__connections_cellular_telefonica (argentina)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.611] GetProcessHeap () returned 0x3a00000 [0076.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.611] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918c8c7c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918c8c7c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918c8c7c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="700__C~1.PRO")) returned 1 [0076.611] lstrcmpiW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.611] lstrcmpiW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.611] lstrcmpiW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.611] lstrcmpiW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.611] lstrcmpiW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.611] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml") returned 157 [0076.611] StrStrIW (lpFirst="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.611] lstrcmpW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.611] lstrcmpW (lpString1="700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.611] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.611] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\700__connections_cellular_3 (indonesia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] GetTickCount () returned 0x11537e5 [0076.612] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.612] GetProcessHeap () returned 0x3a00000 [0076.612] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.612] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0076.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd42, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2be, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2be, lpOverlapped=0x0) returned 1 [0076.614] GetProcessHeap () returned 0x3a00000 [0076.614] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.614] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.614] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.614] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.614] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.615] CloseHandle (hObject=0x440) returned 1 [0076.615] GetProcessHeap () returned 0x3a00000 [0076.615] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.615] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 176 [0076.615] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\700__connections_cellular_3 (indonesia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\700__Connections_Cellular_3 (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\700__connections_cellular_3 (indonesia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.616] GetProcessHeap () returned 0x3a00000 [0076.616] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.616] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918c8c7c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918c8c7c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918c8c7c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="701__C~1.PRO")) returned 1 [0076.616] lstrcmpiW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.616] lstrcmpiW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.616] lstrcmpiW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.616] lstrcmpiW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.616] lstrcmpiW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.616] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.616] StrStrIW (lpFirst="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.616] lstrcmpW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.616] lstrcmpW (lpString1="701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\701__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.617] GetTickCount () returned 0x11537e5 [0076.617] GetTickCount () returned 0x11537e5 [0076.617] GetTickCount () returned 0x11537e5 [0076.617] GetTickCount () returned 0x11537e5 [0076.617] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.617] GetProcessHeap () returned 0x3a00000 [0076.617] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.617] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.618] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c6, lpOverlapped=0x0) returned 1 [0076.618] GetProcessHeap () returned 0x3a00000 [0076.618] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.618] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.619] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.619] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.619] CloseHandle (hObject=0x440) returned 1 [0076.619] GetProcessHeap () returned 0x3a00000 [0076.619] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.619] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.619] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\701__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\701__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\701__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.620] GetProcessHeap () returned 0x3a00000 [0076.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.620] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918c8c7c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918c8c7c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918c8c7c, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="702__C~1.PRO")) returned 1 [0076.620] lstrcmpiW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.620] lstrcmpiW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.620] lstrcmpiW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.620] lstrcmpiW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.620] lstrcmpiW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.621] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml") returned 153 [0076.621] StrStrIW (lpFirst="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.621] lstrcmpW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.621] lstrcmpW (lpString1="702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.621] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.621] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\702__connections_cellular_3 (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.622] GetTickCount () returned 0x11537e5 [0076.622] GetTickCount () returned 0x11537e5 [0076.622] GetTickCount () returned 0x11537e5 [0076.622] GetTickCount () returned 0x11537e5 [0076.622] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.622] GetProcessHeap () returned 0x3a00000 [0076.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.622] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.624] GetProcessHeap () returned 0x3a00000 [0076.624] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.624] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.624] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.624] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.624] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.624] CloseHandle (hObject=0x440) returned 1 [0076.624] GetProcessHeap () returned 0x3a00000 [0076.624] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.624] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 172 [0076.624] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\702__connections_cellular_3 (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\702__Connections_Cellular_3 (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\702__connections_cellular_3 (italy)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.625] GetProcessHeap () returned 0x3a00000 [0076.625] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.625] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918c8c7c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918c8c7c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", cAlternateFileName="703__C~1.PRO")) returned 1 [0076.625] lstrcmpiW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.625] lstrcmpiW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.625] lstrcmpiW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.625] lstrcmpiW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.625] lstrcmpiW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.625] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml") returned 153 [0076.625] StrStrIW (lpFirst="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.625] lstrcmpW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.625] lstrcmpW (lpString1="703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.626] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.626] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\703__connections_cellular_3 (italy)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.626] GetTickCount () returned 0x11537f4 [0076.626] GetTickCount () returned 0x11537f4 [0076.626] GetTickCount () returned 0x11537f4 [0076.626] GetTickCount () returned 0x11537f4 [0076.626] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.626] GetProcessHeap () returned 0x3a00000 [0076.626] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.626] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.628] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.628] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c1, lpOverlapped=0x0) returned 1 [0076.628] GetProcessHeap () returned 0x3a00000 [0076.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.628] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.628] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.628] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.628] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.628] CloseHandle (hObject=0x440) returned 1 [0076.629] GetProcessHeap () returned 0x3a00000 [0076.629] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.629] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 172 [0076.629] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\703__connections_cellular_3 (italy)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\703__Connections_Cellular_3 (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\703__connections_cellular_3 (italy)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.629] GetProcessHeap () returned 0x3a00000 [0076.630] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.630] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918eeee8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918eeee8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="704__C~1.PRO")) returned 1 [0076.630] lstrcmpiW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.630] lstrcmpiW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.630] lstrcmpiW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.630] lstrcmpiW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.630] lstrcmpiW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.630] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.630] StrStrIW (lpFirst="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.630] lstrcmpW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.630] lstrcmpW (lpString1="704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.630] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.630] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\704__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.630] GetTickCount () returned 0x11537f4 [0076.630] GetTickCount () returned 0x11537f4 [0076.630] GetTickCount () returned 0x11537f4 [0076.630] GetTickCount () returned 0x11537f4 [0076.630] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.630] GetProcessHeap () returned 0x3a00000 [0076.631] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.631] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.631] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.632] GetProcessHeap () returned 0x3a00000 [0076.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.632] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.632] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.633] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.633] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.633] CloseHandle (hObject=0x440) returned 1 [0076.634] GetProcessHeap () returned 0x3a00000 [0076.634] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.634] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.634] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\704__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\704__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\704__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.634] GetProcessHeap () returned 0x3a00000 [0076.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.634] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918eeee8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918eeee8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", cAlternateFileName="705__C~1.PRO")) returned 1 [0076.634] lstrcmpiW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.635] lstrcmpiW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.635] lstrcmpiW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.635] lstrcmpiW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.635] lstrcmpiW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.635] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml") returned 159 [0076.635] StrStrIW (lpFirst="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.635] lstrcmpW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.635] lstrcmpW (lpString1="705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.635] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.635] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\705__connections_cellular_fastweb (italy)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.635] GetTickCount () returned 0x11537f4 [0076.635] GetTickCount () returned 0x11537f4 [0076.635] GetTickCount () returned 0x11537f4 [0076.635] GetTickCount () returned 0x11537f4 [0076.635] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.635] GetProcessHeap () returned 0x3a00000 [0076.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.635] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.637] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.637] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.637] GetProcessHeap () returned 0x3a00000 [0076.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.637] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.637] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.637] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.637] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.637] CloseHandle (hObject=0x440) returned 1 [0076.638] GetProcessHeap () returned 0x3a00000 [0076.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.638] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.638] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\705__connections_cellular_fastweb (italy)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\705__Connections_Cellular_FASTWEB (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\705__connections_cellular_fastweb (italy)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.638] GetProcessHeap () returned 0x3a00000 [0076.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.638] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918eeee8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918eeee8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", cAlternateFileName="706__C~1.PRO")) returned 1 [0076.638] lstrcmpiW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.638] lstrcmpiW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.638] lstrcmpiW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.638] lstrcmpiW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.639] lstrcmpiW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.639] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml") returned 159 [0076.639] StrStrIW (lpFirst="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.639] lstrcmpW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.639] lstrcmpW (lpString1="706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.639] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.639] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\706__connections_cellular_fastweb (italy)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.639] GetTickCount () returned 0x1153804 [0076.639] GetTickCount () returned 0x1153804 [0076.639] GetTickCount () returned 0x1153804 [0076.639] GetTickCount () returned 0x1153804 [0076.639] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.639] GetProcessHeap () returned 0x3a00000 [0076.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.639] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.641] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.641] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.641] GetProcessHeap () returned 0x3a00000 [0076.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.641] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.641] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.641] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.641] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.641] CloseHandle (hObject=0x440) returned 1 [0076.641] GetProcessHeap () returned 0x3a00000 [0076.641] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.641] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.641] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\706__connections_cellular_fastweb (italy)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\706__Connections_Cellular_FASTWEB (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\706__connections_cellular_fastweb (italy)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.642] GetProcessHeap () returned 0x3a00000 [0076.642] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.642] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918eeee8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918eeee8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", cAlternateFileName="707__C~1.PRO")) returned 1 [0076.642] lstrcmpiW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.642] lstrcmpiW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.642] lstrcmpiW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.642] lstrcmpiW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.642] lstrcmpiW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.643] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml") returned 162 [0076.643] StrStrIW (lpFirst="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.643] lstrcmpW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.643] lstrcmpW (lpString1="707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.643] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.643] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\707__connections_cellular_transatel (france)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.643] GetTickCount () returned 0x1153804 [0076.643] GetTickCount () returned 0x1153804 [0076.643] GetTickCount () returned 0x1153804 [0076.643] GetTickCount () returned 0x1153804 [0076.643] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.643] GetProcessHeap () returned 0x3a00000 [0076.643] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.643] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.651] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd39, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.651] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c7, lpOverlapped=0x0) returned 1 [0076.651] GetProcessHeap () returned 0x3a00000 [0076.651] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.651] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.651] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.651] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.651] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.651] CloseHandle (hObject=0x440) returned 1 [0076.652] GetProcessHeap () returned 0x3a00000 [0076.652] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.652] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.652] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\707__connections_cellular_transatel (france)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\707__Connections_Cellular_Transatel (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\707__connections_cellular_transatel (france)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.657] GetProcessHeap () returned 0x3a00000 [0076.657] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.657] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x918eeee8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x918eeee8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x918eeee8, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", cAlternateFileName="708__C~1.PRO")) returned 1 [0076.657] lstrcmpiW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.657] lstrcmpiW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.657] lstrcmpiW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.657] lstrcmpiW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.657] lstrcmpiW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.657] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml") returned 162 [0076.657] StrStrIW (lpFirst="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.657] lstrcmpW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.657] lstrcmpW (lpString1="708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.657] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.657] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\708__connections_cellular_transatel (france)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.658] GetTickCount () returned 0x1153814 [0076.658] GetTickCount () returned 0x1153814 [0076.658] GetTickCount () returned 0x1153814 [0076.658] GetTickCount () returned 0x1153814 [0076.658] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.658] GetProcessHeap () returned 0x3a00000 [0076.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.658] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.659] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.659] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.660] GetProcessHeap () returned 0x3a00000 [0076.660] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.660] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.660] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.660] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.660] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.660] CloseHandle (hObject=0x440) returned 1 [0076.660] GetProcessHeap () returned 0x3a00000 [0076.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.660] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.660] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\708__connections_cellular_transatel (france)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\708__Connections_Cellular_Transatel (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\708__connections_cellular_transatel (france)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.661] GetProcessHeap () returned 0x3a00000 [0076.661] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.661] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91915157, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91915157, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91915157, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", cAlternateFileName="709__C~1.PRO")) returned 1 [0076.661] lstrcmpiW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.661] lstrcmpiW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.661] lstrcmpiW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.661] lstrcmpiW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.661] lstrcmpiW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml") returned 165 [0076.661] StrStrIW (lpFirst="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.661] lstrcmpW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.661] lstrcmpW (lpString1="709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.661] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.661] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\709__connections_cellular_transatel (worldwide)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.662] GetTickCount () returned 0x1153814 [0076.662] GetTickCount () returned 0x1153814 [0076.662] GetTickCount () returned 0x1153814 [0076.662] GetTickCount () returned 0x1153814 [0076.662] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.662] GetProcessHeap () returned 0x3a00000 [0076.662] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.662] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.664] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.664] GetProcessHeap () returned 0x3a00000 [0076.664] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.664] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.664] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.664] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.664] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.664] CloseHandle (hObject=0x440) returned 1 [0076.664] GetProcessHeap () returned 0x3a00000 [0076.664] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.664] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0076.664] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\709__connections_cellular_transatel (worldwide)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\709__Connections_Cellular_Transatel (Worldwide)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\709__connections_cellular_transatel (worldwide)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.665] GetProcessHeap () returned 0x3a00000 [0076.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.665] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90353002, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90353002, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90353002, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", cAlternateFileName="70__CO~1.PRO")) returned 1 [0076.665] lstrcmpiW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.665] lstrcmpiW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.665] lstrcmpiW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.665] lstrcmpiW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.665] lstrcmpiW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml") returned 163 [0076.665] StrStrIW (lpFirst="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.665] lstrcmpW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.666] lstrcmpW (lpString1="70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.666] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.666] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\70__connections_cellular_china unicom (china)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.666] GetTickCount () returned 0x1153814 [0076.666] GetTickCount () returned 0x1153814 [0076.666] GetTickCount () returned 0x1153814 [0076.666] GetTickCount () returned 0x1153814 [0076.667] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.667] GetProcessHeap () returned 0x3a00000 [0076.667] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.667] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.668] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.668] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.668] GetProcessHeap () returned 0x3a00000 [0076.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.669] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.669] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.669] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.669] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.669] CloseHandle (hObject=0x440) returned 1 [0076.669] GetProcessHeap () returned 0x3a00000 [0076.669] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.669] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0076.669] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\70__connections_cellular_china unicom (china)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\70__Connections_Cellular_China Unicom (China)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\70__connections_cellular_china unicom (china)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.670] GetProcessHeap () returned 0x3a00000 [0076.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.670] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91915157, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91915157, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91915157, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x309, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", cAlternateFileName="710__C~1.PRO")) returned 1 [0076.670] lstrcmpiW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.670] lstrcmpiW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.670] lstrcmpiW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.670] lstrcmpiW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.670] lstrcmpiW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.670] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml") returned 171 [0076.670] StrStrIW (lpFirst="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.670] lstrcmpW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.670] lstrcmpW (lpString1="710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.670] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\710__connections_cellular_transatel (datamarketplace)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.671] GetTickCount () returned 0x1153823 [0076.671] GetTickCount () returned 0x1153823 [0076.671] GetTickCount () returned 0x1153823 [0076.671] GetTickCount () returned 0x1153823 [0076.671] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.671] GetProcessHeap () returned 0x3a00000 [0076.671] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.671] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0076.672] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcf7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.672] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x309, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x309, lpOverlapped=0x0) returned 1 [0076.672] GetProcessHeap () returned 0x3a00000 [0076.672] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.672] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.673] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.673] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.673] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.673] CloseHandle (hObject=0x440) returned 1 [0076.673] GetProcessHeap () returned 0x3a00000 [0076.673] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.673] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.673] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\710__connections_cellular_transatel (datamarketplace)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\710__Connections_Cellular_Transatel (DataMarketplace)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\710__connections_cellular_transatel (datamarketplace)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.674] GetProcessHeap () returned 0x3a00000 [0076.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.674] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91915157, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91915157, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91915157, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", cAlternateFileName="711__D~1.PRO")) returned 1 [0076.674] lstrcmpiW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Windows") returned -1 [0076.674] lstrcmpiW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="$Recycle.bin") returned 1 [0076.674] lstrcmpiW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="System Volume Information") returned -1 [0076.674] lstrcmpiW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Program Files") returned -1 [0076.674] lstrcmpiW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Program Files (x86)") returned -1 [0076.674] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml") returned 180 [0076.674] StrStrIW (lpFirst="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpSrch=".ebal") returned 0x0 [0076.674] lstrcmpW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.674] lstrcmpW (lpString1="711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="taridd") returned -1 [0076.674] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\711__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.675] GetTickCount () returned 0x1153823 [0076.675] GetTickCount () returned 0x1153823 [0076.675] GetTickCount () returned 0x1153823 [0076.675] GetTickCount () returned 0x1153823 [0076.675] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.675] GetProcessHeap () returned 0x3a00000 [0076.675] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.675] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.676] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.676] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.677] GetProcessHeap () returned 0x3a00000 [0076.677] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.677] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.677] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.677] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.677] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.677] CloseHandle (hObject=0x440) returned 1 [0076.677] GetProcessHeap () returned 0x3a00000 [0076.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.677] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml_r00t_{8ew5f6}.ebal") returned 199 [0076.677] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\711__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\711__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\711__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.678] GetProcessHeap () returned 0x3a00000 [0076.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.678] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91915157, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91915157, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91915157, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", cAlternateFileName="712__D~1.PRO")) returned 1 [0076.680] lstrcmpiW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Windows") returned -1 [0076.680] lstrcmpiW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="$Recycle.bin") returned 1 [0076.680] lstrcmpiW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="System Volume Information") returned -1 [0076.680] lstrcmpiW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Program Files") returned -1 [0076.680] lstrcmpiW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Program Files (x86)") returned -1 [0076.680] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml") returned 171 [0076.680] StrStrIW (lpFirst="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpSrch=".ebal") returned 0x0 [0076.680] lstrcmpW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.680] lstrcmpW (lpString1="712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="taridd") returned -1 [0076.680] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.680] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\712__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.681] GetTickCount () returned 0x1153823 [0076.681] GetTickCount () returned 0x1153823 [0076.681] GetTickCount () returned 0x1153823 [0076.681] GetTickCount () returned 0x1153823 [0076.681] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.681] GetProcessHeap () returned 0x3a00000 [0076.681] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.681] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1bf, lpOverlapped=0x0) returned 1 [0076.682] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.682] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1bf, lpOverlapped=0x0) returned 1 [0076.682] GetProcessHeap () returned 0x3a00000 [0076.682] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.682] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.682] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.683] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.683] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.683] CloseHandle (hObject=0x440) returned 1 [0076.683] GetProcessHeap () returned 0x3a00000 [0076.683] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.683] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\712__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\712__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\712__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.684] GetProcessHeap () returned 0x3a00000 [0076.684] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.684] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91915157, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91915157, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91915157, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", cAlternateFileName="713__C~1.PRO")) returned 1 [0076.684] lstrcmpiW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.684] lstrcmpiW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.684] lstrcmpiW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.684] lstrcmpiW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.685] lstrcmpiW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.685] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml") returned 164 [0076.685] StrStrIW (lpFirst="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.685] lstrcmpW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.685] lstrcmpW (lpString1="713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.685] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.685] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\713__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.686] GetTickCount () returned 0x1153833 [0076.686] GetTickCount () returned 0x1153833 [0076.686] GetTickCount () returned 0x1153833 [0076.686] GetTickCount () returned 0x1153833 [0076.686] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.686] GetProcessHeap () returned 0x3a00000 [0076.686] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.686] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0076.696] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd43, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.696] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2bd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2bd, lpOverlapped=0x0) returned 1 [0076.697] GetProcessHeap () returned 0x3a00000 [0076.697] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.697] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.697] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.697] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.697] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.697] CloseHandle (hObject=0x440) returned 1 [0076.697] GetProcessHeap () returned 0x3a00000 [0076.697] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.697] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.697] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\713__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\713__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\713__connections_cellular_cmhk (hong kong sar)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.698] GetProcessHeap () returned 0x3a00000 [0076.698] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.698] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9193b3c3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9193b3c3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9193b3c3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x399, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="714__C~1.PRO")) returned 1 [0076.698] lstrcmpiW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.698] lstrcmpiW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.698] lstrcmpiW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.698] lstrcmpiW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.698] lstrcmpiW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml") returned 160 [0076.698] StrStrIW (lpFirst="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.698] lstrcmpW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.698] lstrcmpW (lpString1="714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.698] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.698] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\714__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.699] GetTickCount () returned 0x1153833 [0076.699] GetTickCount () returned 0x1153833 [0076.699] GetTickCount () returned 0x1153833 [0076.699] GetTickCount () returned 0x1153833 [0076.699] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.699] GetProcessHeap () returned 0x3a00000 [0076.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.699] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x399, lpOverlapped=0x0) returned 1 [0076.701] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc67, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.701] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x399, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x399, lpOverlapped=0x0) returned 1 [0076.701] GetProcessHeap () returned 0x3a00000 [0076.701] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.701] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.701] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.701] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.701] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.701] CloseHandle (hObject=0x440) returned 1 [0076.701] GetProcessHeap () returned 0x3a00000 [0076.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.701] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.701] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\714__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\714__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\714__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.702] GetProcessHeap () returned 0x3a00000 [0076.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.702] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9193b3c3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9193b3c3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9193b3c3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="715__C~1.PRO")) returned 1 [0076.702] lstrcmpiW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.702] lstrcmpiW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.702] lstrcmpiW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.702] lstrcmpiW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.702] lstrcmpiW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 147 [0076.702] StrStrIW (lpFirst="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.702] lstrcmpW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.702] lstrcmpW (lpString1="715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.702] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\715__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.703] GetTickCount () returned 0x1153843 [0076.703] GetTickCount () returned 0x1153843 [0076.703] GetTickCount () returned 0x1153843 [0076.703] GetTickCount () returned 0x1153843 [0076.703] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.703] GetProcessHeap () returned 0x3a00000 [0076.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.703] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c9, lpOverlapped=0x0) returned 1 [0076.704] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.704] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c9, lpOverlapped=0x0) returned 1 [0076.705] GetProcessHeap () returned 0x3a00000 [0076.705] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.705] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.705] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.705] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.705] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.705] CloseHandle (hObject=0x440) returned 1 [0076.706] GetProcessHeap () returned 0x3a00000 [0076.706] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.706] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 166 [0076.706] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\715__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\715__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\715__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.706] GetProcessHeap () returned 0x3a00000 [0076.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.706] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9193b3c3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9193b3c3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9193b3c3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", cAlternateFileName="716__C~1.PRO")) returned 1 [0076.706] lstrcmpiW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.706] lstrcmpiW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.706] lstrcmpiW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.706] lstrcmpiW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.706] lstrcmpiW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.706] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml") returned 160 [0076.707] StrStrIW (lpFirst="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.707] lstrcmpW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.707] lstrcmpW (lpString1="716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.707] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.707] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\716__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.707] GetTickCount () returned 0x1153843 [0076.707] GetTickCount () returned 0x1153843 [0076.707] GetTickCount () returned 0x1153843 [0076.707] GetTickCount () returned 0x1153843 [0076.707] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.707] GetProcessHeap () returned 0x3a00000 [0076.707] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.707] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x387, lpOverlapped=0x0) returned 1 [0076.709] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffc79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.709] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x387, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x387, lpOverlapped=0x0) returned 1 [0076.709] GetProcessHeap () returned 0x3a00000 [0076.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.709] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.709] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.709] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.709] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.709] CloseHandle (hObject=0x440) returned 1 [0076.709] GetProcessHeap () returned 0x3a00000 [0076.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.709] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\716__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\716__Connections_Cellular_SoftBank (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\716__connections_cellular_softbank (japan)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.710] GetProcessHeap () returned 0x3a00000 [0076.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.710] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9193b3c3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9193b3c3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9193b3c3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", cAlternateFileName="717__C~1.PRO")) returned 1 [0076.710] lstrcmpiW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.710] lstrcmpiW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.710] lstrcmpiW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.710] lstrcmpiW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.710] lstrcmpiW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.710] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml") returned 188 [0076.710] StrStrIW (lpFirst="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.710] lstrcmpW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.710] lstrcmpW (lpString1="717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.710] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.710] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\717__connections_cellular_northern michigan university (united states)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.711] GetTickCount () returned 0x1153843 [0076.711] GetTickCount () returned 0x1153843 [0076.711] GetTickCount () returned 0x1153843 [0076.711] GetTickCount () returned 0x1153843 [0076.711] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.711] GetProcessHeap () returned 0x3a00000 [0076.711] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.711] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.713] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.713] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d6, lpOverlapped=0x0) returned 1 [0076.713] GetProcessHeap () returned 0x3a00000 [0076.713] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.713] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.713] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.713] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.713] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.713] CloseHandle (hObject=0x440) returned 1 [0076.713] GetProcessHeap () returned 0x3a00000 [0076.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 207 [0076.714] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\717__connections_cellular_northern michigan university (united states)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\717__Connections_Cellular_Northern Michigan University (United States)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\717__connections_cellular_northern michigan university (united states)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.714] GetProcessHeap () returned 0x3a00000 [0076.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.714] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9193b3c3, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9193b3c3, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9193b3c3, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="718__C~1.PRO")) returned 1 [0076.714] lstrcmpiW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.714] lstrcmpiW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.714] lstrcmpiW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.714] lstrcmpiW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.715] lstrcmpiW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.715] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.715] StrStrIW (lpFirst="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.715] lstrcmpW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.715] lstrcmpW (lpString1="718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.715] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.715] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\718__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.715] GetTickCount () returned 0x1153843 [0076.715] GetTickCount () returned 0x1153843 [0076.715] GetTickCount () returned 0x1153843 [0076.715] GetTickCount () returned 0x1153843 [0076.715] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.715] GetProcessHeap () returned 0x3a00000 [0076.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.715] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1ca, lpOverlapped=0x0) returned 1 [0076.717] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1ca, lpOverlapped=0x0) returned 1 [0076.718] GetProcessHeap () returned 0x3a00000 [0076.718] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.718] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.718] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.719] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.719] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.719] CloseHandle (hObject=0x440) returned 1 [0076.719] GetProcessHeap () returned 0x3a00000 [0076.719] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.719] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.719] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\718__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\718__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\718__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.720] GetProcessHeap () returned 0x3a00000 [0076.720] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.720] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91961627, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91961627, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91961627, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", cAlternateFileName="719__C~1.PRO")) returned 1 [0076.720] lstrcmpiW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.720] lstrcmpiW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.720] lstrcmpiW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.720] lstrcmpiW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.720] lstrcmpiW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.720] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml") returned 160 [0076.720] StrStrIW (lpFirst="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.720] lstrcmpW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.720] lstrcmpW (lpString1="719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.720] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.720] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\719__connections_cellular_sasktel (canada)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] GetTickCount () returned 0x1153852 [0076.721] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.721] GetProcessHeap () returned 0x3a00000 [0076.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.721] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.722] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.722] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c5, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c5, lpOverlapped=0x0) returned 1 [0076.722] GetProcessHeap () returned 0x3a00000 [0076.722] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.722] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.723] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.723] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.723] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.723] CloseHandle (hObject=0x440) returned 1 [0076.723] GetProcessHeap () returned 0x3a00000 [0076.723] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.723] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0076.723] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\719__connections_cellular_sasktel (canada)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\719__Connections_Cellular_SaskTel (Canada)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\719__connections_cellular_sasktel (canada)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.724] GetProcessHeap () returned 0x3a00000 [0076.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.724] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90353002, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90353002, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90353002, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="71__CE~1.PRO")) returned 1 [0076.724] lstrcmpiW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.724] lstrcmpiW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.724] lstrcmpiW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.724] lstrcmpiW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.724] lstrcmpiW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.724] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0076.724] StrStrIW (lpFirst="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.724] lstrcmpW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.724] lstrcmpW (lpString1="71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.724] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.724] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\71__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.725] GetTickCount () returned 0x1153852 [0076.725] GetTickCount () returned 0x1153852 [0076.725] GetTickCount () returned 0x1153852 [0076.725] GetTickCount () returned 0x1153852 [0076.725] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.725] GetProcessHeap () returned 0x3a00000 [0076.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.725] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.726] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.726] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.726] GetProcessHeap () returned 0x3a00000 [0076.726] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.726] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.726] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.727] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.727] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.727] CloseHandle (hObject=0x440) returned 1 [0076.727] GetProcessHeap () returned 0x3a00000 [0076.727] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 180 [0076.727] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\71__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\71__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\71__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.728] GetProcessHeap () returned 0x3a00000 [0076.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.728] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91961627, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91961627, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91961627, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x300, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", cAlternateFileName="720__C~1.PRO")) returned 1 [0076.728] lstrcmpiW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.728] lstrcmpiW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.728] lstrcmpiW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.728] lstrcmpiW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.728] lstrcmpiW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.728] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml") returned 168 [0076.728] StrStrIW (lpFirst="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.728] lstrcmpW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.728] lstrcmpW (lpString1="720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.728] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.728] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\720__connections_cellular_gigsky (datamarketplace)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.729] GetTickCount () returned 0x1153852 [0076.729] GetTickCount () returned 0x1153852 [0076.729] GetTickCount () returned 0x1153852 [0076.729] GetTickCount () returned 0x1153852 [0076.729] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.729] GetProcessHeap () returned 0x3a00000 [0076.729] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.729] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.730] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.730] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.731] GetProcessHeap () returned 0x3a00000 [0076.731] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.731] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.731] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.732] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.732] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.732] CloseHandle (hObject=0x440) returned 1 [0076.732] GetProcessHeap () returned 0x3a00000 [0076.732] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0076.732] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\720__connections_cellular_gigsky (datamarketplace)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\720__Connections_Cellular_GigSky (DataMarketplace)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\720__connections_cellular_gigsky (datamarketplace)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.733] GetProcessHeap () returned 0x3a00000 [0076.733] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.733] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91961627, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91961627, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91961627, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="721__C~1.PRO")) returned 1 [0076.733] lstrcmpiW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.733] lstrcmpiW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.733] lstrcmpiW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.733] lstrcmpiW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.733] lstrcmpiW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.733] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 162 [0076.733] StrStrIW (lpFirst="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.733] lstrcmpW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.733] lstrcmpW (lpString1="721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.733] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.733] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\721__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.733] GetTickCount () returned 0x1153862 [0076.734] GetTickCount () returned 0x1153862 [0076.734] GetTickCount () returned 0x1153862 [0076.734] GetTickCount () returned 0x1153862 [0076.734] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.734] GetProcessHeap () returned 0x3a00000 [0076.734] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.734] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0076.737] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe2d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.737] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d3, lpOverlapped=0x0) returned 1 [0076.737] GetProcessHeap () returned 0x3a00000 [0076.737] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.737] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.737] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.738] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.738] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.738] CloseHandle (hObject=0x440) returned 1 [0076.738] GetProcessHeap () returned 0x3a00000 [0076.738] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.738] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\721__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\721__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\721__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.739] GetProcessHeap () returned 0x3a00000 [0076.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.739] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91961627, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91961627, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91961627, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", cAlternateFileName="722__D~1.PRO")) returned 1 [0076.739] lstrcmpiW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Windows") returned -1 [0076.739] lstrcmpiW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="$Recycle.bin") returned 1 [0076.739] lstrcmpiW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="System Volume Information") returned -1 [0076.739] lstrcmpiW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Program Files") returned -1 [0076.739] lstrcmpiW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="Program Files (x86)") returned -1 [0076.739] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml") returned 180 [0076.739] StrStrIW (lpFirst="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpSrch=".ebal") returned 0x0 [0076.739] lstrcmpW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.739] lstrcmpW (lpString1="722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml", lpString2="taridd") returned -1 [0076.739] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.739] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\722__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.739] GetTickCount () returned 0x1153862 [0076.739] GetTickCount () returned 0x1153862 [0076.739] GetTickCount () returned 0x1153862 [0076.739] GetTickCount () returned 0x1153862 [0076.740] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.740] GetProcessHeap () returned 0x3a00000 [0076.740] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.740] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.741] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.741] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c8, lpOverlapped=0x0) returned 1 [0076.741] GetProcessHeap () returned 0x3a00000 [0076.741] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.741] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.741] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.741] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.741] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.742] CloseHandle (hObject=0x440) returned 1 [0076.742] GetProcessHeap () returned 0x3a00000 [0076.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml_r00t_{8ew5f6}.ebal") returned 199 [0076.742] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\722__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\722__DataMarketplace_PerSimSettings_$(__ICCID)_DataMarketplaceRoamingUIEnabled.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\722__datamarketplace_persimsettings_$(__iccid)_datamarketplaceroaminguienabled.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.742] GetProcessHeap () returned 0x3a00000 [0076.742] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.742] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91961627, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x91961627, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x91961627, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", cAlternateFileName="723__D~1.PRO")) returned 1 [0076.743] lstrcmpiW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Windows") returned -1 [0076.743] lstrcmpiW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="$Recycle.bin") returned 1 [0076.743] lstrcmpiW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="System Volume Information") returned -1 [0076.743] lstrcmpiW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Program Files") returned -1 [0076.743] lstrcmpiW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="Program Files (x86)") returned -1 [0076.743] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml") returned 171 [0076.743] StrStrIW (lpFirst="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpSrch=".ebal") returned 0x0 [0076.743] lstrcmpW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.743] lstrcmpW (lpString1="723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml", lpString2="taridd") returned -1 [0076.743] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.743] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\723__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.743] GetTickCount () returned 0x1153862 [0076.743] GetTickCount () returned 0x1153862 [0076.743] GetTickCount () returned 0x1153862 [0076.743] GetTickCount () returned 0x1153862 [0076.743] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.743] GetProcessHeap () returned 0x3a00000 [0076.743] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.743] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1bf, lpOverlapped=0x0) returned 1 [0076.745] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe41, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.745] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1bf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1bf, lpOverlapped=0x0) returned 1 [0076.745] GetProcessHeap () returned 0x3a00000 [0076.745] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.745] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.745] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.748] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.748] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.748] CloseHandle (hObject=0x440) returned 1 [0076.748] GetProcessHeap () returned 0x3a00000 [0076.748] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.748] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\723__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\723__DataMarketplace_PerSimSettings_$(__ICCID)_SupportDataMarketplace.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\723__datamarketplace_persimsettings_$(__iccid)_supportdatamarketplace.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.749] GetProcessHeap () returned 0x3a00000 [0076.749] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.749] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90353002, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90353002, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90353002, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x316, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="72__CO~1.PRO")) returned 1 [0076.749] lstrcmpiW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.749] lstrcmpiW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.749] lstrcmpiW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.749] lstrcmpiW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.749] lstrcmpiW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml") returned 159 [0076.749] StrStrIW (lpFirst="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.749] lstrcmpW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.749] lstrcmpW (lpString1="72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.749] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.750] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\72__connections_cellular_claro (colombia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.752] GetTickCount () returned 0x1153871 [0076.753] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.753] GetProcessHeap () returned 0x3a00000 [0076.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.753] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x316, lpOverlapped=0x0) returned 1 [0076.757] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffcea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.757] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x316, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x316, lpOverlapped=0x0) returned 1 [0076.757] GetProcessHeap () returned 0x3a00000 [0076.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.757] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.757] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.757] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.757] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.757] CloseHandle (hObject=0x440) returned 1 [0076.758] GetProcessHeap () returned 0x3a00000 [0076.758] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.758] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\72__connections_cellular_claro (colombia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\72__Connections_Cellular_Claro (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\72__connections_cellular_claro (colombia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.758] GetProcessHeap () returned 0x3a00000 [0076.759] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.759] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90353002, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90353002, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90353002, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="73__CO~1.PRO")) returned 1 [0076.759] lstrcmpiW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.759] lstrcmpiW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.759] lstrcmpiW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.759] lstrcmpiW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.759] lstrcmpiW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.759] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml") returned 164 [0076.759] StrStrIW (lpFirst="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.759] lstrcmpW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.759] lstrcmpW (lpString1="73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.759] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\73__connections_cellular_telefonica (colombia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.759] GetTickCount () returned 0x1153871 [0076.759] GetTickCount () returned 0x1153871 [0076.759] GetTickCount () returned 0x1153871 [0076.759] GetTickCount () returned 0x1153871 [0076.760] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.760] GetProcessHeap () returned 0x3a00000 [0076.760] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.760] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0076.765] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd26, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.765] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2da, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2da, lpOverlapped=0x0) returned 1 [0076.765] GetProcessHeap () returned 0x3a00000 [0076.765] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.765] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.765] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.766] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.766] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.766] CloseHandle (hObject=0x440) returned 1 [0076.766] GetProcessHeap () returned 0x3a00000 [0076.766] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.766] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.766] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\73__connections_cellular_telefonica (colombia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\73__Connections_Cellular_Telefonica (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\73__connections_cellular_telefonica (colombia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.767] GetProcessHeap () returned 0x3a00000 [0076.767] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.767] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90353002, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90353002, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90353002, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="74__CE~1.PRO")) returned 1 [0076.767] lstrcmpiW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.767] lstrcmpiW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.767] lstrcmpiW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.767] lstrcmpiW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.767] lstrcmpiW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.767] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0076.767] StrStrIW (lpFirst="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.767] lstrcmpW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.767] lstrcmpW (lpString1="74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.767] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.767] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\74__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.768] GetTickCount () returned 0x1153881 [0076.768] GetTickCount () returned 0x1153881 [0076.768] GetTickCount () returned 0x1153881 [0076.768] GetTickCount () returned 0x1153881 [0076.768] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.768] GetProcessHeap () returned 0x3a00000 [0076.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.768] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e2, lpOverlapped=0x0) returned 1 [0076.769] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe1e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.769] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e2, lpOverlapped=0x0) returned 1 [0076.769] GetProcessHeap () returned 0x3a00000 [0076.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.769] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.769] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.770] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.770] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.770] CloseHandle (hObject=0x440) returned 1 [0076.770] GetProcessHeap () returned 0x3a00000 [0076.770] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.770] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0076.770] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\74__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\74__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\74__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.771] GetProcessHeap () returned 0x3a00000 [0076.771] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.771] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9037926e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9037926e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9037926e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x291, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="75__CO~1.PRO")) returned 1 [0076.771] lstrcmpiW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.771] lstrcmpiW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.771] lstrcmpiW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.771] lstrcmpiW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.771] lstrcmpiW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.771] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml") returned 158 [0076.771] StrStrIW (lpFirst="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.771] lstrcmpW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.772] lstrcmpW (lpString1="75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.772] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.772] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\75__connections_cellular_tigo (colombia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.772] GetTickCount () returned 0x1153881 [0076.772] GetTickCount () returned 0x1153881 [0076.772] GetTickCount () returned 0x1153881 [0076.772] GetTickCount () returned 0x1153881 [0076.772] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.772] GetProcessHeap () returned 0x3a00000 [0076.772] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.772] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0076.774] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd6f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.774] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x291, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x291, lpOverlapped=0x0) returned 1 [0076.774] GetProcessHeap () returned 0x3a00000 [0076.774] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.774] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.774] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.774] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.774] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.774] CloseHandle (hObject=0x440) returned 1 [0076.774] GetProcessHeap () returned 0x3a00000 [0076.774] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.774] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.774] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\75__connections_cellular_tigo (colombia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\75__Connections_Cellular_TIGO (Colombia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\75__connections_cellular_tigo (colombia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.775] GetProcessHeap () returned 0x3a00000 [0076.775] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.775] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9037926e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9037926e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9037926e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", cAlternateFileName="76__CO~1.PRO")) returned 1 [0076.777] lstrcmpiW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.777] lstrcmpiW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.777] lstrcmpiW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.777] lstrcmpiW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.777] lstrcmpiW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.777] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml") returned 170 [0076.777] StrStrIW (lpFirst="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.777] lstrcmpW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.778] lstrcmpW (lpString1="76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.778] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.778] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\76__connections_cellular_vodacom congo (congo (drc))_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.779] GetTickCount () returned 0x1153891 [0076.779] GetTickCount () returned 0x1153891 [0076.779] GetTickCount () returned 0x1153891 [0076.779] GetTickCount () returned 0x1153891 [0076.779] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.779] GetProcessHeap () returned 0x3a00000 [0076.779] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.779] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.780] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.780] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.780] GetProcessHeap () returned 0x3a00000 [0076.780] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.780] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.780] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.781] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.781] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.781] CloseHandle (hObject=0x440) returned 1 [0076.781] GetProcessHeap () returned 0x3a00000 [0076.781] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.781] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0076.781] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\76__connections_cellular_vodacom congo (congo (drc))_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\76__Connections_Cellular_Vodacom Congo (Congo (DRC))_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\76__connections_cellular_vodacom congo (congo (drc))_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.782] GetProcessHeap () returned 0x3a00000 [0076.782] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.782] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9037926e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9037926e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9037926e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", cAlternateFileName="77__CO~1.PRO")) returned 1 [0076.782] lstrcmpiW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.782] lstrcmpiW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.782] lstrcmpiW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.782] lstrcmpiW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.782] lstrcmpiW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.782] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml") returned 167 [0076.782] StrStrIW (lpFirst="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.782] lstrcmpW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.782] lstrcmpW (lpString1="77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.782] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.782] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\77__connections_cellular_ice celular (costa rica)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.783] GetTickCount () returned 0x1153891 [0076.783] GetTickCount () returned 0x1153891 [0076.783] GetTickCount () returned 0x1153891 [0076.783] GetTickCount () returned 0x1153891 [0076.783] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.783] GetProcessHeap () returned 0x3a00000 [0076.783] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.783] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28c, lpOverlapped=0x0) returned 1 [0076.793] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd74, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.793] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28c, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28c, lpOverlapped=0x0) returned 1 [0076.793] GetProcessHeap () returned 0x3a00000 [0076.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.793] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.793] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.793] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.793] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.794] CloseHandle (hObject=0x440) returned 1 [0076.794] GetProcessHeap () returned 0x3a00000 [0076.794] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.794] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0076.794] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\77__connections_cellular_ice celular (costa rica)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\77__Connections_Cellular_Ice Celular (Costa Rica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\77__connections_cellular_ice celular (costa rica)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.795] GetProcessHeap () returned 0x3a00000 [0076.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.795] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9037926e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9037926e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9037926e, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x290, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="78__CO~1.PRO")) returned 1 [0076.795] lstrcmpiW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.795] lstrcmpiW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.795] lstrcmpiW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.795] lstrcmpiW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.795] lstrcmpiW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.795] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml") returned 158 [0076.795] StrStrIW (lpFirst="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.795] lstrcmpW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.795] lstrcmpW (lpString1="78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.795] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.795] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\78__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.796] GetTickCount () returned 0x11538a0 [0076.796] GetTickCount () returned 0x11538a0 [0076.796] GetTickCount () returned 0x11538a0 [0076.796] GetTickCount () returned 0x11538a0 [0076.796] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.796] GetProcessHeap () returned 0x3a00000 [0076.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.796] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0076.798] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd70, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.798] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x290, lpOverlapped=0x0) returned 1 [0076.798] GetProcessHeap () returned 0x3a00000 [0076.798] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.798] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.798] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.798] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.798] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.798] CloseHandle (hObject=0x440) returned 1 [0076.798] GetProcessHeap () returned 0x3a00000 [0076.798] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.799] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\78__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\78__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\78__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.799] GetProcessHeap () returned 0x3a00000 [0076.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.799] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9039f4d9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9039f4d9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9039f4d9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x286, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="79__CO~1.PRO")) returned 1 [0076.799] lstrcmpiW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.799] lstrcmpiW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.799] lstrcmpiW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.799] lstrcmpiW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.799] lstrcmpiW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.800] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml") returned 158 [0076.800] StrStrIW (lpFirst="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.800] lstrcmpW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.800] lstrcmpW (lpString1="79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.800] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\79__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.801] GetTickCount () returned 0x11538a0 [0076.801] GetTickCount () returned 0x11538a0 [0076.801] GetTickCount () returned 0x11538a0 [0076.801] GetTickCount () returned 0x11538a0 [0076.801] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.801] GetProcessHeap () returned 0x3a00000 [0076.801] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.801] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0076.802] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd7a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.802] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x286, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x286, lpOverlapped=0x0) returned 1 [0076.802] GetProcessHeap () returned 0x3a00000 [0076.802] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.802] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.802] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.803] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.803] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.803] CloseHandle (hObject=0x440) returned 1 [0076.803] GetProcessHeap () returned 0x3a00000 [0076.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.803] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 177 [0076.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\79__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\79__Connections_Cellular_Tele2 (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\79__connections_cellular_tele2 (croatia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.804] GetProcessHeap () returned 0x3a00000 [0076.804] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.804] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900f0949, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900f0949, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x900f0949, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="7__CON~1.PRO")) returned 1 [0076.804] lstrcmpiW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.804] lstrcmpiW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.804] lstrcmpiW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.804] lstrcmpiW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.804] lstrcmpiW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.804] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml") returned 167 [0076.804] StrStrIW (lpFirst="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.804] lstrcmpW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.804] lstrcmpW (lpString1="7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.804] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\7__connections_cellular_hutchison - 3 (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.804] GetTickCount () returned 0x11538a0 [0076.804] GetTickCount () returned 0x11538a0 [0076.804] GetTickCount () returned 0x11538a0 [0076.805] GetTickCount () returned 0x11538a0 [0076.805] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.805] GetProcessHeap () returned 0x3a00000 [0076.805] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.805] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0076.806] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd29, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.806] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d7, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d7, lpOverlapped=0x0) returned 1 [0076.806] GetProcessHeap () returned 0x3a00000 [0076.806] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.806] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.807] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.807] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.807] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.807] CloseHandle (hObject=0x440) returned 1 [0076.807] GetProcessHeap () returned 0x3a00000 [0076.807] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.807] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0076.807] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\7__connections_cellular_hutchison - 3 (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\7__Connections_Cellular_Hutchison - 3 (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\7__connections_cellular_hutchison - 3 (australia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.808] GetProcessHeap () returned 0x3a00000 [0076.808] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.808] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9039f4d9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9039f4d9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9039f4d9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="80__CO~1.PRO")) returned 1 [0076.808] lstrcmpiW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.808] lstrcmpiW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.808] lstrcmpiW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.808] lstrcmpiW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.808] lstrcmpiW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.808] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml") returned 169 [0076.808] StrStrIW (lpFirst="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.808] lstrcmpW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.808] lstrcmpW (lpString1="80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.808] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.808] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\80__connections_cellular_hrvatski telekom (croatia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.809] GetTickCount () returned 0x11538a0 [0076.809] GetTickCount () returned 0x11538a0 [0076.809] GetTickCount () returned 0x11538a0 [0076.809] GetTickCount () returned 0x11538a0 [0076.809] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.809] GetProcessHeap () returned 0x3a00000 [0076.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.809] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.810] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd2f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.810] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d1, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d1, lpOverlapped=0x0) returned 1 [0076.810] GetProcessHeap () returned 0x3a00000 [0076.810] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.811] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.811] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.811] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.811] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.811] CloseHandle (hObject=0x440) returned 1 [0076.811] GetProcessHeap () returned 0x3a00000 [0076.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.811] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0076.811] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\80__connections_cellular_hrvatski telekom (croatia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\80__Connections_Cellular_Hrvatski Telekom (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\80__connections_cellular_hrvatski telekom (croatia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.812] GetProcessHeap () returned 0x3a00000 [0076.812] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.812] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9039f4d9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9039f4d9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9039f4d9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="81__CO~1.PRO")) returned 1 [0076.812] lstrcmpiW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.812] lstrcmpiW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.812] lstrcmpiW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.812] lstrcmpiW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.812] lstrcmpiW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.812] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml") returned 159 [0076.812] StrStrIW (lpFirst="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.812] lstrcmpW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.812] lstrcmpW (lpString1="81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.812] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.812] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\81__connections_cellular_vipnet (croatia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.813] GetTickCount () returned 0x11538b0 [0076.813] GetTickCount () returned 0x11538b0 [0076.813] GetTickCount () returned 0x11538b0 [0076.813] GetTickCount () returned 0x11538b0 [0076.813] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.813] GetProcessHeap () returned 0x3a00000 [0076.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.813] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0076.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c2, lpOverlapped=0x0) returned 1 [0076.814] GetProcessHeap () returned 0x3a00000 [0076.814] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.814] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.814] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.814] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.815] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.815] CloseHandle (hObject=0x440) returned 1 [0076.815] GetProcessHeap () returned 0x3a00000 [0076.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.815] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\81__connections_cellular_vipnet (croatia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\81__Connections_Cellular_Vipnet (Croatia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\81__connections_cellular_vipnet (croatia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.815] GetProcessHeap () returned 0x3a00000 [0076.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.816] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9039f4d9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9039f4d9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9039f4d9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="82__CE~1.PRO")) returned 1 [0076.816] lstrcmpiW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.816] lstrcmpiW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.816] lstrcmpiW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.816] lstrcmpiW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.816] lstrcmpiW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.816] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0076.816] StrStrIW (lpFirst="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.816] lstrcmpW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.816] lstrcmpW (lpString1="82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.816] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.816] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\82__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.816] GetTickCount () returned 0x11538b0 [0076.816] GetTickCount () returned 0x11538b0 [0076.816] GetTickCount () returned 0x11538b0 [0076.816] GetTickCount () returned 0x11538b0 [0076.816] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.816] GetProcessHeap () returned 0x3a00000 [0076.816] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.816] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.817] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.817] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.818] GetProcessHeap () returned 0x3a00000 [0076.818] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.818] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.818] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.818] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.818] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.818] CloseHandle (hObject=0x440) returned 1 [0076.819] GetProcessHeap () returned 0x3a00000 [0076.819] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.819] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0076.819] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\82__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\82__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\82__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.820] GetProcessHeap () returned 0x3a00000 [0076.820] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.820] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9039f4d9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9039f4d9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x9039f4d9, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="83__CO~1.PRO")) returned 1 [0076.820] lstrcmpiW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.820] lstrcmpiW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.820] lstrcmpiW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.820] lstrcmpiW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.820] lstrcmpiW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.820] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml") returned 162 [0076.820] StrStrIW (lpFirst="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.820] lstrcmpW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.820] lstrcmpW (lpString1="83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.820] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.820] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\83__connections_cellular_areeba ltd (cyprus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.820] GetTickCount () returned 0x11538b0 [0076.820] GetTickCount () returned 0x11538b0 [0076.820] GetTickCount () returned 0x11538b0 [0076.820] GetTickCount () returned 0x11538b0 [0076.820] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.821] GetProcessHeap () returned 0x3a00000 [0076.821] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.821] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.822] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.822] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.822] GetProcessHeap () returned 0x3a00000 [0076.822] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.822] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.822] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.825] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.825] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.826] CloseHandle (hObject=0x440) returned 1 [0076.826] GetProcessHeap () returned 0x3a00000 [0076.826] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.826] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.826] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\83__connections_cellular_areeba ltd (cyprus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\83__Connections_Cellular_Areeba LTD (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\83__connections_cellular_areeba ltd (cyprus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.826] GetProcessHeap () returned 0x3a00000 [0076.826] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.826] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903c5745, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903c5745, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903c5745, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", cAlternateFileName="84__CO~1.PRO")) returned 1 [0076.827] lstrcmpiW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.827] lstrcmpiW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.827] lstrcmpiW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.827] lstrcmpiW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.827] lstrcmpiW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.827] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml") returned 171 [0076.827] StrStrIW (lpFirst="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.827] lstrcmpW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.827] lstrcmpW (lpString1="84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.827] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.827] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\84__connections_cellular_cytamobile-vodafone (cyprus)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.827] GetTickCount () returned 0x11538c0 [0076.827] GetTickCount () returned 0x11538c0 [0076.827] GetTickCount () returned 0x11538c0 [0076.827] GetTickCount () returned 0x11538c0 [0076.827] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.828] GetProcessHeap () returned 0x3a00000 [0076.828] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.828] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.830] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.830] GetProcessHeap () returned 0x3a00000 [0076.830] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.830] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.830] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.830] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.830] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.831] CloseHandle (hObject=0x440) returned 1 [0076.831] GetProcessHeap () returned 0x3a00000 [0076.831] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.831] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\84__connections_cellular_cytamobile-vodafone (cyprus)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\84__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\84__connections_cellular_cytamobile-vodafone (cyprus)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.831] GetProcessHeap () returned 0x3a00000 [0076.832] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.832] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903c5745, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903c5745, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903c5745, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", cAlternateFileName="85__CO~1.PRO")) returned 1 [0076.832] lstrcmpiW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.832] lstrcmpiW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.832] lstrcmpiW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.832] lstrcmpiW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.832] lstrcmpiW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.832] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml") returned 171 [0076.832] StrStrIW (lpFirst="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.832] lstrcmpW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.832] lstrcmpW (lpString1="85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.832] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.832] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\85__connections_cellular_cytamobile-vodafone (cyprus)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.832] GetTickCount () returned 0x11538c0 [0076.832] GetTickCount () returned 0x11538c0 [0076.832] GetTickCount () returned 0x11538c0 [0076.832] GetTickCount () returned 0x11538c0 [0076.832] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.833] GetProcessHeap () returned 0x3a00000 [0076.833] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.833] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.834] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.834] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.834] GetProcessHeap () returned 0x3a00000 [0076.834] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.834] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.834] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.834] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.834] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.834] CloseHandle (hObject=0x440) returned 1 [0076.835] GetProcessHeap () returned 0x3a00000 [0076.835] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.835] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.835] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\85__connections_cellular_cytamobile-vodafone (cyprus)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\85__Connections_Cellular_Cytamobile-Vodafone (Cyprus)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\85__connections_cellular_cytamobile-vodafone (cyprus)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.836] GetProcessHeap () returned 0x3a00000 [0076.836] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.836] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903c5745, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903c5745, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903c5745, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1e0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="86__CE~1.PRO")) returned 1 [0076.836] lstrcmpiW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.836] lstrcmpiW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.836] lstrcmpiW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.836] lstrcmpiW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.836] lstrcmpiW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.836] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0076.836] StrStrIW (lpFirst="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.836] lstrcmpW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.836] lstrcmpW (lpString1="86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.836] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.836] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\86__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.836] GetTickCount () returned 0x11538c0 [0076.836] GetTickCount () returned 0x11538c0 [0076.837] GetTickCount () returned 0x11538c0 [0076.837] GetTickCount () returned 0x11538c0 [0076.837] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.837] GetProcessHeap () returned 0x3a00000 [0076.837] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.837] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.838] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe20, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.838] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1e0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1e0, lpOverlapped=0x0) returned 1 [0076.838] GetProcessHeap () returned 0x3a00000 [0076.838] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.838] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.838] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.839] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.839] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.839] CloseHandle (hObject=0x440) returned 1 [0076.839] GetProcessHeap () returned 0x3a00000 [0076.839] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.839] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0076.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\86__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\86__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\86__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.840] GetProcessHeap () returned 0x3a00000 [0076.840] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.840] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903c5745, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903c5745, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903c5745, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="87__CO~1.PRO")) returned 1 [0076.840] lstrcmpiW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.840] lstrcmpiW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.840] lstrcmpiW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.840] lstrcmpiW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.840] lstrcmpiW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.840] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml") returned 162 [0076.840] StrStrIW (lpFirst="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.840] lstrcmpW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.840] lstrcmpW (lpString1="87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.840] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.840] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\87__connections_cellular_o2 (czech republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.840] GetTickCount () returned 0x11538c0 [0076.840] GetTickCount () returned 0x11538c0 [0076.840] GetTickCount () returned 0x11538c0 [0076.840] GetTickCount () returned 0x11538c0 [0076.840] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.841] GetProcessHeap () returned 0x3a00000 [0076.841] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.841] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.842] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd38, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.842] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c8, lpOverlapped=0x0) returned 1 [0076.842] GetProcessHeap () returned 0x3a00000 [0076.842] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.842] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.843] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.843] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.843] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.843] CloseHandle (hObject=0x440) returned 1 [0076.843] GetProcessHeap () returned 0x3a00000 [0076.843] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.843] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0076.843] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\87__connections_cellular_o2 (czech republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\87__Connections_Cellular_O2 (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\87__connections_cellular_o2 (czech republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.844] GetProcessHeap () returned 0x3a00000 [0076.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.844] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903eb9ac, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903eb9ac, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903eb9ac, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="88__CO~1.PRO")) returned 1 [0076.844] lstrcmpiW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.844] lstrcmpiW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.844] lstrcmpiW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.844] lstrcmpiW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.844] lstrcmpiW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.844] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml") returned 183 [0076.844] StrStrIW (lpFirst="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.844] lstrcmpW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.844] lstrcmpW (lpString1="88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.844] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.844] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\88__connections_cellular_t-mobile czech republic (czech republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.844] GetTickCount () returned 0x11538cf [0076.844] GetTickCount () returned 0x11538cf [0076.844] GetTickCount () returned 0x11538cf [0076.845] GetTickCount () returned 0x11538cf [0076.845] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.845] GetProcessHeap () returned 0x3a00000 [0076.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.845] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ee, lpOverlapped=0x0) returned 1 [0076.846] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.846] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ee, lpOverlapped=0x0) returned 1 [0076.846] GetProcessHeap () returned 0x3a00000 [0076.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.846] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.846] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.846] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.846] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.847] CloseHandle (hObject=0x440) returned 1 [0076.847] GetProcessHeap () returned 0x3a00000 [0076.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.847] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 202 [0076.847] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\88__connections_cellular_t-mobile czech republic (czech republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\88__Connections_Cellular_T-Mobile Czech Republic (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\88__connections_cellular_t-mobile czech republic (czech republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.848] GetProcessHeap () returned 0x3a00000 [0076.848] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.848] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903eb9ac, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903eb9ac, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903eb9ac, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", cAlternateFileName="89__CO~1.PRO")) returned 1 [0076.848] lstrcmpiW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.848] lstrcmpiW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.848] lstrcmpiW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.848] lstrcmpiW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.848] lstrcmpiW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.848] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml") returned 171 [0076.848] StrStrIW (lpFirst="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.848] lstrcmpW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.848] lstrcmpW (lpString1="89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.848] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.848] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\89__connections_cellular_vodafone cz (czech republic)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.848] GetTickCount () returned 0x11538cf [0076.848] GetTickCount () returned 0x11538cf [0076.848] GetTickCount () returned 0x11538cf [0076.848] GetTickCount () returned 0x11538cf [0076.848] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.849] GetProcessHeap () returned 0x3a00000 [0076.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.849] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.850] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd30, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.850] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2d0, lpOverlapped=0x0) returned 1 [0076.850] GetProcessHeap () returned 0x3a00000 [0076.850] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.850] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.850] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.850] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.850] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.850] CloseHandle (hObject=0x440) returned 1 [0076.851] GetProcessHeap () returned 0x3a00000 [0076.851] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.851] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0076.851] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\89__connections_cellular_vodafone cz (czech republic)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\89__Connections_Cellular_Vodafone CZ (Czech Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\89__connections_cellular_vodafone cz (czech republic)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.852] GetProcessHeap () returned 0x3a00000 [0076.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.852] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90116bb1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", cAlternateFileName="8__CON~1.PRO")) returned 1 [0076.852] lstrcmpiW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.852] lstrcmpiW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.852] lstrcmpiW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.852] lstrcmpiW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.852] lstrcmpiW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.852] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml") returned 167 [0076.852] StrStrIW (lpFirst="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.852] lstrcmpW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.852] lstrcmpW (lpString1="8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.852] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.852] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\8__connections_cellular_hutchison - 3 (australia)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.853] GetTickCount () returned 0x11538cf [0076.853] GetTickCount () returned 0x11538cf [0076.853] GetTickCount () returned 0x11538cf [0076.853] GetTickCount () returned 0x11538cf [0076.853] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.853] GetProcessHeap () returned 0x3a00000 [0076.853] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.853] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.854] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd31, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.854] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cf, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cf, lpOverlapped=0x0) returned 1 [0076.854] GetProcessHeap () returned 0x3a00000 [0076.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.855] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.855] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.855] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.855] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.855] CloseHandle (hObject=0x440) returned 1 [0076.855] GetProcessHeap () returned 0x3a00000 [0076.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.855] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0076.855] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\8__connections_cellular_hutchison - 3 (australia)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\8__Connections_Cellular_Hutchison - 3 (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\8__connections_cellular_hutchison - 3 (australia)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.856] GetProcessHeap () returned 0x3a00000 [0076.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.856] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903eb9ac, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903eb9ac, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x903eb9ac, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="90__CO~1.PRO")) returned 1 [0076.856] lstrcmpiW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.856] lstrcmpiW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.856] lstrcmpiW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.856] lstrcmpiW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.856] lstrcmpiW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.856] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml") returned 154 [0076.856] StrStrIW (lpFirst="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.856] lstrcmpW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.856] lstrcmpW (lpString1="90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.856] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.856] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\90__connections_cellular_3 (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.857] GetTickCount () returned 0x11538df [0076.857] GetTickCount () returned 0x11538df [0076.857] GetTickCount () returned 0x11538df [0076.857] GetTickCount () returned 0x11538df [0076.857] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.857] GetProcessHeap () returned 0x3a00000 [0076.857] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.857] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.858] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd33, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.858] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cd, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cd, lpOverlapped=0x0) returned 1 [0076.858] GetProcessHeap () returned 0x3a00000 [0076.858] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.858] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.858] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.859] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.859] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.859] CloseHandle (hObject=0x440) returned 1 [0076.859] GetProcessHeap () returned 0x3a00000 [0076.859] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.859] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0076.859] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\90__connections_cellular_3 (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\90__Connections_Cellular_3 (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\90__connections_cellular_3 (denmark)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.860] GetProcessHeap () returned 0x3a00000 [0076.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.860] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x903eb9ac, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x903eb9ac, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", cAlternateFileName="91__CO~1.PRO")) returned 1 [0076.860] lstrcmpiW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.860] lstrcmpiW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.860] lstrcmpiW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.860] lstrcmpiW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.860] lstrcmpiW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.860] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml") returned 154 [0076.860] StrStrIW (lpFirst="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.861] lstrcmpW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.861] lstrcmpW (lpString1="91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.861] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.861] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\91__connections_cellular_3 (denmark)_i1$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.861] GetTickCount () returned 0x11538df [0076.861] GetTickCount () returned 0x11538df [0076.861] GetTickCount () returned 0x11538df [0076.861] GetTickCount () returned 0x11538df [0076.861] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.861] GetProcessHeap () returned 0x3a00000 [0076.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.861] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0076.863] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3a, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.863] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c6, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c6, lpOverlapped=0x0) returned 1 [0076.863] GetProcessHeap () returned 0x3a00000 [0076.863] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.863] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.863] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.863] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.863] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.863] CloseHandle (hObject=0x440) returned 1 [0076.863] GetProcessHeap () returned 0x3a00000 [0076.864] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.864] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0076.864] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\91__connections_cellular_3 (denmark)_i1$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\91__Connections_Cellular_3 (Denmark)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\91__connections_cellular_3 (denmark)_i1$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.864] GetProcessHeap () returned 0x3a00000 [0076.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.864] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", cAlternateFileName="92__CO~1.PRO")) returned 1 [0076.864] lstrcmpiW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.864] lstrcmpiW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.864] lstrcmpiW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.865] lstrcmpiW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.865] lstrcmpiW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.865] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml") returned 154 [0076.865] StrStrIW (lpFirst="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.865] lstrcmpW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.865] lstrcmpW (lpString1="92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.865] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\92__connections_cellular_3 (denmark)_i2$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.865] GetTickCount () returned 0x11538df [0076.865] GetTickCount () returned 0x11538df [0076.865] GetTickCount () returned 0x11538df [0076.865] GetTickCount () returned 0x11538df [0076.865] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.865] GetProcessHeap () returned 0x3a00000 [0076.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.865] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.884] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.884] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2cc, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2cc, lpOverlapped=0x0) returned 1 [0076.884] GetProcessHeap () returned 0x3a00000 [0076.884] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.884] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.884] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.884] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.885] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.885] CloseHandle (hObject=0x440) returned 1 [0076.885] GetProcessHeap () returned 0x3a00000 [0076.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.885] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0076.885] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\92__connections_cellular_3 (denmark)_i2$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\92__Connections_Cellular_3 (Denmark)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\92__connections_cellular_3 (denmark)_i2$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.886] GetProcessHeap () returned 0x3a00000 [0076.886] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.886] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", cAlternateFileName="93__CO~1.PRO")) returned 1 [0076.886] lstrcmpiW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.886] lstrcmpiW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.886] lstrcmpiW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.886] lstrcmpiW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.886] lstrcmpiW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.886] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml") returned 154 [0076.886] StrStrIW (lpFirst="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.886] lstrcmpW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.886] lstrcmpW (lpString1="93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.887] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\93__connections_cellular_3 (denmark)_i3$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.887] GetTickCount () returned 0x11538ee [0076.887] GetTickCount () returned 0x11538ee [0076.887] GetTickCount () returned 0x11538ee [0076.887] GetTickCount () returned 0x11538ee [0076.887] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.888] GetProcessHeap () returned 0x3a00000 [0076.888] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.888] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0076.889] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd3c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.889] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c4, lpOverlapped=0x0) returned 1 [0076.890] GetProcessHeap () returned 0x3a00000 [0076.890] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.890] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.890] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.890] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.890] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.890] CloseHandle (hObject=0x440) returned 1 [0076.890] GetProcessHeap () returned 0x3a00000 [0076.890] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.890] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 173 [0076.890] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\93__connections_cellular_3 (denmark)_i3$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\93__Connections_Cellular_3 (Denmark)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\93__connections_cellular_3 (denmark)_i3$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.891] GetProcessHeap () returned 0x3a00000 [0076.891] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.891] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", cAlternateFileName="94__CE~1.PRO")) returned 1 [0076.891] lstrcmpiW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Windows") returned -1 [0076.891] lstrcmpiW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="$Recycle.bin") returned 1 [0076.891] lstrcmpiW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="System Volume Information") returned -1 [0076.891] lstrcmpiW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files") returned -1 [0076.892] lstrcmpiW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="Program Files (x86)") returned -1 [0076.892] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml") returned 161 [0076.892] StrStrIW (lpFirst="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpSrch=".ebal") returned 0x0 [0076.892] lstrcmpW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.892] lstrcmpW (lpString1="94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml", lpString2="taridd") returned -1 [0076.892] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.892] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\94__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.892] GetTickCount () returned 0x11538fe [0076.892] GetTickCount () returned 0x11538fe [0076.892] GetTickCount () returned 0x11538fe [0076.892] GetTickCount () returned 0x11538fe [0076.892] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.893] GetProcessHeap () returned 0x3a00000 [0076.893] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.893] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.894] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.894] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c3, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c3, lpOverlapped=0x0) returned 1 [0076.894] GetProcessHeap () returned 0x3a00000 [0076.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.894] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.894] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.895] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.895] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.895] CloseHandle (hObject=0x440) returned 1 [0076.895] GetProcessHeap () returned 0x3a00000 [0076.895] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.895] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 180 [0076.895] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\94__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\94__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\94__cellular_persimsettings_$(__iccid)_accountexperienceurl.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.896] GetProcessHeap () returned 0x3a00000 [0076.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.896] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="95__CE~1.PRO")) returned 1 [0076.896] lstrcmpiW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.896] lstrcmpiW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.896] lstrcmpiW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.896] lstrcmpiW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.896] lstrcmpiW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.896] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0076.896] StrStrIW (lpFirst="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.896] lstrcmpW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.896] lstrcmpW (lpString1="95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.896] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.896] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\95__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.897] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] GetTickCount () returned 0x11538fe [0076.897] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.898] GetProcessHeap () returned 0x3a00000 [0076.898] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.898] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1c2, lpOverlapped=0x0) returned 1 [0076.898] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe3e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.899] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1c2, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1c2, lpOverlapped=0x0) returned 1 [0076.899] GetProcessHeap () returned 0x3a00000 [0076.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.899] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.899] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.900] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.900] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.900] CloseHandle (hObject=0x440) returned 1 [0076.900] GetProcessHeap () returned 0x3a00000 [0076.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.900] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0076.900] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\95__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\95__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\95__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.901] GetProcessHeap () returned 0x3a00000 [0076.901] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.901] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x287, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="96__CO~1.PRO")) returned 1 [0076.901] lstrcmpiW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.901] lstrcmpiW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.901] lstrcmpiW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.901] lstrcmpiW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.901] lstrcmpiW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.901] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml") returned 159 [0076.901] StrStrIW (lpFirst="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.901] lstrcmpW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.901] lstrcmpW (lpString1="96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.901] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\96__connections_cellular_orange (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.901] GetTickCount () returned 0x11538fe [0076.902] GetTickCount () returned 0x11538fe [0076.902] GetTickCount () returned 0x11538fe [0076.902] GetTickCount () returned 0x11538fe [0076.902] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.902] GetProcessHeap () returned 0x3a00000 [0076.902] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.902] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0076.903] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd79, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.904] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x287, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x287, lpOverlapped=0x0) returned 1 [0076.904] GetProcessHeap () returned 0x3a00000 [0076.904] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.904] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.904] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.904] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.904] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.904] CloseHandle (hObject=0x440) returned 1 [0076.904] GetProcessHeap () returned 0x3a00000 [0076.904] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.904] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\96__connections_cellular_orange (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\96__Connections_Cellular_Orange (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\96__connections_cellular_orange (denmark)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.905] GetProcessHeap () returned 0x3a00000 [0076.905] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.905] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x1d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", cAlternateFileName="97__CE~1.PRO")) returned 1 [0076.905] lstrcmpiW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Windows") returned -1 [0076.905] lstrcmpiW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="$Recycle.bin") returned 1 [0076.905] lstrcmpiW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="System Volume Information") returned -1 [0076.905] lstrcmpiW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files") returned -1 [0076.905] lstrcmpiW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="Program Files (x86)") returned -1 [0076.905] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml") returned 146 [0076.905] StrStrIW (lpFirst="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpSrch=".ebal") returned 0x0 [0076.905] lstrcmpW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.905] lstrcmpW (lpString1="97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml", lpString2="taridd") returned -1 [0076.905] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\97__cellular_persimsettings_$(__iccid)_appid.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.906] GetTickCount () returned 0x115390e [0076.906] GetTickCount () returned 0x115390e [0076.906] GetTickCount () returned 0x115390e [0076.906] GetTickCount () returned 0x115390e [0076.906] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.907] GetProcessHeap () returned 0x3a00000 [0076.907] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.907] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.908] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffe28, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.908] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1d8, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1d8, lpOverlapped=0x0) returned 1 [0076.908] GetProcessHeap () returned 0x3a00000 [0076.908] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.908] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.908] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.908] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.909] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.909] CloseHandle (hObject=0x440) returned 1 [0076.909] GetProcessHeap () returned 0x3a00000 [0076.909] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.909] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 165 [0076.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\97__cellular_persimsettings_$(__iccid)_appid.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\97__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\97__cellular_persimsettings_$(__iccid)_appid.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.910] GetProcessHeap () returned 0x3a00000 [0076.910] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.910] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90411c14, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90411c14, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90411c14, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2c9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="98__CO~1.PRO")) returned 1 [0076.910] lstrcmpiW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.910] lstrcmpiW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.910] lstrcmpiW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.910] lstrcmpiW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.910] lstrcmpiW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.910] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml") returned 164 [0076.910] StrStrIW (lpFirst="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.910] lstrcmpW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.910] lstrcmpW (lpString1="98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.910] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.910] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\98__connections_cellular_tdc denmark (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.910] GetTickCount () returned 0x115390e [0076.910] GetTickCount () returned 0x115390e [0076.910] GetTickCount () returned 0x115390e [0076.910] GetTickCount () returned 0x115390e [0076.910] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.911] GetProcessHeap () returned 0x3a00000 [0076.911] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.911] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.912] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd37, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.912] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2c9, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2c9, lpOverlapped=0x0) returned 1 [0076.912] GetProcessHeap () returned 0x3a00000 [0076.912] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.912] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.912] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.913] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.913] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.913] CloseHandle (hObject=0x440) returned 1 [0076.913] GetProcessHeap () returned 0x3a00000 [0076.913] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.913] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0076.913] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\98__connections_cellular_tdc denmark (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\98__Connections_Cellular_TDC Denmark (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\98__connections_cellular_tdc denmark (denmark)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.914] GetProcessHeap () returned 0x3a00000 [0076.914] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.914] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90437e87, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x28b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", cAlternateFileName="99__CO~1.PRO")) returned 1 [0076.914] lstrcmpiW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.914] lstrcmpiW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.914] lstrcmpiW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.914] lstrcmpiW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.914] lstrcmpiW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.914] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml") returned 168 [0076.914] StrStrIW (lpFirst="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.914] lstrcmpW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.914] lstrcmpW (lpString1="99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.914] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__C", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\99__connections_cellular_telenor denmark (denmark)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.914] GetTickCount () returned 0x115390e [0076.914] GetTickCount () returned 0x115390e [0076.914] GetTickCount () returned 0x115390e [0076.914] GetTickCount () returned 0x115390e [0076.914] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.915] GetProcessHeap () returned 0x3a00000 [0076.915] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.915] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0076.916] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd75, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.916] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x28b, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x28b, lpOverlapped=0x0) returned 1 [0076.917] GetProcessHeap () returned 0x3a00000 [0076.917] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.917] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.917] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.917] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.917] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.917] CloseHandle (hObject=0x440) returned 1 [0076.917] GetProcessHeap () returned 0x3a00000 [0076.917] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.917] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0076.917] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\99__connections_cellular_telenor denmark (denmark)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\99__Connections_Cellular_Telenor Denmark (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\99__connections_cellular_telenor denmark (denmark)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.918] GetProcessHeap () returned 0x3a00000 [0076.918] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.918] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90116bb1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="9__CON~1.PRO")) returned 1 [0076.918] lstrcmpiW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Windows") returned -1 [0076.918] lstrcmpiW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="$Recycle.bin") returned 1 [0076.918] lstrcmpiW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="System Volume Information") returned -1 [0076.918] lstrcmpiW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files") returned -1 [0076.918] lstrcmpiW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="Program Files (x86)") returned -1 [0076.918] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml") returned 159 [0076.918] StrStrIW (lpFirst="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpSrch=".ebal") returned 0x0 [0076.918] lstrcmpW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.918] lstrcmpW (lpString1="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", lpString2="taridd") returned -1 [0076.918] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Co", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.918] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\9__connections_cellular_optus (australia)_i0$(__mvid)@wap.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.922] GetTickCount () returned 0x115391d [0076.922] GetTickCount () returned 0x115391d [0076.922] GetTickCount () returned 0x115391d [0076.922] GetTickCount () returned 0x115391d [0076.922] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.923] GetProcessHeap () returned 0x3a00000 [0076.923] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.923] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.942] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffd36, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.942] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2ca, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x2ca, lpOverlapped=0x0) returned 1 [0076.943] GetProcessHeap () returned 0x3a00000 [0076.943] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.943] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.943] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.943] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.943] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.943] CloseHandle (hObject=0x440) returned 1 [0076.943] GetProcessHeap () returned 0x3a00000 [0076.943] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.943] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0076.943] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\9__connections_cellular_optus (australia)_i0$(__mvid)@wap.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\9__connections_cellular_optus (australia)_i0$(__mvid)@wap.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.945] GetProcessHeap () returned 0x3a00000 [0076.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.945] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x90116bb1, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x2ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9__Connections_Cellular_Optus (Australia)_i0$(__MVID)@WAP.provxml", cAlternateFileName="9__CON~1.PRO")) returned 0 [0076.945] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0076.945] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.945] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.946] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0076.947] CloseHandle (hObject=0x43c) returned 1 [0076.947] GetProcessHeap () returned 0x3a00000 [0076.947] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0076.947] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919d3d65, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x919d3d65, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x919d3d65, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x4bf13, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.947] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.947] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.947] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.947] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.947] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.947] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml") returned 97 [0076.947] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0076.947] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.947] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.947] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.948] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.948] GetTickCount () returned 0x115392d [0076.948] GetTickCount () returned 0x115392d [0076.948] GetTickCount () returned 0x115392d [0076.948] GetTickCount () returned 0x115392d [0076.948] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0076.948] GetProcessHeap () returned 0x3a00000 [0076.948] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.948] ReadFile (in: hFile=0x43c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0076.953] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.953] WriteFile (in: hFile=0x43c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0076.954] GetProcessHeap () returned 0x3a00000 [0076.954] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.954] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.954] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0076.961] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0076.961] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0076.961] CloseHandle (hObject=0x43c) returned 1 [0076.961] GetProcessHeap () returned 0x3a00000 [0076.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0076.961] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0076.961] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0076.962] GetProcessHeap () returned 0x3a00000 [0076.962] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0076.962] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919d3d65, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x919d3d65, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0x919d3d65, ftLastWriteTime.dwHighDateTime=0x1d2e96f, nFileSizeHigh=0x0, nFileSizeLow=0x4bf13, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0076.962] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0076.962] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0076.962] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.963] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0076.964] CloseHandle (hObject=0x438) returned 1 [0076.964] GetProcessHeap () returned 0x3a00000 [0076.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0076.964] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x21b6e507, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x21b6e507, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0076.964] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0076.964] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0076.964] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0076.965] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0076.966] CloseHandle (hObject=0x434) returned 1 [0076.966] GetProcessHeap () returned 0x3a00000 [0076.966] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0076.966] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{ee4aac98-c174-4941-82b1-d121e493e4fb}", cAlternateFileName="{EE4AA~1")) returned 1 [0076.966] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Windows") returned -1 [0076.966] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="$Recycle.bin") returned 1 [0076.966] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="System Volume Information") returned -1 [0076.966] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Program Files") returned -1 [0076.966] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Program Files (x86)") returned -1 [0076.966] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}") returned 80 [0076.966] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2=".") returned 1 [0076.966] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="..") returned 1 [0076.966] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.966] GetProcessHeap () returned 0x3a00000 [0076.966] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0076.966] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*") returned 82 [0076.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0076.967] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.967] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.967] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.967] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.967] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.967] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\.") returned 82 [0076.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.967] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.967] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.967] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.967] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.967] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.967] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.967] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\..") returned 83 [0076.967] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.967] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.967] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f66020, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0076.967] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0076.967] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0076.967] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0076.967] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0076.967] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0076.967] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml") returned 99 [0076.967] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0076.967] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.967] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0076.968] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.968] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.968] GetTickCount () returned 0x115394c [0076.968] GetTickCount () returned 0x115394c [0076.968] GetTickCount () returned 0x115394c [0076.968] GetTickCount () returned 0x115394c [0076.968] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0076.968] GetProcessHeap () returned 0x3a00000 [0076.968] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.968] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x732, lpOverlapped=0x0) returned 1 [0076.969] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff8ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.970] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x732, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x732, lpOverlapped=0x0) returned 1 [0076.970] GetProcessHeap () returned 0x3a00000 [0076.970] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.970] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.970] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.970] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.970] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.970] CloseHandle (hObject=0x438) returned 1 [0076.970] GetProcessHeap () returned 0x3a00000 [0076.970] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0076.970] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0076.970] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0076.971] GetProcessHeap () returned 0x3a00000 [0076.971] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0076.971] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f3fdc3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0076.971] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0076.971] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0076.971] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0076.971] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0076.971] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0076.971] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml") returned 100 [0076.971] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0076.971] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.971] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0076.971] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.971] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0076.972] GetTickCount () returned 0x115394c [0076.972] GetTickCount () returned 0x115394c [0076.972] GetTickCount () returned 0x115394c [0076.972] GetTickCount () returned 0x115394c [0076.972] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0076.972] GetProcessHeap () returned 0x3a00000 [0076.972] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.972] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.974] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.974] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0076.974] GetProcessHeap () returned 0x3a00000 [0076.974] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.974] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.974] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0076.975] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0076.975] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0076.975] CloseHandle (hObject=0x438) returned 1 [0076.975] GetProcessHeap () returned 0x3a00000 [0076.975] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0076.975] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0076.975] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0076.976] GetProcessHeap () returned 0x3a00000 [0076.976] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0076.976] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0076.976] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0076.976] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0076.976] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0076.976] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0076.976] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0076.976] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned 85 [0076.976] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0076.976] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0076.976] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.976] GetProcessHeap () returned 0x3a00000 [0076.976] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0076.976] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*") returned 87 [0076.976] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0076.976] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.976] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.976] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.976] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.976] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.976] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\.") returned 87 [0076.976] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.976] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.976] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.976] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.976] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.976] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.976] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.976] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\..") returned 88 [0076.977] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.977] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.977] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0076.977] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0076.977] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0076.977] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0076.977] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0076.977] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0076.977] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned 93 [0076.977] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0076.977] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0076.977] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0076.977] GetProcessHeap () returned 0x3a00000 [0076.977] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0076.977] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*") returned 95 [0076.977] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0076.977] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0076.977] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0076.977] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0076.977] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0076.977] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0076.977] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\.") returned 95 [0076.977] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0076.977] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0076.977] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0076.977] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0076.977] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0076.977] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0076.977] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0076.977] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\..") returned 96 [0076.977] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0076.978] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0076.978] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f19b66, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f19b66, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f3fdc3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 1 [0076.978] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Windows") returned -1 [0076.978] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="$Recycle.bin") returned 1 [0076.978] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="System Volume Information") returned -1 [0076.978] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files") returned -1 [0076.978] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="Program Files (x86)") returned -1 [0076.978] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml") returned 133 [0076.978] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml", lpSrch=".ebal") returned 0x0 [0076.978] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.978] lstrcmpW (lpString1="0__Power_EnergyEstimationEngine.provxml", lpString2="taridd") returned -1 [0076.978] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.978] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\0__power_energyestimationengine.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0076.978] GetTickCount () returned 0x115394c [0076.978] GetTickCount () returned 0x115394c [0076.978] GetTickCount () returned 0x115394c [0076.978] GetTickCount () returned 0x115394c [0076.978] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0076.978] GetProcessHeap () returned 0x3a00000 [0076.978] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.978] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x416, lpOverlapped=0x0) returned 1 [0076.989] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffffbea, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.989] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x416, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x416, lpOverlapped=0x0) returned 1 [0076.989] GetProcessHeap () returned 0x3a00000 [0076.989] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.989] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.989] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0076.989] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0076.989] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0076.989] CloseHandle (hObject=0x440) returned 1 [0076.989] GetProcessHeap () returned 0x3a00000 [0076.989] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0076.990] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 152 [0076.990] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\0__power_energyestimationengine.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\0__power_energyestimationengine.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0076.991] GetProcessHeap () returned 0x3a00000 [0076.991] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0076.991] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f19b66, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f19b66, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f3fdc3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x416, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml", cAlternateFileName="")) returned 0 [0076.991] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0076.991] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0076.991] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.991] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0076.992] CloseHandle (hObject=0x43c) returned 1 [0076.992] GetProcessHeap () returned 0x3a00000 [0076.992] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0076.992] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f3fdc3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0076.992] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0076.992] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0076.992] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0076.992] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0076.992] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0076.992] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml") returned 97 [0076.993] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0076.993] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0076.993] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0076.993] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0076.993] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] GetTickCount () returned 0x115395c [0076.993] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0076.993] GetProcessHeap () returned 0x3a00000 [0076.993] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0076.993] ReadFile (in: hFile=0x43c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.994] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe34, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0076.994] WriteFile (in: hFile=0x43c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1cc, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af04c*=0x1cc, lpOverlapped=0x0) returned 1 [0076.994] GetProcessHeap () returned 0x3a00000 [0076.994] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0076.994] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.995] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0077.001] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0077.001] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0077.001] CloseHandle (hObject=0x43c) returned 1 [0077.001] GetProcessHeap () returned 0x3a00000 [0077.001] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.001] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0077.001] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.002] GetProcessHeap () returned 0x3a00000 [0077.002] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.002] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f3fdc3, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1cc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0077.002] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0077.002] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0077.002] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.002] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.003] CloseHandle (hObject=0x438) returned 1 [0077.003] GetProcessHeap () returned 0x3a00000 [0077.003] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.003] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d15f260, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d15f260, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0077.003] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0077.004] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0077.004] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.006] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.006] CloseHandle (hObject=0x434) returned 1 [0077.007] GetProcessHeap () returned 0x3a00000 [0077.007] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.007] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1 [0077.007] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Windows") returned -1 [0077.007] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="$Recycle.bin") returned 1 [0077.007] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="System Volume Information") returned -1 [0077.007] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Program Files") returned -1 [0077.007] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Program Files (x86)") returned -1 [0077.007] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 80 [0077.007] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2=".") returned 1 [0077.007] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="..") returned 1 [0077.007] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.007] GetProcessHeap () returned 0x3a00000 [0077.007] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.007] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*") returned 82 [0077.007] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0077.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.008] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.008] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.008] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\.") returned 82 [0077.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.008] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.008] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.008] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.008] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.008] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\..") returned 83 [0077.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.008] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f6a449, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f6a449, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f6a449, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x8a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="")) returned 1 [0077.008] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0077.008] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0077.008] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0077.008] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0077.008] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0077.008] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml") returned 99 [0077.008] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0077.009] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.009] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0077.009] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.009] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.009] GetTickCount () returned 0x115396b [0077.009] GetTickCount () returned 0x115396b [0077.009] GetTickCount () returned 0x115396b [0077.009] GetTickCount () returned 0x115396b [0077.009] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.009] GetProcessHeap () returned 0x3a00000 [0077.009] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.009] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x8a8, lpOverlapped=0x0) returned 1 [0077.011] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff758, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.011] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x8a8, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x8a8, lpOverlapped=0x0) returned 1 [0077.011] GetProcessHeap () returned 0x3a00000 [0077.011] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.012] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.012] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.012] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.012] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.012] CloseHandle (hObject=0x438) returned 1 [0077.012] GetProcessHeap () returned 0x3a00000 [0077.012] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.012] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0077.012] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.013] GetProcessHeap () returned 0x3a00000 [0077.013] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.013] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f1df76, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="")) returned 1 [0077.013] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0077.013] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0077.013] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0077.013] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0077.013] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0077.013] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml") returned 100 [0077.013] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0077.013] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.013] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0077.013] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.013] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.014] GetTickCount () returned 0x115397b [0077.014] GetTickCount () returned 0x115397b [0077.014] GetTickCount () returned 0x115397b [0077.014] GetTickCount () returned 0x115397b [0077.014] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.014] GetProcessHeap () returned 0x3a00000 [0077.014] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.014] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0077.015] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.015] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0077.015] GetProcessHeap () returned 0x3a00000 [0077.015] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.015] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.015] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.016] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.016] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.016] CloseHandle (hObject=0x438) returned 1 [0077.017] GetProcessHeap () returned 0x3a00000 [0077.017] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.017] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0077.017] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.017] GetProcessHeap () returned 0x3a00000 [0077.017] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.017] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0077.017] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0077.017] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0077.017] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0077.017] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0077.017] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0077.017] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned 85 [0077.017] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0077.018] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0077.018] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.018] GetProcessHeap () returned 0x3a00000 [0077.018] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.018] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*") returned 87 [0077.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d244069, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0077.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.019] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\.") returned 87 [0077.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.019] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d244069, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.019] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\..") returned 88 [0077.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.019] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d244069, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d244069, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0077.019] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0077.019] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0077.019] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0077.019] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0077.019] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0077.019] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned 93 [0077.019] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0077.019] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0077.019] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.019] GetProcessHeap () returned 0x3a00000 [0077.019] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.019] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*") returned 95 [0077.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d244069, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d244069, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0077.020] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.020] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.020] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.020] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.020] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.020] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\.") returned 95 [0077.020] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.020] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d244069, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d244069, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.020] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.020] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.020] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.020] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.020] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.020] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\..") returned 96 [0077.020] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.020] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef7d10, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef7d10, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f1df76, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 1 [0077.020] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.020] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.020] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.020] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.020] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.020] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0077.020] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.020] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.020] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.020] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.020] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.021] GetTickCount () returned 0x115397b [0077.021] GetTickCount () returned 0x115397b [0077.021] GetTickCount () returned 0x115397b [0077.021] GetTickCount () returned 0x115397b [0077.021] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.021] GetProcessHeap () returned 0x3a00000 [0077.021] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.021] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x732, lpOverlapped=0x0) returned 1 [0077.025] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff8ce, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.025] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x732, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x732, lpOverlapped=0x0) returned 1 [0077.025] GetProcessHeap () returned 0x3a00000 [0077.025] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.025] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.025] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.025] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.025] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.025] CloseHandle (hObject=0x440) returned 1 [0077.025] GetProcessHeap () returned 0x3a00000 [0077.025] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.026] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.026] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.026] GetProcessHeap () returned 0x3a00000 [0077.026] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.026] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef7d10, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef7d10, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f1df76, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x732, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="")) returned 0 [0077.026] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0077.026] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0077.026] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.027] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.028] CloseHandle (hObject=0x43c) returned 1 [0077.028] GetProcessHeap () returned 0x3a00000 [0077.028] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.028] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f1df76, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0077.028] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0077.028] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0077.028] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0077.028] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0077.028] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0077.028] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml") returned 97 [0077.028] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0077.028] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.028] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0077.029] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.029] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.029] GetTickCount () returned 0x115398b [0077.029] GetTickCount () returned 0x115398b [0077.029] GetTickCount () returned 0x115398b [0077.029] GetTickCount () returned 0x115398b [0077.029] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0077.029] GetProcessHeap () returned 0x3a00000 [0077.029] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.029] ReadFile (in: hFile=0x43c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0077.030] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffff05, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.030] WriteFile (in: hFile=0x43c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0xfb, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af04c*=0xfb, lpOverlapped=0x0) returned 1 [0077.030] GetProcessHeap () returned 0x3a00000 [0077.030] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.030] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.030] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0077.031] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0077.031] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0077.031] CloseHandle (hObject=0x43c) returned 1 [0077.031] GetProcessHeap () returned 0x3a00000 [0077.031] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.031] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0077.032] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.035] GetProcessHeap () returned 0x3a00000 [0077.035] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.035] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x53f1df76, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xfb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0077.035] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0077.035] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0077.035] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.036] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.036] CloseHandle (hObject=0x438) returned 1 [0077.037] GetProcessHeap () returned 0x3a00000 [0077.037] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.037] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1d21de20, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1d21de20, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0077.037] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0077.037] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0077.037] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.048] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.049] CloseHandle (hObject=0x434) returned 1 [0077.050] GetProcessHeap () returned 0x3a00000 [0077.050] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.050] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1 [0077.050] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Windows") returned -1 [0077.050] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="$Recycle.bin") returned 1 [0077.050] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="System Volume Information") returned -1 [0077.050] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Program Files") returned -1 [0077.050] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Program Files (x86)") returned -1 [0077.050] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 80 [0077.050] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2=".") returned 1 [0077.050] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="..") returned 1 [0077.050] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.050] GetProcessHeap () returned 0x3a00000 [0077.050] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.050] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*") returned 82 [0077.050] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0077.052] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.053] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.053] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.053] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.053] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.053] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\.") returned 82 [0077.053] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.053] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.053] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.053] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.053] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.053] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.053] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.053] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\..") returned 83 [0077.053] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.053] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.053] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x560ed25a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x560ed25a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x560ed25a, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x6274, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml", cAlternateFileName="CUSTOM~1.XML")) returned 1 [0077.053] lstrcmpiW (lpString1="customizations.xml", lpString2="Windows") returned -1 [0077.053] lstrcmpiW (lpString1="customizations.xml", lpString2="$Recycle.bin") returned 1 [0077.053] lstrcmpiW (lpString1="customizations.xml", lpString2="System Volume Information") returned -1 [0077.053] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files") returned -1 [0077.053] lstrcmpiW (lpString1="customizations.xml", lpString2="Program Files (x86)") returned -1 [0077.053] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml") returned 99 [0077.053] StrStrIW (lpFirst="customizations.xml", lpSrch=".ebal") returned 0x0 [0077.053] lstrcmpW (lpString1="customizations.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.053] lstrcmpW (lpString1="customizations.xml", lpString2="taridd") returned -1 [0077.053] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.053] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.054] GetTickCount () returned 0x115399a [0077.054] GetTickCount () returned 0x115399a [0077.054] GetTickCount () returned 0x115399a [0077.054] GetTickCount () returned 0x115399a [0077.054] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.054] GetProcessHeap () returned 0x3a00000 [0077.054] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.054] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0077.056] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.056] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0077.056] GetProcessHeap () returned 0x3a00000 [0077.056] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.056] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.056] CloseHandle (hObject=0x438) returned 1 [0077.057] GetProcessHeap () returned 0x3a00000 [0077.057] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.057] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 118 [0077.057] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.057] GetProcessHeap () returned 0x3a00000 [0077.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.057] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55d0d528, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55d0d528, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55d0d528, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x10f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml", cAlternateFileName="MASTER~1.XML")) returned 1 [0077.057] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Windows") returned -1 [0077.057] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="$Recycle.bin") returned 1 [0077.057] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="System Volume Information") returned -1 [0077.057] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files") returned -1 [0077.058] lstrcmpiW (lpString1="MasterDatastore.xml", lpString2="Program Files (x86)") returned -1 [0077.058] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml") returned 100 [0077.058] StrStrIW (lpFirst="MasterDatastore.xml", lpSrch=".ebal") returned 0x0 [0077.058] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.058] lstrcmpW (lpString1="MasterDatastore.xml", lpString2="taridd") returned -1 [0077.058] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.058] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.058] GetTickCount () returned 0x115399a [0077.058] GetTickCount () returned 0x115399a [0077.058] GetTickCount () returned 0x115399a [0077.058] GetTickCount () returned 0x115399a [0077.058] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.058] GetProcessHeap () returned 0x3a00000 [0077.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.058] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0077.059] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffef1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.059] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x10f, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x10f, lpOverlapped=0x0) returned 1 [0077.094] GetProcessHeap () returned 0x3a00000 [0077.095] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.095] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.095] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.095] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.095] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.096] CloseHandle (hObject=0x438) returned 1 [0077.096] GetProcessHeap () returned 0x3a00000 [0077.096] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.096] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 119 [0077.096] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\masterdatastore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.097] GetProcessHeap () returned 0x3a00000 [0077.097] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.097] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0077.097] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0077.097] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0077.097] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0077.097] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0077.097] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0077.097] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned 85 [0077.097] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0077.097] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0077.097] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.097] GetProcessHeap () returned 0x3a00000 [0077.097] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.097] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*") returned 87 [0077.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0077.098] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.098] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.098] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.098] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.098] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.098] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\.") returned 87 [0077.098] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.098] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.098] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.098] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.098] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.098] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.098] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.098] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\..") returned 88 [0077.098] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.098] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.098] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0077.098] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0077.098] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0077.098] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0077.098] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0077.098] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0077.098] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned 93 [0077.099] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0077.099] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0077.099] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.099] GetProcessHeap () returned 0x3a00000 [0077.099] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.099] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*") returned 95 [0077.099] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.101] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.101] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.101] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.101] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.101] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.101] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\.") returned 95 [0077.101] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.101] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x217b4a1a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x217b4a1a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.101] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.101] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.101] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.101] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.101] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.101] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\..") returned 96 [0077.101] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.102] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.102] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c4e960, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c4e960, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55c4e960, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x93d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml", cAlternateFileName="0__POW~1.PRO")) returned 1 [0077.102] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.102] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.102] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.102] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.102] lstrcmpiW (lpString1="0__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.102] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml") returned 117 [0077.102] StrStrIW (lpFirst="0__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.102] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.102] lstrcmpW (lpString1="0__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.102] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.102] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\0__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.102] GetTickCount () returned 0x11539c9 [0077.102] GetTickCount () returned 0x11539c9 [0077.102] GetTickCount () returned 0x11539c9 [0077.102] GetTickCount () returned 0x11539c9 [0077.102] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.103] GetProcessHeap () returned 0x3a00000 [0077.103] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.103] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x93d, lpOverlapped=0x0) returned 1 [0077.114] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff6c3, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.114] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x93d, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x93d, lpOverlapped=0x0) returned 1 [0077.114] GetProcessHeap () returned 0x3a00000 [0077.114] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.114] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.114] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.115] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.115] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.115] CloseHandle (hObject=0x440) returned 1 [0077.115] GetProcessHeap () returned 0x3a00000 [0077.115] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.115] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.115] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\0__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\0__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.116] GetProcessHeap () returned 0x3a00000 [0077.116] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.116] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c74bbc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c74bbc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55c74bbc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1018, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml", cAlternateFileName="1__POW~1.PRO")) returned 1 [0077.116] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.116] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.116] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.116] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.116] lstrcmpiW (lpString1="1__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.116] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml") returned 117 [0077.116] StrStrIW (lpFirst="1__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.116] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.116] lstrcmpW (lpString1="1__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.116] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.116] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\1__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.117] GetTickCount () returned 0x11539d9 [0077.117] GetTickCount () returned 0x11539d9 [0077.117] GetTickCount () returned 0x11539d9 [0077.117] GetTickCount () returned 0x11539d9 [0077.117] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.117] GetProcessHeap () returned 0x3a00000 [0077.117] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.117] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1018, lpOverlapped=0x0) returned 1 [0077.119] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffefe8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.119] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1018, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1018, lpOverlapped=0x0) returned 1 [0077.119] GetProcessHeap () returned 0x3a00000 [0077.119] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.119] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.119] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.119] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.119] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.119] CloseHandle (hObject=0x440) returned 1 [0077.120] GetProcessHeap () returned 0x3a00000 [0077.120] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.120] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.120] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\1__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\1__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.120] GetProcessHeap () returned 0x3a00000 [0077.120] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.120] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9ae14, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c9ae14, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55c9ae14, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2__Power_Policy.provxml", cAlternateFileName="2__POW~1.PRO")) returned 1 [0077.120] lstrcmpiW (lpString1="2__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.120] lstrcmpiW (lpString1="2__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.120] lstrcmpiW (lpString1="2__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.120] lstrcmpiW (lpString1="2__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.120] lstrcmpiW (lpString1="2__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.121] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml") returned 117 [0077.121] StrStrIW (lpFirst="2__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.121] lstrcmpW (lpString1="2__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.121] lstrcmpW (lpString1="2__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.121] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.121] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\2__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] GetTickCount () returned 0x11539d9 [0077.121] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.121] GetProcessHeap () returned 0x3a00000 [0077.121] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.121] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1939, lpOverlapped=0x0) returned 1 [0077.123] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffe6c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.123] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1939, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1939, lpOverlapped=0x0) returned 1 [0077.123] GetProcessHeap () returned 0x3a00000 [0077.123] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.123] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.123] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.123] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.123] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.124] CloseHandle (hObject=0x440) returned 1 [0077.124] GetProcessHeap () returned 0x3a00000 [0077.124] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.124] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.124] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\2__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\2__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.124] GetProcessHeap () returned 0x3a00000 [0077.124] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.124] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55cc1070, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x1939, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3__Power_Policy.provxml", cAlternateFileName="3__POW~1.PRO")) returned 1 [0077.124] lstrcmpiW (lpString1="3__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.124] lstrcmpiW (lpString1="3__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.124] lstrcmpiW (lpString1="3__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.124] lstrcmpiW (lpString1="3__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.124] lstrcmpiW (lpString1="3__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.125] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml") returned 117 [0077.125] StrStrIW (lpFirst="3__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.125] lstrcmpW (lpString1="3__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.125] lstrcmpW (lpString1="3__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.125] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.125] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\3__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.125] GetTickCount () returned 0x11539e8 [0077.125] GetTickCount () returned 0x11539e8 [0077.125] GetTickCount () returned 0x11539e8 [0077.125] GetTickCount () returned 0x11539e8 [0077.125] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.125] GetProcessHeap () returned 0x3a00000 [0077.125] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.125] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x1939, lpOverlapped=0x0) returned 1 [0077.127] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffe6c7, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.127] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1939, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x1939, lpOverlapped=0x0) returned 1 [0077.127] GetProcessHeap () returned 0x3a00000 [0077.127] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.127] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.127] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.127] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.128] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.128] CloseHandle (hObject=0x440) returned 1 [0077.128] GetProcessHeap () returned 0x3a00000 [0077.128] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.128] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.128] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\3__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\3__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.128] GetProcessHeap () returned 0x3a00000 [0077.128] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.129] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55cc1070, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4__Power_Policy.provxml", cAlternateFileName="4__POW~1.PRO")) returned 1 [0077.129] lstrcmpiW (lpString1="4__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.129] lstrcmpiW (lpString1="4__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.129] lstrcmpiW (lpString1="4__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.129] lstrcmpiW (lpString1="4__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.129] lstrcmpiW (lpString1="4__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.129] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml") returned 117 [0077.129] StrStrIW (lpFirst="4__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.129] lstrcmpW (lpString1="4__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.129] lstrcmpW (lpString1="4__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.129] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.129] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\4__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.129] GetTickCount () returned 0x11539e8 [0077.129] GetTickCount () returned 0x11539e8 [0077.129] GetTickCount () returned 0x11539e8 [0077.129] GetTickCount () returned 0x11539e8 [0077.129] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.129] GetProcessHeap () returned 0x3a00000 [0077.129] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.129] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0xe63, lpOverlapped=0x0) returned 1 [0077.135] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff19d, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.135] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0xe63, lpOverlapped=0x0) returned 1 [0077.136] GetProcessHeap () returned 0x3a00000 [0077.136] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.136] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.136] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.136] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.136] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.136] CloseHandle (hObject=0x440) returned 1 [0077.136] GetProcessHeap () returned 0x3a00000 [0077.136] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.136] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.136] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\4__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\4__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.137] GetProcessHeap () returned 0x3a00000 [0077.137] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.137] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55cc1070, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x822, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5__Power_Policy.provxml", cAlternateFileName="5__POW~1.PRO")) returned 1 [0077.137] lstrcmpiW (lpString1="5__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.137] lstrcmpiW (lpString1="5__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.137] lstrcmpiW (lpString1="5__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.137] lstrcmpiW (lpString1="5__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.137] lstrcmpiW (lpString1="5__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.137] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml") returned 117 [0077.137] StrStrIW (lpFirst="5__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.137] lstrcmpW (lpString1="5__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.137] lstrcmpW (lpString1="5__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.137] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.137] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\5__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.138] GetTickCount () returned 0x11539f8 [0077.138] GetTickCount () returned 0x11539f8 [0077.138] GetTickCount () returned 0x11539f8 [0077.138] GetTickCount () returned 0x11539f8 [0077.138] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.138] GetProcessHeap () returned 0x3a00000 [0077.138] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.138] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x822, lpOverlapped=0x0) returned 1 [0077.141] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff7de, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.142] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x822, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x822, lpOverlapped=0x0) returned 1 [0077.142] GetProcessHeap () returned 0x3a00000 [0077.142] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.142] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.142] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.142] CloseHandle (hObject=0x440) returned 1 [0077.142] GetProcessHeap () returned 0x3a00000 [0077.142] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.142] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.142] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\5__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\5__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.143] GetProcessHeap () returned 0x3a00000 [0077.143] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.143] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55ce72cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="6__Power_Policy.provxml", cAlternateFileName="6__POW~1.PRO")) returned 1 [0077.143] lstrcmpiW (lpString1="6__Power_Policy.provxml", lpString2="Windows") returned -1 [0077.143] lstrcmpiW (lpString1="6__Power_Policy.provxml", lpString2="$Recycle.bin") returned 1 [0077.143] lstrcmpiW (lpString1="6__Power_Policy.provxml", lpString2="System Volume Information") returned -1 [0077.143] lstrcmpiW (lpString1="6__Power_Policy.provxml", lpString2="Program Files") returned -1 [0077.143] lstrcmpiW (lpString1="6__Power_Policy.provxml", lpString2="Program Files (x86)") returned -1 [0077.143] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml") returned 117 [0077.143] StrStrIW (lpFirst="6__Power_Policy.provxml", lpSrch=".ebal") returned 0x0 [0077.143] lstrcmpW (lpString1="6__Power_Policy.provxml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.143] lstrcmpW (lpString1="6__Power_Policy.provxml", lpString2="taridd") returned -1 [0077.143] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Po", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.143] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\6__power_policy.provxml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.143] GetTickCount () returned 0x11539f8 [0077.144] GetTickCount () returned 0x11539f8 [0077.144] GetTickCount () returned 0x11539f8 [0077.144] GetTickCount () returned 0x11539f8 [0077.144] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0077.144] GetProcessHeap () returned 0x3a00000 [0077.144] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.144] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x93f, lpOverlapped=0x0) returned 1 [0077.148] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xfffff6c1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.148] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x93f, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x93f, lpOverlapped=0x0) returned 1 [0077.149] GetProcessHeap () returned 0x3a00000 [0077.149] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.149] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0077.149] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0077.149] CloseHandle (hObject=0x440) returned 1 [0077.149] GetProcessHeap () returned 0x3a00000 [0077.149] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.149] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 136 [0077.149] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\6__power_policy.provxml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\6__power_policy.provxml_r00t_{8ew5f6}.ebal")) returned 1 [0077.150] GetProcessHeap () returned 0x3a00000 [0077.150] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.150] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55ce72cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x93f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="6__Power_Policy.provxml", cAlternateFileName="6__POW~1.PRO")) returned 0 [0077.150] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.150] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 125 [0077.150] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.150] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.151] CloseHandle (hObject=0x43c) returned 1 [0077.151] GetProcessHeap () returned 0x3a00000 [0077.151] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.151] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55ce72cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x948, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 1 [0077.151] lstrcmpiW (lpString1="RunTime.xml", lpString2="Windows") returned -1 [0077.151] lstrcmpiW (lpString1="RunTime.xml", lpString2="$Recycle.bin") returned 1 [0077.151] lstrcmpiW (lpString1="RunTime.xml", lpString2="System Volume Information") returned -1 [0077.151] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files") returned 1 [0077.152] lstrcmpiW (lpString1="RunTime.xml", lpString2="Program Files (x86)") returned 1 [0077.152] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml") returned 97 [0077.152] StrStrIW (lpFirst="RunTime.xml", lpSrch=".ebal") returned 0x0 [0077.152] lstrcmpW (lpString1="RunTime.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.152] lstrcmpW (lpString1="RunTime.xml", lpString2="taridd") returned -1 [0077.152] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.152] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.152] GetTickCount () returned 0x11539f8 [0077.152] GetTickCount () returned 0x11539f8 [0077.152] GetTickCount () returned 0x11539f8 [0077.152] GetTickCount () returned 0x11539f8 [0077.152] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0077.152] GetProcessHeap () returned 0x3a00000 [0077.152] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.152] ReadFile (in: hFile=0x43c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af04c*=0x948, lpOverlapped=0x0) returned 1 [0077.160] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff6b8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.160] WriteFile (in: hFile=0x43c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x948, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af04c*=0x948, lpOverlapped=0x0) returned 1 [0077.160] GetProcessHeap () returned 0x3a00000 [0077.161] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.161] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.161] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0077.161] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0077.161] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0077.161] CloseHandle (hObject=0x43c) returned 1 [0077.161] GetProcessHeap () returned 0x3a00000 [0077.161] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.161] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 116 [0077.161] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime.xml_r00t_{8ew5f6}.ebal")) returned 1 [0077.162] GetProcessHeap () returned 0x3a00000 [0077.162] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.162] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0x55ce72cc, ftLastWriteTime.dwHighDateTime=0x1d29f93, nFileSizeHigh=0x0, nFileSizeLow=0x948, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml", cAlternateFileName="")) returned 0 [0077.162] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0077.162] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 117 [0077.162] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.165] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.166] CloseHandle (hObject=0x438) returned 1 [0077.166] GetProcessHeap () returned 0x3a00000 [0077.166] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.166] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0077.166] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0077.166] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0077.166] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.166] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.167] CloseHandle (hObject=0x434) returned 1 [0077.167] GetProcessHeap () returned 0x3a00000 [0077.167] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.167] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x2178e943, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x2178e943, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0 [0077.167] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0077.167] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0077.167] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Provisioning\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\provisioning\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.168] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.169] CloseHandle (hObject=0x430) returned 1 [0077.169] GetProcessHeap () returned 0x3a00000 [0077.169] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.169] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb7a500e7, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Search", cAlternateFileName="")) returned 1 [0077.169] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0077.169] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0077.169] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0077.169] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0077.169] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0077.169] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search") returned 35 [0077.169] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0077.169] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0077.170] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.170] GetProcessHeap () returned 0x3a00000 [0077.170] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.170] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*") returned 37 [0077.170] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb7a500e7, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0077.174] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.174] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.174] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.174] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.174] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.174] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\.") returned 37 [0077.174] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.174] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb7a500e7, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.174] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.174] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.174] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.174] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.174] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.174] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\..") returned 38 [0077.174] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.174] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.174] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 1 [0077.174] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0077.174] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0077.174] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0077.174] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0077.174] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0077.174] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data") returned 40 [0077.174] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0077.174] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0077.174] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.174] GetProcessHeap () returned 0x3a00000 [0077.174] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.174] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*") returned 42 [0077.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0077.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.178] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\.") returned 42 [0077.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.178] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.178] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.178] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\..") returned 43 [0077.178] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.178] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x769ae22f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0077.178] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0077.178] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0077.178] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0077.178] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0077.178] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0077.178] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications") returned 53 [0077.178] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0077.178] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0077.178] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.179] GetProcessHeap () returned 0x3a00000 [0077.179] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.179] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*") returned 55 [0077.179] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x769ae22f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0077.179] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.179] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.179] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.179] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.179] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.179] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\.") returned 55 [0077.179] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.179] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x769ae22f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.179] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.179] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.179] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.179] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\..") returned 56 [0077.179] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.179] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ae22f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfd58d8c3, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xfd58d8c3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0077.179] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0077.179] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ae22f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfd58d8c3, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xfd58d8c3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 0 [0077.179] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0077.179] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0077.180] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\applications\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.182] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.183] CloseHandle (hObject=0x438) returned 1 [0077.183] GetProcessHeap () returned 0x3a00000 [0077.183] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.183] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b7d74b9, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2b7d74b9, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0077.183] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0077.183] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0077.183] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0077.183] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0077.183] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0077.184] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp") returned 45 [0077.184] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0077.184] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0077.184] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.184] GetProcessHeap () returned 0x3a00000 [0077.184] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.184] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*") returned 47 [0077.184] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b7d74b9, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb99ea4ee, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0077.189] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.189] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.189] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.189] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.189] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.189] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\.") returned 47 [0077.190] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.190] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b7d74b9, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb99ea4ee, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.190] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.190] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.190] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.190] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.190] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.190] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\..") returned 48 [0077.190] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.190] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.190] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b7d74b9, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xb99ea4ee, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.190] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0077.190] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0077.190] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.191] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.192] CloseHandle (hObject=0x438) returned 1 [0077.192] GetProcessHeap () returned 0x3a00000 [0077.192] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.192] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b7d74b9, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2b7d74b9, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 0 [0077.192] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0077.192] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0077.192] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.192] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.193] CloseHandle (hObject=0x434) returned 1 [0077.193] GetProcessHeap () returned 0x3a00000 [0077.193] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.193] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 0 [0077.194] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0077.194] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0077.194] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\search\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.196] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.197] CloseHandle (hObject=0x430) returned 1 [0077.197] GetProcessHeap () returned 0x3a00000 [0077.197] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.197] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Settings", cAlternateFileName="")) returned 1 [0077.197] lstrcmpiW (lpString1="Settings", lpString2="Windows") returned -1 [0077.197] lstrcmpiW (lpString1="Settings", lpString2="$Recycle.bin") returned 1 [0077.197] lstrcmpiW (lpString1="Settings", lpString2="System Volume Information") returned -1 [0077.197] lstrcmpiW (lpString1="Settings", lpString2="Program Files") returned 1 [0077.197] lstrcmpiW (lpString1="Settings", lpString2="Program Files (x86)") returned 1 [0077.197] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings") returned 37 [0077.197] lstrcmpW (lpString1="Settings", lpString2=".") returned 1 [0077.197] lstrcmpW (lpString1="Settings", lpString2="..") returned 1 [0077.197] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Settings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.197] GetProcessHeap () returned 0x3a00000 [0077.197] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.197] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\*") returned 39 [0077.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0077.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.198] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\.") returned 39 [0077.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.198] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.198] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\..") returned 40 [0077.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.198] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Accounts", cAlternateFileName="")) returned 1 [0077.198] lstrcmpiW (lpString1="Accounts", lpString2="Windows") returned -1 [0077.198] lstrcmpiW (lpString1="Accounts", lpString2="$Recycle.bin") returned 1 [0077.198] lstrcmpiW (lpString1="Accounts", lpString2="System Volume Information") returned -1 [0077.198] lstrcmpiW (lpString1="Accounts", lpString2="Program Files") returned -1 [0077.198] lstrcmpiW (lpString1="Accounts", lpString2="Program Files (x86)") returned -1 [0077.199] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts") returned 46 [0077.199] lstrcmpW (lpString1="Accounts", lpString2=".") returned 1 [0077.199] lstrcmpW (lpString1="Accounts", lpString2="..") returned 1 [0077.199] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.199] GetProcessHeap () returned 0x3a00000 [0077.199] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.199] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\*") returned 48 [0077.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.199] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.199] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.199] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.199] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.199] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.199] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\.") returned 48 [0077.199] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.199] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.199] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.199] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.199] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.199] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.199] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.199] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\..") returned 49 [0077.199] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.199] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.199] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.199] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.200] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0077.200] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\Accounts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\settings\\accounts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.200] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.201] CloseHandle (hObject=0x434) returned 1 [0077.201] GetProcessHeap () returned 0x3a00000 [0077.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.201] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Accounts", cAlternateFileName="")) returned 0 [0077.201] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0077.207] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0077.207] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Settings\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\settings\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.208] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.209] CloseHandle (hObject=0x430) returned 1 [0077.209] GetProcessHeap () returned 0x3a00000 [0077.209] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.209] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1 [0077.209] lstrcmpiW (lpString1="SmsRouter", lpString2="Windows") returned -1 [0077.209] lstrcmpiW (lpString1="SmsRouter", lpString2="$Recycle.bin") returned 1 [0077.209] lstrcmpiW (lpString1="SmsRouter", lpString2="System Volume Information") returned -1 [0077.209] lstrcmpiW (lpString1="SmsRouter", lpString2="Program Files") returned 1 [0077.209] lstrcmpiW (lpString1="SmsRouter", lpString2="Program Files (x86)") returned 1 [0077.209] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter") returned 38 [0077.209] lstrcmpW (lpString1="SmsRouter", lpString2=".") returned 1 [0077.209] lstrcmpW (lpString1="SmsRouter", lpString2="..") returned 1 [0077.209] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.209] GetProcessHeap () returned 0x3a00000 [0077.209] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.209] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*") returned 40 [0077.209] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0077.209] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.209] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.209] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.209] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.209] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.210] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\.") returned 40 [0077.210] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.210] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.210] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.210] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.210] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.210] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.210] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.210] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\..") returned 41 [0077.210] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.210] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.210] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1 [0077.210] lstrcmpiW (lpString1="MessageStore", lpString2="Windows") returned -1 [0077.210] lstrcmpiW (lpString1="MessageStore", lpString2="$Recycle.bin") returned 1 [0077.210] lstrcmpiW (lpString1="MessageStore", lpString2="System Volume Information") returned -1 [0077.210] lstrcmpiW (lpString1="MessageStore", lpString2="Program Files") returned -1 [0077.210] lstrcmpiW (lpString1="MessageStore", lpString2="Program Files (x86)") returned -1 [0077.210] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore") returned 51 [0077.210] lstrcmpW (lpString1="MessageStore", lpString2=".") returned 1 [0077.210] lstrcmpW (lpString1="MessageStore", lpString2="..") returned 1 [0077.210] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.210] GetProcessHeap () returned 0x3a00000 [0077.210] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.210] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*") returned 53 [0077.210] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0077.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.212] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\.") returned 53 [0077.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.212] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.212] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.212] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.212] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.212] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.213] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\..") returned 54 [0077.213] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.213] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.213] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b93f8ea, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0077.213] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0077.213] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0077.213] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0077.213] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0077.213] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0077.213] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned 59 [0077.213] StrStrIW (lpFirst="edb.chk", lpSrch=".ebal") returned 0x0 [0077.213] lstrcmpW (lpString1="edb.chk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.213] lstrcmpW (lpString1="edb.chk", lpString2="taridd") returned -1 [0077.213] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.213] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.chk" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.214] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dec862e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b93f8ea, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0077.214] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0077.214] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0077.214] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0077.214] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0077.214] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0077.214] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned 59 [0077.214] StrStrIW (lpFirst="edb.log", lpSrch=".ebal") returned 0x0 [0077.214] lstrcmpW (lpString1="edb.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.214] lstrcmpW (lpString1="edb.log", lpString2="taridd") returned -1 [0077.214] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.214] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b42ee8a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb00002.log", cAlternateFileName="")) returned 1 [0077.214] lstrcmpiW (lpString1="edb00002.log", lpString2="Windows") returned -1 [0077.214] lstrcmpiW (lpString1="edb00002.log", lpString2="$Recycle.bin") returned 1 [0077.214] lstrcmpiW (lpString1="edb00002.log", lpString2="System Volume Information") returned -1 [0077.214] lstrcmpiW (lpString1="edb00002.log", lpString2="Program Files") returned -1 [0077.214] lstrcmpiW (lpString1="edb00002.log", lpString2="Program Files (x86)") returned -1 [0077.214] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log") returned 64 [0077.214] StrStrIW (lpFirst="edb00002.log", lpSrch=".ebal") returned 0x0 [0077.214] lstrcmpW (lpString1="edb00002.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.214] lstrcmpW (lpString1="edb00002.log", lpString2="taridd") returned -1 [0077.214] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.214] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edb00002.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.215] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dd4ae8d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0077.215] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0077.215] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0077.215] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0077.215] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0077.215] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0077.215] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned 67 [0077.215] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".ebal") returned 0x0 [0077.215] lstrcmpW (lpString1="edbres00001.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.215] lstrcmpW (lpString1="edbres00001.jrs", lpString2="taridd") returned -1 [0077.215] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.215] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.215] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dd4ae8d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0077.215] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0077.217] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0077.217] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0077.217] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0077.217] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0077.217] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned 67 [0077.217] StrStrIW (lpFirst="edbres00002.jrs", lpSrch=".ebal") returned 0x0 [0077.217] lstrcmpW (lpString1="edbres00002.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.217] lstrcmpW (lpString1="edbres00002.jrs", lpString2="taridd") returned -1 [0077.217] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.217] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd24c5a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1deee89a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0077.217] lstrcmpiW (lpString1="edbtmp.log", lpString2="Windows") returned -1 [0077.217] lstrcmpiW (lpString1="edbtmp.log", lpString2="$Recycle.bin") returned 1 [0077.217] lstrcmpiW (lpString1="edbtmp.log", lpString2="System Volume Information") returned -1 [0077.217] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files") returned -1 [0077.217] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files (x86)") returned -1 [0077.217] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned 62 [0077.217] StrStrIW (lpFirst="edbtmp.log", lpSrch=".ebal") returned 0x0 [0077.217] lstrcmpW (lpString1="edbtmp.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.217] lstrcmpW (lpString1="edbtmp.log", lpString2="taridd") returned -1 [0077.217] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.217] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.217] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd973cb, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd973cb, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1 [0077.217] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Windows") returned -1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="$Recycle.bin") returned 1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="System Volume Information") returned -1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Program Files") returned 1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Program Files (x86)") returned 1 [0077.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned 72 [0077.218] StrStrIW (lpFirst="SmsInterceptStore.db", lpSrch=".ebal") returned 0x0 [0077.218] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.218] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2="taridd") returned -1 [0077.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.218] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd7110f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd7110f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.jfm", cAlternateFileName="SMSINT~1.JFM")) returned 1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Windows") returned -1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="$Recycle.bin") returned 1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="System Volume Information") returned -1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Program Files") returned 1 [0077.218] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Program Files (x86)") returned 1 [0077.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm") returned 73 [0077.218] StrStrIW (lpFirst="SmsInterceptStore.jfm", lpSrch=".ebal") returned 0x0 [0077.218] lstrcmpW (lpString1="SmsInterceptStore.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.218] lstrcmpW (lpString1="SmsInterceptStore.jfm", lpString2="taridd") returned -1 [0077.218] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.218] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.218] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd7110f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd7110f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.jfm", cAlternateFileName="SMSINT~1.JFM")) returned 0 [0077.218] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0077.219] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0077.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\MessageStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\smsrouter\\messagestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.226] GetProcessHeap () returned 0x3a00000 [0077.226] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.226] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0 [0077.226] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0077.226] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 70 [0077.226] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\SmsRouter\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\smsrouter\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.226] GetProcessHeap () returned 0x3a00000 [0077.226] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.226] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Spectrum", cAlternateFileName="")) returned 1 [0077.226] lstrcmpiW (lpString1="Spectrum", lpString2="Windows") returned -1 [0077.226] lstrcmpiW (lpString1="Spectrum", lpString2="$Recycle.bin") returned 1 [0077.226] lstrcmpiW (lpString1="Spectrum", lpString2="System Volume Information") returned -1 [0077.226] lstrcmpiW (lpString1="Spectrum", lpString2="Program Files") returned 1 [0077.226] lstrcmpiW (lpString1="Spectrum", lpString2="Program Files (x86)") returned 1 [0077.226] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum") returned 37 [0077.226] lstrcmpW (lpString1="Spectrum", lpString2=".") returned 1 [0077.226] lstrcmpW (lpString1="Spectrum", lpString2="..") returned 1 [0077.226] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.226] GetProcessHeap () returned 0x3a00000 [0077.226] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.226] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\*") returned 39 [0077.226] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0077.226] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.227] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\.") returned 39 [0077.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.227] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.227] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\..") returned 40 [0077.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.227] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.227] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0077.227] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0077.227] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Spectrum\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\spectrum\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.229] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.229] CloseHandle (hObject=0x430) returned 1 [0077.229] GetProcessHeap () returned 0x3a00000 [0077.229] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.229] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Speech_OneCore", cAlternateFileName="SPEECH~1")) returned 1 [0077.230] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Windows") returned -1 [0077.230] lstrcmpiW (lpString1="Speech_OneCore", lpString2="$Recycle.bin") returned 1 [0077.230] lstrcmpiW (lpString1="Speech_OneCore", lpString2="System Volume Information") returned -1 [0077.230] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Program Files") returned 1 [0077.230] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Program Files (x86)") returned 1 [0077.230] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore") returned 43 [0077.230] lstrcmpW (lpString1="Speech_OneCore", lpString2=".") returned 1 [0077.230] lstrcmpW (lpString1="Speech_OneCore", lpString2="..") returned 1 [0077.230] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.230] GetProcessHeap () returned 0x3a00000 [0077.230] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.230] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\*") returned 45 [0077.230] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0077.231] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.231] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.231] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.231] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.231] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.231] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\.") returned 45 [0077.231] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.231] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.231] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.231] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.231] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.231] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.231] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.232] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\..") returned 46 [0077.232] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.232] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.232] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.232] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0077.232] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0077.232] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Speech_OneCore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\speech_onecore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.234] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.235] CloseHandle (hObject=0x430) returned 1 [0077.235] GetProcessHeap () returned 0x3a00000 [0077.235] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.235] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcb4dcad0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb4dcad0, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Storage Health", cAlternateFileName="STORAG~1")) returned 1 [0077.235] lstrcmpiW (lpString1="Storage Health", lpString2="Windows") returned -1 [0077.235] lstrcmpiW (lpString1="Storage Health", lpString2="$Recycle.bin") returned 1 [0077.235] lstrcmpiW (lpString1="Storage Health", lpString2="System Volume Information") returned -1 [0077.235] lstrcmpiW (lpString1="Storage Health", lpString2="Program Files") returned 1 [0077.235] lstrcmpiW (lpString1="Storage Health", lpString2="Program Files (x86)") returned 1 [0077.235] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health") returned 43 [0077.235] lstrcmpW (lpString1="Storage Health", lpString2=".") returned 1 [0077.235] lstrcmpW (lpString1="Storage Health", lpString2="..") returned 1 [0077.235] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.235] GetProcessHeap () returned 0x3a00000 [0077.235] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.235] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\*") returned 45 [0077.235] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcb4dcad0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb4dcad0, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.235] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.235] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.235] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.235] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.236] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.236] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\.") returned 45 [0077.236] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.236] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcb4dcad0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb4dcad0, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.236] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.236] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.236] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.236] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.236] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.236] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\..") returned 46 [0077.236] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.236] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.236] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4dcad0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb4dcad0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x2ab8b28d, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x1571, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageEventsArchive.dat", cAlternateFileName="STORAG~1.DAT")) returned 1 [0077.236] lstrcmpiW (lpString1="StorageEventsArchive.dat", lpString2="Windows") returned -1 [0077.236] lstrcmpiW (lpString1="StorageEventsArchive.dat", lpString2="$Recycle.bin") returned 1 [0077.236] lstrcmpiW (lpString1="StorageEventsArchive.dat", lpString2="System Volume Information") returned -1 [0077.236] lstrcmpiW (lpString1="StorageEventsArchive.dat", lpString2="Program Files") returned 1 [0077.236] lstrcmpiW (lpString1="StorageEventsArchive.dat", lpString2="Program Files (x86)") returned 1 [0077.236] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat") returned 68 [0077.236] StrStrIW (lpFirst="StorageEventsArchive.dat", lpSrch=".ebal") returned 0x0 [0077.236] lstrcmpW (lpString1="StorageEventsArchive.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.236] lstrcmpW (lpString1="StorageEventsArchive.dat", lpString2="taridd") returned -1 [0077.236] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.236] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat" (normalized: "c:\\programdata\\microsoft\\storage health\\storageeventsarchive.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.240] GetTickCount () returned 0x1153a56 [0077.240] GetTickCount () returned 0x1153a56 [0077.240] GetTickCount () returned 0x1153a56 [0077.240] GetTickCount () returned 0x1153a56 [0077.240] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.241] GetProcessHeap () returned 0x3a00000 [0077.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.241] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1571, lpOverlapped=0x0) returned 1 [0077.243] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffea8f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.243] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1571, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1571, lpOverlapped=0x0) returned 1 [0077.243] GetProcessHeap () returned 0x3a00000 [0077.243] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.243] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.243] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.243] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.243] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.243] CloseHandle (hObject=0x434) returned 1 [0077.243] GetProcessHeap () returned 0x3a00000 [0077.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.243] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat_r00t_{8ew5f6}.ebal") returned 87 [0077.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat" (normalized: "c:\\programdata\\microsoft\\storage health\\storageeventsarchive.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageEventsArchive.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\storage health\\storageeventsarchive.dat_r00t_{8ew5f6}.ebal")) returned 1 [0077.244] GetProcessHeap () returned 0x3a00000 [0077.244] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.244] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1375f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageHealthModel.dat", cAlternateFileName="")) returned 1 [0077.244] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Windows") returned -1 [0077.244] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="$Recycle.bin") returned 1 [0077.244] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="System Volume Information") returned -1 [0077.244] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Program Files") returned 1 [0077.244] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Program Files (x86)") returned 1 [0077.244] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageHealthModel.dat") returned 66 [0077.244] StrStrIW (lpFirst="StorageHealthModel.dat", lpSrch=".ebal") returned 0x0 [0077.244] lstrcmpW (lpString1="StorageHealthModel.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.244] lstrcmpW (lpString1="StorageHealthModel.dat", lpString2="taridd") returned -1 [0077.244] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageHealthModel.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.244] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\StorageHealthModel.dat" (normalized: "c:\\programdata\\microsoft\\storage health\\storagehealthmodel.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.245] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1375f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageHealthModel.dat", cAlternateFileName="")) returned 0 [0077.245] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.245] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0077.245] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Storage Health\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\storage health\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.248] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.248] CloseHandle (hObject=0x430) returned 1 [0077.249] GetProcessHeap () returned 0x3a00000 [0077.249] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.249] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UEV", cAlternateFileName="")) returned 1 [0077.249] lstrcmpiW (lpString1="UEV", lpString2="Windows") returned -1 [0077.249] lstrcmpiW (lpString1="UEV", lpString2="$Recycle.bin") returned 1 [0077.249] lstrcmpiW (lpString1="UEV", lpString2="System Volume Information") returned 1 [0077.249] lstrcmpiW (lpString1="UEV", lpString2="Program Files") returned 1 [0077.249] lstrcmpiW (lpString1="UEV", lpString2="Program Files (x86)") returned 1 [0077.249] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV") returned 32 [0077.249] lstrcmpW (lpString1="UEV", lpString2=".") returned 1 [0077.249] lstrcmpW (lpString1="UEV", lpString2="..") returned 1 [0077.249] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.249] GetProcessHeap () returned 0x3a00000 [0077.249] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.249] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\*") returned 34 [0077.249] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.249] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.249] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.249] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.249] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.249] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.249] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\.") returned 34 [0077.249] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.249] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.249] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.249] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.249] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.249] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.249] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.250] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\..") returned 35 [0077.250] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.250] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.250] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="InboxTemplates", cAlternateFileName="INBOXT~1")) returned 1 [0077.250] lstrcmpiW (lpString1="InboxTemplates", lpString2="Windows") returned -1 [0077.250] lstrcmpiW (lpString1="InboxTemplates", lpString2="$Recycle.bin") returned 1 [0077.250] lstrcmpiW (lpString1="InboxTemplates", lpString2="System Volume Information") returned -1 [0077.250] lstrcmpiW (lpString1="InboxTemplates", lpString2="Program Files") returned -1 [0077.250] lstrcmpiW (lpString1="InboxTemplates", lpString2="Program Files (x86)") returned -1 [0077.250] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates") returned 47 [0077.250] lstrcmpW (lpString1="InboxTemplates", lpString2=".") returned 1 [0077.250] lstrcmpW (lpString1="InboxTemplates", lpString2="..") returned 1 [0077.250] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.250] GetProcessHeap () returned 0x3a00000 [0077.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.250] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\*") returned 49 [0077.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0077.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.252] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.252] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\.") returned 49 [0077.252] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.252] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.252] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.252] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.252] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.252] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.252] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.252] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\..") returned 50 [0077.252] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.252] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.252] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf88ddb5, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf88ddb5, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x4771, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DesktopSettings2013.xml", cAlternateFileName="")) returned 1 [0077.253] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Windows") returned -1 [0077.253] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0077.253] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="System Volume Information") returned -1 [0077.253] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Program Files") returned -1 [0077.253] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Program Files (x86)") returned -1 [0077.253] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml") returned 71 [0077.253] StrStrIW (lpFirst="DesktopSettings2013.xml", lpSrch=".ebal") returned 0x0 [0077.253] lstrcmpW (lpString1="DesktopSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.253] lstrcmpW (lpString1="DesktopSettings2013.xml", lpString2="taridd") returned -1 [0077.253] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.253] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\desktopsettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.254] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x173d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="EaseOfAccessSettings2013.xml", cAlternateFileName="")) returned 1 [0077.254] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Windows") returned -1 [0077.254] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0077.254] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="System Volume Information") returned -1 [0077.254] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Program Files") returned -1 [0077.254] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Program Files (x86)") returned -1 [0077.254] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml") returned 76 [0077.254] StrStrIW (lpFirst="EaseOfAccessSettings2013.xml", lpSrch=".ebal") returned 0x0 [0077.254] lstrcmpW (lpString1="EaseOfAccessSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.254] lstrcmpW (lpString1="EaseOfAccessSettings2013.xml", lpString2="taridd") returned -1 [0077.254] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.254] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\easeofaccesssettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.255] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc27, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftInternetExplorer2013.xml", cAlternateFileName="")) returned 1 [0077.255] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Windows") returned -1 [0077.255] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="$Recycle.bin") returned 1 [0077.255] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="System Volume Information") returned -1 [0077.255] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Program Files") returned -1 [0077.255] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Program Files (x86)") returned -1 [0077.255] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml") returned 81 [0077.255] StrStrIW (lpFirst="MicrosoftInternetExplorer2013.xml", lpSrch=".ebal") returned 0x0 [0077.255] lstrcmpW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.255] lstrcmpW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="taridd") returned -1 [0077.255] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftinternetexplorer2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.257] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9eb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftInternetExplorer2013Backup.xml", cAlternateFileName="")) returned 1 [0077.257] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Windows") returned -1 [0077.257] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="$Recycle.bin") returned 1 [0077.257] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="System Volume Information") returned -1 [0077.257] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Program Files") returned -1 [0077.257] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Program Files (x86)") returned -1 [0077.257] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml") returned 87 [0077.257] StrStrIW (lpFirst="MicrosoftInternetExplorer2013Backup.xml", lpSrch=".ebal") returned 0x0 [0077.257] lstrcmpW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.257] lstrcmpW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="taridd") returned -1 [0077.257] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.257] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftinternetexplorer2013backup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.257] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2010.xml", cAlternateFileName="")) returned 1 [0077.257] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Windows") returned -1 [0077.257] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="$Recycle.bin") returned 1 [0077.257] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="System Volume Information") returned -1 [0077.257] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Program Files") returned -1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Program Files (x86)") returned -1 [0077.258] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml") returned 69 [0077.258] StrStrIW (lpFirst="MicrosoftLync2010.xml", lpSrch=".ebal") returned 0x0 [0077.258] lstrcmpW (lpString1="MicrosoftLync2010.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.258] lstrcmpW (lpString1="MicrosoftLync2010.xml", lpString2="taridd") returned -1 [0077.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftlync2010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.258] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2013Win32.xml", cAlternateFileName="")) returned 1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Windows") returned -1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="System Volume Information") returned -1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Program Files") returned -1 [0077.258] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.258] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml") returned 74 [0077.258] StrStrIW (lpFirst="MicrosoftLync2013Win32.xml", lpSrch=".ebal") returned 0x0 [0077.258] lstrcmpW (lpString1="MicrosoftLync2013Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.258] lstrcmpW (lpString1="MicrosoftLync2013Win32.xml", lpString2="taridd") returned -1 [0077.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftlync2013win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.259] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2013Win64.xml", cAlternateFileName="")) returned 1 [0077.259] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Windows") returned -1 [0077.259] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.259] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="System Volume Information") returned -1 [0077.259] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Program Files") returned -1 [0077.259] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.259] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml") returned 74 [0077.259] StrStrIW (lpFirst="MicrosoftLync2013Win64.xml", lpSrch=".ebal") returned 0x0 [0077.259] lstrcmpW (lpString1="MicrosoftLync2013Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.259] lstrcmpW (lpString1="MicrosoftLync2013Win64.xml", lpString2="taridd") returned -1 [0077.259] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.259] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftlync2013win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.259] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftNotepad.xml", cAlternateFileName="")) returned 1 [0077.259] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Windows") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="$Recycle.bin") returned 1 [0077.260] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="System Volume Information") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Program Files") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Program Files (x86)") returned -1 [0077.260] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml") returned 68 [0077.260] StrStrIW (lpFirst="MicrosoftNotepad.xml", lpSrch=".ebal") returned 0x0 [0077.260] lstrcmpW (lpString1="MicrosoftNotepad.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.260] lstrcmpW (lpString1="MicrosoftNotepad.xml", lpString2="taridd") returned -1 [0077.260] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftnotepad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.260] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x11c51, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2010Win32.xml", cAlternateFileName="")) returned 1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Windows") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="System Volume Information") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Program Files") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.260] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml") returned 76 [0077.260] StrStrIW (lpFirst="MicrosoftOffice2010Win32.xml", lpSrch=".ebal") returned 0x0 [0077.260] lstrcmpW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.260] lstrcmpW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="taridd") returned -1 [0077.260] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2010win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.260] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x11c51, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2010Win64.xml", cAlternateFileName="")) returned 1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Windows") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="System Volume Information") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Program Files") returned -1 [0077.260] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.260] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml") returned 76 [0077.260] StrStrIW (lpFirst="MicrosoftOffice2010Win64.xml", lpSrch=".ebal") returned 0x0 [0077.260] lstrcmpW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.261] lstrcmpW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="taridd") returned -1 [0077.261] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.261] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2010win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.261] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013BackupWin32.xml", cAlternateFileName="")) returned 1 [0077.261] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Windows") returned -1 [0077.261] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="$Recycle.bin") returned 1 [0077.261] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="System Volume Information") returned -1 [0077.261] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Program Files") returned -1 [0077.261] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Program Files (x86)") returned -1 [0077.261] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml") returned 82 [0077.261] StrStrIW (lpFirst="MicrosoftOffice2013BackupWin32.xml", lpSrch=".ebal") returned 0x0 [0077.261] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.262] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="taridd") returned -1 [0077.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013backupwin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.262] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013BackupWin64.xml", cAlternateFileName="")) returned 1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Windows") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="$Recycle.bin") returned 1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="System Volume Information") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Program Files") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Program Files (x86)") returned -1 [0077.262] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml") returned 82 [0077.262] StrStrIW (lpFirst="MicrosoftOffice2013BackupWin64.xml", lpSrch=".ebal") returned 0x0 [0077.262] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.262] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="taridd") returned -1 [0077.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013backupwin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.262] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf88ddb5, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf88ddb5, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2964, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Office365Win32.xml", cAlternateFileName="")) returned 1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Windows") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="System Volume Information") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Program Files") returned -1 [0077.262] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.262] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml") returned 85 [0077.262] StrStrIW (lpFirst="MicrosoftOffice2013Office365Win32.xml", lpSrch=".ebal") returned 0x0 [0077.262] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.262] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="taridd") returned -1 [0077.263] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.263] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013office365win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.263] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2964, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Office365Win64.xml", cAlternateFileName="")) returned 1 [0077.263] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Windows") returned -1 [0077.263] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.263] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="System Volume Information") returned -1 [0077.263] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Program Files") returned -1 [0077.263] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml") returned 85 [0077.263] StrStrIW (lpFirst="MicrosoftOffice2013Office365Win64.xml", lpSrch=".ebal") returned 0x0 [0077.263] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.263] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="taridd") returned -1 [0077.263] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.263] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013office365win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.264] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10b0f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Win32.xml", cAlternateFileName="")) returned 1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Windows") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="System Volume Information") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Program Files") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml") returned 76 [0077.264] StrStrIW (lpFirst="MicrosoftOffice2013Win32.xml", lpSrch=".ebal") returned 0x0 [0077.264] lstrcmpW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.264] lstrcmpW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="taridd") returned -1 [0077.264] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.264] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.264] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10b0f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Win64.xml", cAlternateFileName="")) returned 1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Windows") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="System Volume Information") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Program Files") returned -1 [0077.264] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml") returned 76 [0077.264] StrStrIW (lpFirst="MicrosoftOffice2013Win64.xml", lpSrch=".ebal") returned 0x0 [0077.264] lstrcmpW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.264] lstrcmpW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="taridd") returned -1 [0077.264] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.264] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.265] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016BackupWin32.xml", cAlternateFileName="")) returned 1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Windows") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="$Recycle.bin") returned 1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="System Volume Information") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Program Files") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Program Files (x86)") returned -1 [0077.265] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml") returned 82 [0077.265] StrStrIW (lpFirst="MicrosoftOffice2016BackupWin32.xml", lpSrch=".ebal") returned 0x0 [0077.265] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.265] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="taridd") returned -1 [0077.265] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016backupwin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.265] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016BackupWin64.xml", cAlternateFileName="")) returned 1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Windows") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="$Recycle.bin") returned 1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="System Volume Information") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Program Files") returned -1 [0077.265] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Program Files (x86)") returned -1 [0077.265] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml") returned 82 [0077.265] StrStrIW (lpFirst="MicrosoftOffice2016BackupWin64.xml", lpSrch=".ebal") returned 0x0 [0077.265] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.265] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="taridd") returned -1 [0077.265] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.265] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016backupwin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.266] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x100c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016Win32.xml", cAlternateFileName="")) returned 1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Windows") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="System Volume Information") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Program Files") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.266] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml") returned 76 [0077.266] StrStrIW (lpFirst="MicrosoftOffice2016Win32.xml", lpSrch=".ebal") returned 0x0 [0077.266] lstrcmpW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.266] lstrcmpW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="taridd") returned -1 [0077.266] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.266] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x100c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016Win64.xml", cAlternateFileName="")) returned 1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Windows") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="System Volume Information") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Program Files") returned -1 [0077.266] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.266] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml") returned 76 [0077.267] StrStrIW (lpFirst="MicrosoftOffice2016Win64.xml", lpSrch=".ebal") returned 0x0 [0077.267] lstrcmpW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.267] lstrcmpW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="taridd") returned -1 [0077.267] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.267] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.268] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2013CAWin32.xml", cAlternateFileName="")) returned 1 [0077.268] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Windows") returned -1 [0077.268] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="$Recycle.bin") returned 1 [0077.268] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="System Volume Information") returned -1 [0077.268] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Program Files") returned -1 [0077.268] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Program Files (x86)") returned -1 [0077.268] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml") returned 79 [0077.268] StrStrIW (lpFirst="MicrosoftOutlook2013CAWin32.xml", lpSrch=".ebal") returned 0x0 [0077.268] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.268] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="taridd") returned -1 [0077.268] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2013cawin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.269] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2013CAWin64.xml", cAlternateFileName="")) returned 1 [0077.269] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Windows") returned -1 [0077.269] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="$Recycle.bin") returned 1 [0077.269] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="System Volume Information") returned -1 [0077.269] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Program Files") returned -1 [0077.269] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Program Files (x86)") returned -1 [0077.269] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml") returned 79 [0077.269] StrStrIW (lpFirst="MicrosoftOutlook2013CAWin64.xml", lpSrch=".ebal") returned 0x0 [0077.269] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.269] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="taridd") returned -1 [0077.269] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2013cawin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.270] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x509, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2016CAWin32.xml", cAlternateFileName="")) returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Windows") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="$Recycle.bin") returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="System Volume Information") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Program Files") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Program Files (x86)") returned -1 [0077.270] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml") returned 79 [0077.270] StrStrIW (lpFirst="MicrosoftOutlook2016CAWin32.xml", lpSrch=".ebal") returned 0x0 [0077.270] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.270] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="taridd") returned -1 [0077.270] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2016cawin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.270] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x509, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2016CAWin64.xml", cAlternateFileName="")) returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Windows") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="$Recycle.bin") returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="System Volume Information") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Program Files") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Program Files (x86)") returned -1 [0077.270] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml") returned 79 [0077.270] StrStrIW (lpFirst="MicrosoftOutlook2016CAWin64.xml", lpSrch=".ebal") returned 0x0 [0077.270] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.270] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="taridd") returned -1 [0077.270] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.270] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2016cawin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.270] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftSkypeForBusiness2016Win32.xml", cAlternateFileName="")) returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Windows") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="$Recycle.bin") returned 1 [0077.270] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="System Volume Information") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Program Files") returned -1 [0077.270] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Program Files (x86)") returned -1 [0077.271] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml") returned 86 [0077.271] StrStrIW (lpFirst="MicrosoftSkypeForBusiness2016Win32.xml", lpSrch=".ebal") returned 0x0 [0077.271] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.271] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="taridd") returned -1 [0077.271] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftskypeforbusiness2016win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.271] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftSkypeForBusiness2016Win64.xml", cAlternateFileName="")) returned 1 [0077.271] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Windows") returned -1 [0077.271] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="$Recycle.bin") returned 1 [0077.271] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="System Volume Information") returned -1 [0077.271] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Program Files") returned -1 [0077.271] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Program Files (x86)") returned -1 [0077.271] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml") returned 86 [0077.271] StrStrIW (lpFirst="MicrosoftSkypeForBusiness2016Win64.xml", lpSrch=".ebal") returned 0x0 [0077.271] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.271] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="taridd") returned -1 [0077.271] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.271] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftskypeforbusiness2016win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.272] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftWordpad.xml", cAlternateFileName="")) returned 1 [0077.272] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Windows") returned -1 [0077.272] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="$Recycle.bin") returned 1 [0077.272] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="System Volume Information") returned -1 [0077.272] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Program Files") returned -1 [0077.272] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Program Files (x86)") returned -1 [0077.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml") returned 68 [0077.272] StrStrIW (lpFirst="MicrosoftWordpad.xml", lpSrch=".ebal") returned 0x0 [0077.272] lstrcmpW (lpString1="MicrosoftWordpad.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.272] lstrcmpW (lpString1="MicrosoftWordpad.xml", lpString2="taridd") returned -1 [0077.272] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\microsoftwordpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.272] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x85f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NetworkPrinters.xml", cAlternateFileName="")) returned 1 [0077.272] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Windows") returned -1 [0077.272] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="$Recycle.bin") returned 1 [0077.272] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="System Volume Information") returned -1 [0077.272] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Program Files") returned -1 [0077.272] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Program Files (x86)") returned -1 [0077.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml") returned 67 [0077.272] StrStrIW (lpFirst="NetworkPrinters.xml", lpSrch=".ebal") returned 0x0 [0077.272] lstrcmpW (lpString1="NetworkPrinters.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.272] lstrcmpW (lpString1="NetworkPrinters.xml", lpString2="taridd") returned -1 [0077.272] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\networkprinters.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.278] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd59, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RoamingCredentialSettings.xml", cAlternateFileName="")) returned 1 [0077.278] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Windows") returned -1 [0077.278] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="$Recycle.bin") returned 1 [0077.279] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="System Volume Information") returned -1 [0077.279] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Program Files") returned 1 [0077.279] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Program Files (x86)") returned 1 [0077.279] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml") returned 77 [0077.279] StrStrIW (lpFirst="RoamingCredentialSettings.xml", lpSrch=".ebal") returned 0x0 [0077.279] lstrcmpW (lpString1="RoamingCredentialSettings.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.279] lstrcmpW (lpString1="RoamingCredentialSettings.xml", lpString2="taridd") returned -1 [0077.279] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.279] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\roamingcredentialsettings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.334] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ThemeSettings2013.xml", cAlternateFileName="")) returned 1 [0077.334] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Windows") returned -1 [0077.334] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0077.334] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="System Volume Information") returned 1 [0077.334] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Program Files") returned 1 [0077.334] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Program Files (x86)") returned 1 [0077.334] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml") returned 69 [0077.334] StrStrIW (lpFirst="ThemeSettings2013.xml", lpSrch=".ebal") returned 0x0 [0077.334] lstrcmpW (lpString1="ThemeSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.334] lstrcmpW (lpString1="ThemeSettings2013.xml", lpString2="taridd") returned 1 [0077.334] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.334] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\themesettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.399] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VdiState.xml", cAlternateFileName="")) returned 1 [0077.399] lstrcmpiW (lpString1="VdiState.xml", lpString2="Windows") returned -1 [0077.399] lstrcmpiW (lpString1="VdiState.xml", lpString2="$Recycle.bin") returned 1 [0077.399] lstrcmpiW (lpString1="VdiState.xml", lpString2="System Volume Information") returned 1 [0077.399] lstrcmpiW (lpString1="VdiState.xml", lpString2="Program Files") returned 1 [0077.399] lstrcmpiW (lpString1="VdiState.xml", lpString2="Program Files (x86)") returned 1 [0077.399] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml") returned 60 [0077.399] StrStrIW (lpFirst="VdiState.xml", lpSrch=".ebal") returned 0x0 [0077.399] lstrcmpW (lpString1="VdiState.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.399] lstrcmpW (lpString1="VdiState.xml", lpString2="taridd") returned 1 [0077.399] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.399] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\vdistate.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.420] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VdiState.xml", cAlternateFileName="")) returned 0 [0077.420] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0077.421] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0077.421] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\InboxTemplates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\uev\\inboxtemplates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.424] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.425] CloseHandle (hObject=0x434) returned 1 [0077.425] GetProcessHeap () returned 0x3a00000 [0077.425] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.425] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Scripts", cAlternateFileName="")) returned 1 [0077.425] lstrcmpiW (lpString1="Scripts", lpString2="Windows") returned -1 [0077.425] lstrcmpiW (lpString1="Scripts", lpString2="$Recycle.bin") returned 1 [0077.425] lstrcmpiW (lpString1="Scripts", lpString2="System Volume Information") returned -1 [0077.426] lstrcmpiW (lpString1="Scripts", lpString2="Program Files") returned 1 [0077.426] lstrcmpiW (lpString1="Scripts", lpString2="Program Files (x86)") returned 1 [0077.426] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts") returned 40 [0077.426] lstrcmpW (lpString1="Scripts", lpString2=".") returned 1 [0077.426] lstrcmpW (lpString1="Scripts", lpString2="..") returned 1 [0077.426] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.426] GetProcessHeap () returned 0x3a00000 [0077.426] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.426] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\*") returned 42 [0077.426] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0077.426] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.426] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.426] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.426] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.426] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.426] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\.") returned 42 [0077.426] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.426] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.426] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.426] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.426] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.426] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.426] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.426] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\..") returned 43 [0077.426] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.426] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.426] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RegisterInboxTemplates.ps1", cAlternateFileName="")) returned 1 [0077.427] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Windows") returned -1 [0077.427] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="$Recycle.bin") returned 1 [0077.427] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="System Volume Information") returned -1 [0077.427] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Program Files") returned 1 [0077.427] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Program Files (x86)") returned 1 [0077.427] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1") returned 67 [0077.427] StrStrIW (lpFirst="RegisterInboxTemplates.ps1", lpSrch=".ebal") returned 0x0 [0077.427] lstrcmpW (lpString1="RegisterInboxTemplates.ps1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.427] lstrcmpW (lpString1="RegisterInboxTemplates.ps1", lpString2="taridd") returned -1 [0077.427] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.427] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1" (normalized: "c:\\programdata\\microsoft\\uev\\scripts\\registerinboxtemplates.ps1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.429] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RegisterInboxTemplates.ps1", cAlternateFileName="")) returned 0 [0077.429] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0077.429] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0077.429] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Scripts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\uev\\scripts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.430] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.431] CloseHandle (hObject=0x434) returned 1 [0077.431] GetProcessHeap () returned 0x3a00000 [0077.431] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.431] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0077.431] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0077.431] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0077.431] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0077.431] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0077.432] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0077.432] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates") returned 42 [0077.432] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0077.432] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0077.432] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.432] GetProcessHeap () returned 0x3a00000 [0077.432] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.432] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\*") returned 44 [0077.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0077.432] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.432] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.432] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.432] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.432] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.432] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\.") returned 44 [0077.432] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.432] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.432] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.432] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.432] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.432] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.432] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.432] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\..") returned 45 [0077.432] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.432] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.432] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x25ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate.xsd", cAlternateFileName="")) returned 1 [0077.432] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Windows") returned -1 [0077.433] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="$Recycle.bin") returned 1 [0077.433] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="System Volume Information") returned -1 [0077.433] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Program Files") returned 1 [0077.433] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Program Files (x86)") returned 1 [0077.433] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd") returned 71 [0077.433] StrStrIW (lpFirst="SettingsLocationTemplate.xsd", lpSrch=".ebal") returned 0x0 [0077.433] lstrcmpW (lpString1="SettingsLocationTemplate.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.433] lstrcmpW (lpString1="SettingsLocationTemplate.xsd", lpString2="taridd") returned -1 [0077.433] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd" (normalized: "c:\\programdata\\microsoft\\uev\\templates\\settingslocationtemplate.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.434] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2c20, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013.xsd", cAlternateFileName="")) returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Windows") returned -1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="$Recycle.bin") returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="System Volume Information") returned -1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Program Files") returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Program Files (x86)") returned 1 [0077.434] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd") returned 75 [0077.434] StrStrIW (lpFirst="SettingsLocationTemplate2013.xsd", lpSrch=".ebal") returned 0x0 [0077.434] lstrcmpW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.434] lstrcmpW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="taridd") returned -1 [0077.434] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.434] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd" (normalized: "c:\\programdata\\microsoft\\uev\\templates\\settingslocationtemplate2013.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.434] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3724, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013A.xsd", cAlternateFileName="")) returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Windows") returned -1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="$Recycle.bin") returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="System Volume Information") returned -1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Program Files") returned 1 [0077.434] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Program Files (x86)") returned 1 [0077.434] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd") returned 76 [0077.434] StrStrIW (lpFirst="SettingsLocationTemplate2013A.xsd", lpSrch=".ebal") returned 0x0 [0077.434] lstrcmpW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.434] lstrcmpW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="taridd") returned -1 [0077.437] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd" (normalized: "c:\\programdata\\microsoft\\uev\\templates\\settingslocationtemplate2013a.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.437] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3724, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013A.xsd", cAlternateFileName="")) returned 0 [0077.437] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0077.437] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0077.437] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\Templates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\uev\\templates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.439] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.440] CloseHandle (hObject=0x434) returned 1 [0077.440] GetProcessHeap () returned 0x3a00000 [0077.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.440] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0077.440] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.440] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0077.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\UEV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\uev\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.442] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.443] CloseHandle (hObject=0x430) returned 1 [0077.443] GetProcessHeap () returned 0x3a00000 [0077.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.443] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbaae4059, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xbaae4059, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0077.444] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0077.444] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0077.444] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0077.444] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0077.444] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0077.444] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures") returned 50 [0077.444] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0077.444] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0077.444] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.444] GetProcessHeap () returned 0x3a00000 [0077.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.444] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*") returned 52 [0077.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbaae4059, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xbaae4059, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0077.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.444] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.444] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.444] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.444] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.444] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\.") returned 52 [0077.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.444] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbaae4059, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xbaae4059, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.444] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.444] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\..") returned 53 [0077.444] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.444] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.444] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4ecc15f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa4ecc15f, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa4ecc15f, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x930d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Default User.dat", cAlternateFileName="DEFAUL~1.DAT")) returned 1 [0077.445] lstrcmpiW (lpString1="Default User.dat", lpString2="Windows") returned -1 [0077.445] lstrcmpiW (lpString1="Default User.dat", lpString2="$Recycle.bin") returned 1 [0077.445] lstrcmpiW (lpString1="Default User.dat", lpString2="System Volume Information") returned -1 [0077.445] lstrcmpiW (lpString1="Default User.dat", lpString2="Program Files") returned -1 [0077.445] lstrcmpiW (lpString1="Default User.dat", lpString2="Program Files (x86)") returned -1 [0077.445] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat") returned 67 [0077.445] StrStrIW (lpFirst="Default User.dat", lpSrch=".ebal") returned 0x0 [0077.445] lstrcmpW (lpString1="Default User.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.445] lstrcmpW (lpString1="Default User.dat", lpString2="taridd") returned -1 [0077.445] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default user.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] GetTickCount () returned 0x1153b21 [0077.446] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.446] GetProcessHeap () returned 0x3a00000 [0077.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.446] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.448] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.448] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.448] GetProcessHeap () returned 0x3a00000 [0077.448] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.448] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.449] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.450] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.450] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.451] CloseHandle (hObject=0x434) returned 1 [0077.451] GetProcessHeap () returned 0x3a00000 [0077.451] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.451] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat_r00t_{8ew5f6}.ebal") returned 86 [0077.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default user.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\Default User.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\default user.dat_r00t_{8ew5f6}.ebal")) returned 1 [0077.451] GetProcessHeap () returned 0x3a00000 [0077.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.451] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37896d36, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37896d36, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x37896d36, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="FD1HVy.dat", cAlternateFileName="")) returned 1 [0077.452] lstrcmpiW (lpString1="FD1HVy.dat", lpString2="Windows") returned -1 [0077.452] lstrcmpiW (lpString1="FD1HVy.dat", lpString2="$Recycle.bin") returned 1 [0077.452] lstrcmpiW (lpString1="FD1HVy.dat", lpString2="System Volume Information") returned -1 [0077.452] lstrcmpiW (lpString1="FD1HVy.dat", lpString2="Program Files") returned -1 [0077.452] lstrcmpiW (lpString1="FD1HVy.dat", lpString2="Program Files (x86)") returned -1 [0077.452] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat") returned 61 [0077.452] StrStrIW (lpFirst="FD1HVy.dat", lpSrch=".ebal") returned 0x0 [0077.452] lstrcmpW (lpString1="FD1HVy.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.452] lstrcmpW (lpString1="FD1HVy.dat", lpString2="taridd") returned -1 [0077.452] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.452] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\fd1hvy.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.453] GetTickCount () returned 0x1153b31 [0077.453] GetTickCount () returned 0x1153b31 [0077.453] GetTickCount () returned 0x1153b31 [0077.453] GetTickCount () returned 0x1153b31 [0077.453] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.453] GetProcessHeap () returned 0x3a00000 [0077.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.453] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x0, lpOverlapped=0x0) returned 1 [0077.453] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.453] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x0, lpOverlapped=0x0) returned 1 [0077.453] GetProcessHeap () returned 0x3a00000 [0077.453] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.453] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.453] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.454] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.454] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.454] CloseHandle (hObject=0x434) returned 1 [0077.454] GetProcessHeap () returned 0x3a00000 [0077.454] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.454] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat_r00t_{8ew5f6}.ebal") returned 80 [0077.454] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat" (normalized: "c:\\programdata\\microsoft\\user account pictures\\fd1hvy.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\FD1HVy.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\fd1hvy.dat_r00t_{8ew5f6}.ebal")) returned 1 [0077.455] GetProcessHeap () returned 0x3a00000 [0077.455] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.455] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="guest.bmp", cAlternateFileName="")) returned 1 [0077.455] lstrcmpiW (lpString1="guest.bmp", lpString2="Windows") returned -1 [0077.455] lstrcmpiW (lpString1="guest.bmp", lpString2="$Recycle.bin") returned 1 [0077.455] lstrcmpiW (lpString1="guest.bmp", lpString2="System Volume Information") returned -1 [0077.455] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files") returned -1 [0077.455] lstrcmpiW (lpString1="guest.bmp", lpString2="Program Files (x86)") returned -1 [0077.455] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp") returned 60 [0077.455] StrStrIW (lpFirst="guest.bmp", lpSrch=".ebal") returned 0x0 [0077.455] lstrcmpW (lpString1="guest.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.455] lstrcmpW (lpString1="guest.bmp", lpString2="taridd") returned -1 [0077.455] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.456] GetTickCount () returned 0x1153b31 [0077.456] GetTickCount () returned 0x1153b31 [0077.456] GetTickCount () returned 0x1153b31 [0077.456] GetTickCount () returned 0x1153b31 [0077.456] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.456] GetProcessHeap () returned 0x3a00000 [0077.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.457] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.458] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.458] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.458] GetProcessHeap () returned 0x3a00000 [0077.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.458] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.458] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.460] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.460] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.460] CloseHandle (hObject=0x434) returned 1 [0077.461] GetProcessHeap () returned 0x3a00000 [0077.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.461] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp_r00t_{8ew5f6}.ebal") returned 79 [0077.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.bmp_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.bmp_r00t_{8ew5f6}.ebal")) returned 1 [0077.461] GetProcessHeap () returned 0x3a00000 [0077.461] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.461] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="guest.png", cAlternateFileName="")) returned 1 [0077.461] lstrcmpiW (lpString1="guest.png", lpString2="Windows") returned -1 [0077.461] lstrcmpiW (lpString1="guest.png", lpString2="$Recycle.bin") returned 1 [0077.461] lstrcmpiW (lpString1="guest.png", lpString2="System Volume Information") returned -1 [0077.461] lstrcmpiW (lpString1="guest.png", lpString2="Program Files") returned -1 [0077.461] lstrcmpiW (lpString1="guest.png", lpString2="Program Files (x86)") returned -1 [0077.461] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png") returned 60 [0077.461] StrStrIW (lpFirst="guest.png", lpSrch=".ebal") returned 0x0 [0077.461] lstrcmpW (lpString1="guest.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.461] lstrcmpW (lpString1="guest.png", lpString2="taridd") returned -1 [0077.462] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.462] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] GetTickCount () returned 0x1153b31 [0077.462] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.462] GetProcessHeap () returned 0x3a00000 [0077.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.462] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1518, lpOverlapped=0x0) returned 1 [0077.471] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffeae8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.471] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1518, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1518, lpOverlapped=0x0) returned 1 [0077.471] GetProcessHeap () returned 0x3a00000 [0077.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.471] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.471] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.471] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.471] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.471] CloseHandle (hObject=0x434) returned 1 [0077.471] GetProcessHeap () returned 0x3a00000 [0077.471] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.471] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png_r00t_{8ew5f6}.ebal") returned 79 [0077.471] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\guest.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\guest.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.472] GetProcessHeap () returned 0x3a00000 [0077.472] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.472] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x967, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-192.png", cAlternateFileName="")) returned 1 [0077.472] lstrcmpiW (lpString1="user-192.png", lpString2="Windows") returned -1 [0077.472] lstrcmpiW (lpString1="user-192.png", lpString2="$Recycle.bin") returned 1 [0077.472] lstrcmpiW (lpString1="user-192.png", lpString2="System Volume Information") returned 1 [0077.472] lstrcmpiW (lpString1="user-192.png", lpString2="Program Files") returned 1 [0077.472] lstrcmpiW (lpString1="user-192.png", lpString2="Program Files (x86)") returned 1 [0077.472] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png") returned 63 [0077.472] StrStrIW (lpFirst="user-192.png", lpSrch=".ebal") returned 0x0 [0077.472] lstrcmpW (lpString1="user-192.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.472] lstrcmpW (lpString1="user-192.png", lpString2="taridd") returned 1 [0077.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.476] GetTickCount () returned 0x1153b40 [0077.476] GetTickCount () returned 0x1153b40 [0077.476] GetTickCount () returned 0x1153b40 [0077.476] GetTickCount () returned 0x1153b40 [0077.476] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.476] GetProcessHeap () returned 0x3a00000 [0077.476] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.476] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x967, lpOverlapped=0x0) returned 1 [0077.480] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff699, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.480] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x967, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x967, lpOverlapped=0x0) returned 1 [0077.480] GetProcessHeap () returned 0x3a00000 [0077.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.480] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.480] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.480] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.480] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.480] CloseHandle (hObject=0x434) returned 1 [0077.480] GetProcessHeap () returned 0x3a00000 [0077.480] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.480] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png_r00t_{8ew5f6}.ebal") returned 82 [0077.481] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-192.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-192.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.481] GetProcessHeap () returned 0x3a00000 [0077.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.481] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-32.png", cAlternateFileName="")) returned 1 [0077.481] lstrcmpiW (lpString1="user-32.png", lpString2="Windows") returned -1 [0077.481] lstrcmpiW (lpString1="user-32.png", lpString2="$Recycle.bin") returned 1 [0077.481] lstrcmpiW (lpString1="user-32.png", lpString2="System Volume Information") returned 1 [0077.482] lstrcmpiW (lpString1="user-32.png", lpString2="Program Files") returned 1 [0077.482] lstrcmpiW (lpString1="user-32.png", lpString2="Program Files (x86)") returned 1 [0077.482] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png") returned 62 [0077.482] StrStrIW (lpFirst="user-32.png", lpSrch=".ebal") returned 0x0 [0077.482] lstrcmpW (lpString1="user-32.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.482] lstrcmpW (lpString1="user-32.png", lpString2="taridd") returned 1 [0077.482] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.483] GetTickCount () returned 0x1153b50 [0077.483] GetTickCount () returned 0x1153b50 [0077.483] GetTickCount () returned 0x1153b50 [0077.483] GetTickCount () returned 0x1153b50 [0077.483] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.483] GetProcessHeap () returned 0x3a00000 [0077.483] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.483] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x19f, lpOverlapped=0x0) returned 1 [0077.484] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffe61, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.484] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x19f, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x19f, lpOverlapped=0x0) returned 1 [0077.484] GetProcessHeap () returned 0x3a00000 [0077.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.484] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.484] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.486] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.486] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.486] CloseHandle (hObject=0x434) returned 1 [0077.486] GetProcessHeap () returned 0x3a00000 [0077.486] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.487] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png_r00t_{8ew5f6}.ebal") returned 81 [0077.487] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-32.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-32.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.487] GetProcessHeap () returned 0x3a00000 [0077.487] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.487] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-40.png", cAlternateFileName="")) returned 1 [0077.487] lstrcmpiW (lpString1="user-40.png", lpString2="Windows") returned -1 [0077.487] lstrcmpiW (lpString1="user-40.png", lpString2="$Recycle.bin") returned 1 [0077.487] lstrcmpiW (lpString1="user-40.png", lpString2="System Volume Information") returned 1 [0077.487] lstrcmpiW (lpString1="user-40.png", lpString2="Program Files") returned 1 [0077.487] lstrcmpiW (lpString1="user-40.png", lpString2="Program Files (x86)") returned 1 [0077.487] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png") returned 62 [0077.487] StrStrIW (lpFirst="user-40.png", lpSrch=".ebal") returned 0x0 [0077.487] lstrcmpW (lpString1="user-40.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.487] lstrcmpW (lpString1="user-40.png", lpString2="taridd") returned 1 [0077.487] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.488] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.488] GetTickCount () returned 0x1153b50 [0077.488] GetTickCount () returned 0x1153b50 [0077.488] GetTickCount () returned 0x1153b50 [0077.488] GetTickCount () returned 0x1153b50 [0077.488] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.488] GetProcessHeap () returned 0x3a00000 [0077.488] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.488] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1b1, lpOverlapped=0x0) returned 1 [0077.490] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffe4f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.490] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1b1, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1b1, lpOverlapped=0x0) returned 1 [0077.490] GetProcessHeap () returned 0x3a00000 [0077.490] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.490] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.490] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.491] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.491] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.491] CloseHandle (hObject=0x434) returned 1 [0077.491] GetProcessHeap () returned 0x3a00000 [0077.491] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.491] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png_r00t_{8ew5f6}.ebal") returned 81 [0077.491] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-40.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-40.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.492] GetProcessHeap () returned 0x3a00000 [0077.492] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.492] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-48.png", cAlternateFileName="")) returned 1 [0077.492] lstrcmpiW (lpString1="user-48.png", lpString2="Windows") returned -1 [0077.492] lstrcmpiW (lpString1="user-48.png", lpString2="$Recycle.bin") returned 1 [0077.492] lstrcmpiW (lpString1="user-48.png", lpString2="System Volume Information") returned 1 [0077.492] lstrcmpiW (lpString1="user-48.png", lpString2="Program Files") returned 1 [0077.492] lstrcmpiW (lpString1="user-48.png", lpString2="Program Files (x86)") returned 1 [0077.492] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png") returned 62 [0077.492] StrStrIW (lpFirst="user-48.png", lpSrch=".ebal") returned 0x0 [0077.492] lstrcmpW (lpString1="user-48.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.492] lstrcmpW (lpString1="user-48.png", lpString2="taridd") returned 1 [0077.492] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.493] GetTickCount () returned 0x1153b50 [0077.493] GetTickCount () returned 0x1153b50 [0077.493] GetTickCount () returned 0x1153b50 [0077.493] GetTickCount () returned 0x1153b50 [0077.493] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.493] GetProcessHeap () returned 0x3a00000 [0077.493] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.493] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1f5, lpOverlapped=0x0) returned 1 [0077.494] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffe0b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.494] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1f5, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1f5, lpOverlapped=0x0) returned 1 [0077.494] GetProcessHeap () returned 0x3a00000 [0077.494] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.494] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.494] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.495] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.495] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.495] CloseHandle (hObject=0x434) returned 1 [0077.495] GetProcessHeap () returned 0x3a00000 [0077.495] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.496] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png_r00t_{8ew5f6}.ebal") returned 81 [0077.496] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user-48.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user-48.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.496] GetProcessHeap () returned 0x3a00000 [0077.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.496] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x93038, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.bmp", cAlternateFileName="")) returned 1 [0077.496] lstrcmpiW (lpString1="user.bmp", lpString2="Windows") returned -1 [0077.496] lstrcmpiW (lpString1="user.bmp", lpString2="$Recycle.bin") returned 1 [0077.496] lstrcmpiW (lpString1="user.bmp", lpString2="System Volume Information") returned 1 [0077.496] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files") returned 1 [0077.496] lstrcmpiW (lpString1="user.bmp", lpString2="Program Files (x86)") returned 1 [0077.496] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp") returned 59 [0077.496] StrStrIW (lpFirst="user.bmp", lpSrch=".ebal") returned 0x0 [0077.496] lstrcmpW (lpString1="user.bmp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.496] lstrcmpW (lpString1="user.bmp", lpString2="taridd") returned 1 [0077.496] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.497] GetTickCount () returned 0x1153b5f [0077.497] GetTickCount () returned 0x1153b5f [0077.497] GetTickCount () returned 0x1153b5f [0077.497] GetTickCount () returned 0x1153b5f [0077.497] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.497] GetProcessHeap () returned 0x3a00000 [0077.497] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.497] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.499] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.499] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0077.499] GetProcessHeap () returned 0x3a00000 [0077.499] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.499] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.499] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.501] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.501] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.501] CloseHandle (hObject=0x434) returned 1 [0077.502] GetProcessHeap () returned 0x3a00000 [0077.502] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.502] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp_r00t_{8ew5f6}.ebal") returned 78 [0077.502] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.bmp_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.bmp_r00t_{8ew5f6}.ebal")) returned 1 [0077.502] GetProcessHeap () returned 0x3a00000 [0077.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.502] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.png", cAlternateFileName="")) returned 1 [0077.502] lstrcmpiW (lpString1="user.png", lpString2="Windows") returned -1 [0077.502] lstrcmpiW (lpString1="user.png", lpString2="$Recycle.bin") returned 1 [0077.502] lstrcmpiW (lpString1="user.png", lpString2="System Volume Information") returned 1 [0077.502] lstrcmpiW (lpString1="user.png", lpString2="Program Files") returned 1 [0077.502] lstrcmpiW (lpString1="user.png", lpString2="Program Files (x86)") returned 1 [0077.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png") returned 59 [0077.502] StrStrIW (lpFirst="user.png", lpSrch=".ebal") returned 0x0 [0077.503] lstrcmpW (lpString1="user.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.503] lstrcmpW (lpString1="user.png", lpString2="taridd") returned 1 [0077.503] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] GetTickCount () returned 0x1153b5f [0077.503] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0077.503] GetProcessHeap () returned 0x3a00000 [0077.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.503] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1518, lpOverlapped=0x0) returned 1 [0077.504] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffeae8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.504] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1518, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1518, lpOverlapped=0x0) returned 1 [0077.504] GetProcessHeap () returned 0x3a00000 [0077.504] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.504] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.504] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0077.504] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0077.505] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0077.505] CloseHandle (hObject=0x434) returned 1 [0077.505] GetProcessHeap () returned 0x3a00000 [0077.505] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.505] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png_r00t_{8ew5f6}.ebal") returned 78 [0077.505] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\user.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\user account pictures\\user.png_r00t_{8ew5f6}.ebal")) returned 1 [0077.509] GetProcessHeap () returned 0x3a00000 [0077.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.509] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5ed1465, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1518, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.png", cAlternateFileName="")) returned 0 [0077.509] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0077.509] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0077.509] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\user account pictures\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.510] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.510] CloseHandle (hObject=0x430) returned 1 [0077.511] GetProcessHeap () returned 0x3a00000 [0077.511] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.511] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x448126f7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Vault", cAlternateFileName="")) returned 1 [0077.511] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0077.511] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0077.511] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0077.511] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0077.511] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0077.511] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault") returned 34 [0077.511] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0077.511] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0077.511] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.511] GetProcessHeap () returned 0x3a00000 [0077.511] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.511] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*") returned 36 [0077.511] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x448126f7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.511] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.511] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.511] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.511] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.511] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.511] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\.") returned 36 [0077.511] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.511] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x448126f7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.511] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.511] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.512] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.512] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.512] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.512] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\..") returned 37 [0077.512] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.512] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.512] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1 [0077.512] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Windows") returned -1 [0077.512] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="$Recycle.bin") returned 1 [0077.512] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="System Volume Information") returned -1 [0077.512] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Program Files") returned -1 [0077.512] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Program Files (x86)") returned -1 [0077.512] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 71 [0077.512] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2=".") returned 1 [0077.512] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="..") returned 1 [0077.512] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.512] GetProcessHeap () returned 0x3a00000 [0077.512] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.512] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*") returned 73 [0077.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0077.512] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.512] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.512] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.512] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.512] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.531] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\.") returned 73 [0077.531] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.531] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.531] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.532] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\..") returned 74 [0077.532] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.532] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", cAlternateFileName="154E23~1.VSC")) returned 1 [0077.532] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="Windows") returned -1 [0077.532] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="$Recycle.bin") returned 1 [0077.532] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="System Volume Information") returned -1 [0077.532] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="Program Files") returned -1 [0077.532] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="Program Files (x86)") returned -1 [0077.532] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch") returned 113 [0077.532] StrStrIW (lpFirst="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpSrch=".ebal") returned 0x0 [0077.532] lstrcmpW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.532] lstrcmpW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch", lpString2="taridd") returned -1 [0077.532] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-506", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.532] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.533] GetTickCount () returned 0x1153b7f [0077.533] GetTickCount () returned 0x1153b7f [0077.533] GetTickCount () returned 0x1153b7f [0077.533] GetTickCount () returned 0x1153b7f [0077.533] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.533] GetProcessHeap () returned 0x3a00000 [0077.533] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.533] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x9e, lpOverlapped=0x0) returned 1 [0077.534] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff62, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.534] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x9e, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x9e, lpOverlapped=0x0) returned 1 [0077.541] GetProcessHeap () returned 0x3a00000 [0077.542] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.542] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.542] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.547] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.547] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.547] CloseHandle (hObject=0x438) returned 1 [0077.547] GetProcessHeap () returned 0x3a00000 [0077.547] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.547] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal") returned 132 [0077.547] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\154e23d0-c644-4e6f-8ce6-5069272f999f.vsch_r00t_{8ew5f6}.ebal")) returned 1 [0077.548] GetProcessHeap () returned 0x3a00000 [0077.548] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.548] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x6e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", cAlternateFileName="2F1A65~1.VSC")) returned 1 [0077.548] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="Windows") returned -1 [0077.548] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="$Recycle.bin") returned 1 [0077.548] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="System Volume Information") returned -1 [0077.548] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="Program Files") returned -1 [0077.548] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="Program Files (x86)") returned -1 [0077.549] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch") returned 113 [0077.549] StrStrIW (lpFirst="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpSrch=".ebal") returned 0x0 [0077.549] lstrcmpW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.549] lstrcmpW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch", lpString2="taridd") returned -1 [0077.549] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-361", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.549] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.549] GetTickCount () returned 0x1153b8e [0077.549] GetTickCount () returned 0x1153b8e [0077.549] GetTickCount () returned 0x1153b8e [0077.549] GetTickCount () returned 0x1153b8e [0077.549] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.549] GetProcessHeap () returned 0x3a00000 [0077.549] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.549] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x6e, lpOverlapped=0x0) returned 1 [0077.550] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffff92, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.550] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x6e, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x6e, lpOverlapped=0x0) returned 1 [0077.550] GetProcessHeap () returned 0x3a00000 [0077.550] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.550] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.551] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.552] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.552] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.552] CloseHandle (hObject=0x438) returned 1 [0077.552] GetProcessHeap () returned 0x3a00000 [0077.552] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal") returned 132 [0077.552] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch_r00t_{8ew5f6}.ebal")) returned 1 [0077.553] GetProcessHeap () returned 0x3a00000 [0077.553] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.553] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x106, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", cAlternateFileName="3CCD54~1.VSC")) returned 1 [0077.553] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="Windows") returned -1 [0077.553] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="$Recycle.bin") returned 1 [0077.553] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="System Volume Information") returned -1 [0077.553] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="Program Files") returned -1 [0077.553] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="Program Files (x86)") returned -1 [0077.553] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch") returned 113 [0077.553] StrStrIW (lpFirst="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpSrch=".ebal") returned 0x0 [0077.553] lstrcmpW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.554] lstrcmpW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch", lpString2="taridd") returned -1 [0077.554] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.554] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.554] GetTickCount () returned 0x1153b8e [0077.554] GetTickCount () returned 0x1153b8e [0077.554] GetTickCount () returned 0x1153b8e [0077.554] GetTickCount () returned 0x1153b8e [0077.554] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.554] GetProcessHeap () returned 0x3a00000 [0077.554] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.554] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x106, lpOverlapped=0x0) returned 1 [0077.555] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffefa, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.555] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x106, lpOverlapped=0x0) returned 1 [0077.555] GetProcessHeap () returned 0x3a00000 [0077.555] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.555] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.555] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.556] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.556] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.556] CloseHandle (hObject=0x438) returned 1 [0077.556] GetProcessHeap () returned 0x3a00000 [0077.556] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.556] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal") returned 132 [0077.556] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch_r00t_{8ew5f6}.ebal")) returned 1 [0077.557] GetProcessHeap () returned 0x3a00000 [0077.557] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.557] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc02e0f2e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc02e0f2e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc02e0f2e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 1 [0077.557] lstrcmpiW (lpString1="Policy.vpol", lpString2="Windows") returned -1 [0077.557] lstrcmpiW (lpString1="Policy.vpol", lpString2="$Recycle.bin") returned 1 [0077.557] lstrcmpiW (lpString1="Policy.vpol", lpString2="System Volume Information") returned -1 [0077.557] lstrcmpiW (lpString1="Policy.vpol", lpString2="Program Files") returned -1 [0077.557] lstrcmpiW (lpString1="Policy.vpol", lpString2="Program Files (x86)") returned -1 [0077.557] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol") returned 83 [0077.557] StrStrIW (lpFirst="Policy.vpol", lpSrch=".ebal") returned 0x0 [0077.557] lstrcmpW (lpString1="Policy.vpol", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.557] lstrcmpW (lpString1="Policy.vpol", lpString2="taridd") returned -1 [0077.557] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.557] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.557] GetTickCount () returned 0x1153b8e [0077.557] GetTickCount () returned 0x1153b8e [0077.557] GetTickCount () returned 0x1153b8e [0077.557] GetTickCount () returned 0x1153b8e [0077.558] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0077.558] GetProcessHeap () returned 0x3a00000 [0077.558] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.558] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1bc, lpOverlapped=0x0) returned 1 [0077.558] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffe44, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.558] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1bc, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1bc, lpOverlapped=0x0) returned 1 [0077.559] GetProcessHeap () returned 0x3a00000 [0077.559] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.559] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.559] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0077.560] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0077.560] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0077.560] CloseHandle (hObject=0x438) returned 1 [0077.560] GetProcessHeap () returned 0x3a00000 [0077.560] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.560] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol_r00t_{8ew5f6}.ebal") returned 102 [0077.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\policy.vpol_r00t_{8ew5f6}.ebal")) returned 1 [0077.561] GetProcessHeap () returned 0x3a00000 [0077.561] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.561] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc02e0f2e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc02e0f2e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc02e0f2e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Policy.vpol", cAlternateFileName="POLICY~1.VPO")) returned 0 [0077.561] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0077.561] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0077.561] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.561] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.562] CloseHandle (hObject=0x434) returned 1 [0077.562] GetProcessHeap () returned 0x3a00000 [0077.562] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.562] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc041220b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 0 [0077.563] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.563] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0077.563] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\vault\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.563] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.565] CloseHandle (hObject=0x430) returned 1 [0077.565] GetProcessHeap () returned 0x3a00000 [0077.565] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.565] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WDF", cAlternateFileName="")) returned 1 [0077.565] lstrcmpiW (lpString1="WDF", lpString2="Windows") returned -1 [0077.565] lstrcmpiW (lpString1="WDF", lpString2="$Recycle.bin") returned 1 [0077.565] lstrcmpiW (lpString1="WDF", lpString2="System Volume Information") returned 1 [0077.565] lstrcmpiW (lpString1="WDF", lpString2="Program Files") returned 1 [0077.565] lstrcmpiW (lpString1="WDF", lpString2="Program Files (x86)") returned 1 [0077.565] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF") returned 32 [0077.565] lstrcmpW (lpString1="WDF", lpString2=".") returned 1 [0077.565] lstrcmpW (lpString1="WDF", lpString2="..") returned 1 [0077.565] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WDF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.565] GetProcessHeap () returned 0x3a00000 [0077.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.565] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*") returned 34 [0077.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0077.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.566] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\.") returned 34 [0077.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.566] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.566] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\..") returned 35 [0077.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.566] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.566] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0077.566] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0077.566] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WDF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\wdf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0077.594] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0077.595] CloseHandle (hObject=0x430) returned 1 [0077.595] GetProcessHeap () returned 0x3a00000 [0077.595] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0077.595] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xedcf5f61, ftLastAccessTime.dwHighDateTime=0x1d336d9, ftLastWriteTime.dwLowDateTime=0xedcf5f61, ftLastWriteTime.dwHighDateTime=0x1d336d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0077.595] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0077.595] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb320aac5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0077.595] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0077.595] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0077.595] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0077.595] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0077.595] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0077.595] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender") returned 45 [0077.595] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0077.596] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0077.596] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.596] GetProcessHeap () returned 0x3a00000 [0077.596] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0077.596] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*") returned 47 [0077.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb320aac5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0077.597] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.597] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.597] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.597] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.597] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.597] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\.") returned 47 [0077.597] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.597] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb320aac5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.597] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.597] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.597] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.597] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.597] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.598] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\..") returned 48 [0077.598] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.598] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.598] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Clean Store", cAlternateFileName="CLEANS~1")) returned 1 [0077.598] lstrcmpiW (lpString1="Clean Store", lpString2="Windows") returned -1 [0077.598] lstrcmpiW (lpString1="Clean Store", lpString2="$Recycle.bin") returned 1 [0077.598] lstrcmpiW (lpString1="Clean Store", lpString2="System Volume Information") returned -1 [0077.598] lstrcmpiW (lpString1="Clean Store", lpString2="Program Files") returned -1 [0077.598] lstrcmpiW (lpString1="Clean Store", lpString2="Program Files (x86)") returned -1 [0077.598] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store") returned 57 [0077.598] lstrcmpW (lpString1="Clean Store", lpString2=".") returned 1 [0077.598] lstrcmpW (lpString1="Clean Store", lpString2="..") returned 1 [0077.598] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.598] GetProcessHeap () returned 0x3a00000 [0077.598] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.598] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*") returned 59 [0077.598] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0077.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.599] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\.") returned 59 [0077.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.599] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.599] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.599] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.599] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.599] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.599] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.599] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\..") returned 60 [0077.599] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.599] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.599] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.599] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0077.599] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0077.599] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Clean Store\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\clean store\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.601] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.601] CloseHandle (hObject=0x434) returned 1 [0077.602] GetProcessHeap () returned 0x3a00000 [0077.602] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.602] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2ba2529, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0077.602] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0077.602] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0077.602] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0077.602] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0077.602] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0077.602] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates") returned 64 [0077.602] lstrcmpW (lpString1="Definition Updates", lpString2=".") returned 1 [0077.602] lstrcmpW (lpString1="Definition Updates", lpString2="..") returned 1 [0077.602] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.602] GetProcessHeap () returned 0x3a00000 [0077.602] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.602] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*") returned 66 [0077.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2ba2529, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0077.603] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.603] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.603] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.603] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.603] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.603] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\.") returned 66 [0077.603] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.603] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2ba2529, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.603] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.603] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\..") returned 67 [0077.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.603] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Backup", cAlternateFileName="")) returned 1 [0077.603] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0077.603] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0077.603] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0077.603] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0077.603] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0077.603] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 71 [0077.603] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0077.603] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0077.603] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.603] GetProcessHeap () returned 0x3a00000 [0077.603] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.603] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned 73 [0077.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0077.604] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.604] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.604] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.604] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\.") returned 73 [0077.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.604] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.605] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.605] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.605] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.605] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.605] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\..") returned 74 [0077.605] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.605] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.605] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.605] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0077.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0077.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\backup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.605] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.607] CloseHandle (hObject=0x438) returned 1 [0077.607] GetProcessHeap () returned 0x3a00000 [0077.607] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.607] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Default", cAlternateFileName="")) returned 1 [0077.607] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0077.607] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0077.607] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0077.607] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0077.607] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0077.607] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned 72 [0077.607] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0077.607] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0077.607] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.607] GetProcessHeap () returned 0x3a00000 [0077.607] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.607] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*") returned 74 [0077.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0077.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.611] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\.") returned 74 [0077.611] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.611] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.611] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.611] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.611] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.611] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.611] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.612] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\..") returned 75 [0077.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.612] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11d0d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GapaEngine.dll", cAlternateFileName="")) returned 1 [0077.612] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Windows") returned -1 [0077.612] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="$Recycle.bin") returned 1 [0077.612] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="System Volume Information") returned -1 [0077.612] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Program Files") returned -1 [0077.612] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Program Files (x86)") returned -1 [0077.612] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll") returned 87 [0077.612] StrStrIW (lpFirst="GapaEngine.dll", lpSrch=".ebal") returned 0x0 [0077.612] lstrcmpW (lpString1="GapaEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.612] lstrcmpW (lpString1="GapaEngine.dll", lpString2="taridd") returned -1 [0077.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.612] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\gapaengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.612] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26b66370, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x22f6710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAsBase.vdm", cAlternateFileName="")) returned 1 [0077.612] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Windows") returned -1 [0077.612] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="$Recycle.bin") returned 1 [0077.612] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="System Volume Information") returned -1 [0077.612] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Program Files") returned -1 [0077.612] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Program Files (x86)") returned -1 [0077.612] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm") returned 85 [0077.612] StrStrIW (lpFirst="MpAsBase.vdm", lpSrch=".ebal") returned 0x0 [0077.612] lstrcmpW (lpString1="MpAsBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.612] lstrcmpW (lpString1="MpAsBase.vdm", lpString2="taridd") returned -1 [0077.612] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.613] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.615] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26af3c42, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8f10, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAsDlta.vdm", cAlternateFileName="")) returned 1 [0077.615] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Windows") returned -1 [0077.615] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="$Recycle.bin") returned 1 [0077.615] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="System Volume Information") returned -1 [0077.615] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Program Files") returned -1 [0077.615] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Program Files (x86)") returned -1 [0077.615] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm") returned 85 [0077.615] StrStrIW (lpFirst="MpAsDlta.vdm", lpSrch=".ebal") returned 0x0 [0077.615] lstrcmpW (lpString1="MpAsDlta.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.615] lstrcmpW (lpString1="MpAsDlta.vdm", lpString2="taridd") returned -1 [0077.615] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.615] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.615] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b66370, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26b66370, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x563cd10, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAvBase.vdm", cAlternateFileName="")) returned 1 [0077.615] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Windows") returned -1 [0077.615] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="$Recycle.bin") returned 1 [0077.615] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="System Volume Information") returned -1 [0077.615] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Program Files") returned -1 [0077.615] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Program Files (x86)") returned -1 [0077.615] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm") returned 85 [0077.615] StrStrIW (lpFirst="MpAvBase.vdm", lpSrch=".ebal") returned 0x0 [0077.616] lstrcmpW (lpString1="MpAvBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.616] lstrcmpW (lpString1="MpAvBase.vdm", lpString2="taridd") returned -1 [0077.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpavbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.616] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26af3c42, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x15910, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAvDlta.vdm", cAlternateFileName="")) returned 1 [0077.616] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Windows") returned -1 [0077.616] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="$Recycle.bin") returned 1 [0077.616] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="System Volume Information") returned -1 [0077.616] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Program Files") returned -1 [0077.616] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Program Files (x86)") returned -1 [0077.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm") returned 85 [0077.616] StrStrIW (lpFirst="MpAvDlta.vdm", lpSrch=".ebal") returned 0x0 [0077.616] lstrcmpW (lpString1="MpAvDlta.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.616] lstrcmpW (lpString1="MpAvDlta.vdm", lpString2="taridd") returned -1 [0077.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpavdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.616] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c4b1e3, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc11740, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpEngine.dll", cAlternateFileName="")) returned 1 [0077.616] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Windows") returned -1 [0077.616] lstrcmpiW (lpString1="MpEngine.dll", lpString2="$Recycle.bin") returned 1 [0077.616] lstrcmpiW (lpString1="MpEngine.dll", lpString2="System Volume Information") returned -1 [0077.616] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Program Files") returned -1 [0077.616] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Program Files (x86)") returned -1 [0077.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll") returned 85 [0077.616] StrStrIW (lpFirst="MpEngine.dll", lpSrch=".ebal") returned 0x0 [0077.616] lstrcmpW (lpString1="MpEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.616] lstrcmpW (lpString1="MpEngine.dll", lpString2="taridd") returned -1 [0077.616] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.616] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.619] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e318, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisBase.vdm", cAlternateFileName="")) returned 1 [0077.619] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Windows") returned -1 [0077.619] lstrcmpiW (lpString1="NisBase.vdm", lpString2="$Recycle.bin") returned 1 [0077.619] lstrcmpiW (lpString1="NisBase.vdm", lpString2="System Volume Information") returned -1 [0077.619] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Program Files") returned -1 [0077.619] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Program Files (x86)") returned -1 [0077.619] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm") returned 84 [0077.619] StrStrIW (lpFirst="NisBase.vdm", lpSrch=".ebal") returned 0x0 [0077.620] lstrcmpW (lpString1="NisBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.620] lstrcmpW (lpString1="NisBase.vdm", lpString2="taridd") returned -1 [0077.620] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.620] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\nisbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.623] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e718, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisFull.vdm", cAlternateFileName="")) returned 1 [0077.623] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Windows") returned -1 [0077.624] lstrcmpiW (lpString1="NisFull.vdm", lpString2="$Recycle.bin") returned 1 [0077.624] lstrcmpiW (lpString1="NisFull.vdm", lpString2="System Volume Information") returned -1 [0077.624] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Program Files") returned -1 [0077.624] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Program Files (x86)") returned -1 [0077.624] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm") returned 84 [0077.624] StrStrIW (lpFirst="NisFull.vdm", lpSrch=".ebal") returned 0x0 [0077.624] lstrcmpW (lpString1="NisFull.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.624] lstrcmpW (lpString1="NisFull.vdm", lpString2="taridd") returned -1 [0077.624] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.624] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\nisfull.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0077.624] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e718, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisFull.vdm", cAlternateFileName="")) returned 0 [0077.624] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0077.625] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0077.625] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\default\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.626] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.628] CloseHandle (hObject=0x438) returned 1 [0077.628] GetProcessHeap () returned 0x3a00000 [0077.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.628] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisBackup", cAlternateFileName="NISBAC~1")) returned 1 [0077.628] lstrcmpiW (lpString1="NisBackup", lpString2="Windows") returned -1 [0077.628] lstrcmpiW (lpString1="NisBackup", lpString2="$Recycle.bin") returned 1 [0077.628] lstrcmpiW (lpString1="NisBackup", lpString2="System Volume Information") returned -1 [0077.628] lstrcmpiW (lpString1="NisBackup", lpString2="Program Files") returned -1 [0077.628] lstrcmpiW (lpString1="NisBackup", lpString2="Program Files (x86)") returned -1 [0077.628] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned 74 [0077.628] lstrcmpW (lpString1="NisBackup", lpString2=".") returned 1 [0077.628] lstrcmpW (lpString1="NisBackup", lpString2="..") returned 1 [0077.628] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.628] GetProcessHeap () returned 0x3a00000 [0077.628] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*") returned 76 [0077.628] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0077.629] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.629] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.629] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.629] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.629] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.629] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\.") returned 76 [0077.629] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.629] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.629] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.629] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.629] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.629] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.629] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.629] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\..") returned 77 [0077.629] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.629] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.629] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.629] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0077.629] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0077.629] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\nisbackup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.634] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.635] CloseHandle (hObject=0x438) returned 1 [0077.635] GetProcessHeap () returned 0x3a00000 [0077.635] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.635] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Updates", cAlternateFileName="")) returned 1 [0077.635] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0077.635] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0077.635] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0077.635] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0077.635] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0077.635] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 72 [0077.635] lstrcmpW (lpString1="Updates", lpString2=".") returned 1 [0077.635] lstrcmpW (lpString1="Updates", lpString2="..") returned 1 [0077.635] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.635] GetProcessHeap () returned 0x3a00000 [0077.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned 74 [0077.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0077.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\.") returned 74 [0077.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.636] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\..") returned 75 [0077.636] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.636] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.636] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0077.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0077.636] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\updates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.637] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.638] CloseHandle (hObject=0x438) returned 1 [0077.638] GetProcessHeap () returned 0x3a00000 [0077.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.638] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Updates", cAlternateFileName="")) returned 0 [0077.638] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0077.638] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0077.638] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\definition updates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.643] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.644] CloseHandle (hObject=0x434) returned 1 [0077.644] GetProcessHeap () returned 0x3a00000 [0077.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.644] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Features", cAlternateFileName="")) returned 1 [0077.644] lstrcmpiW (lpString1="Features", lpString2="Windows") returned -1 [0077.644] lstrcmpiW (lpString1="Features", lpString2="$Recycle.bin") returned 1 [0077.644] lstrcmpiW (lpString1="Features", lpString2="System Volume Information") returned -1 [0077.644] lstrcmpiW (lpString1="Features", lpString2="Program Files") returned -1 [0077.644] lstrcmpiW (lpString1="Features", lpString2="Program Files (x86)") returned -1 [0077.644] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features") returned 54 [0077.644] lstrcmpW (lpString1="Features", lpString2=".") returned 1 [0077.644] lstrcmpW (lpString1="Features", lpString2="..") returned 1 [0077.644] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.645] GetProcessHeap () returned 0x3a00000 [0077.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*") returned 56 [0077.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.667] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.667] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.667] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.667] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.667] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.668] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\.") returned 56 [0077.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.668] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.668] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.668] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.668] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\..") returned 57 [0077.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.668] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.668] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.668] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0077.668] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Features\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\features\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.669] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.670] CloseHandle (hObject=0x434) returned 1 [0077.670] GetProcessHeap () returned 0x3a00000 [0077.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.670] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0077.670] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0077.670] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0077.670] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0077.670] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0077.670] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0077.670] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy") returned 55 [0077.670] lstrcmpW (lpString1="LocalCopy", lpString2=".") returned 1 [0077.670] lstrcmpW (lpString1="LocalCopy", lpString2="..") returned 1 [0077.670] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.671] GetProcessHeap () returned 0x3a00000 [0077.671] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.671] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*") returned 57 [0077.671] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0077.671] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.671] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.671] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.671] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.671] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.671] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\.") returned 57 [0077.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.671] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.672] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.672] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.672] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.672] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.672] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.672] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\..") returned 58 [0077.672] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.672] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.672] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.672] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0077.672] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0077.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\LocalCopy\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\localcopy\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.675] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.676] CloseHandle (hObject=0x434) returned 1 [0077.676] GetProcessHeap () returned 0x3a00000 [0077.676] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.676] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2bc876c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network Inspection System", cAlternateFileName="NETWOR~1")) returned 1 [0077.676] lstrcmpiW (lpString1="Network Inspection System", lpString2="Windows") returned -1 [0077.676] lstrcmpiW (lpString1="Network Inspection System", lpString2="$Recycle.bin") returned 1 [0077.676] lstrcmpiW (lpString1="Network Inspection System", lpString2="System Volume Information") returned -1 [0077.676] lstrcmpiW (lpString1="Network Inspection System", lpString2="Program Files") returned -1 [0077.677] lstrcmpiW (lpString1="Network Inspection System", lpString2="Program Files (x86)") returned -1 [0077.677] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System") returned 71 [0077.677] lstrcmpW (lpString1="Network Inspection System", lpString2=".") returned 1 [0077.677] lstrcmpW (lpString1="Network Inspection System", lpString2="..") returned 1 [0077.677] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.677] GetProcessHeap () returned 0x3a00000 [0077.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.677] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*") returned 73 [0077.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2bc876c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0077.677] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.678] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\.") returned 73 [0077.678] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.678] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2bc876c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.678] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.678] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.678] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.678] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.678] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.678] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\..") returned 74 [0077.678] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.678] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 1 [0077.678] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0077.678] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0077.678] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0077.678] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0077.678] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0077.678] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned 79 [0077.678] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0077.678] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0077.678] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.678] GetProcessHeap () returned 0x3a00000 [0077.678] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.678] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*") returned 81 [0077.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0077.678] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.678] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.678] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.679] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.679] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.679] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\.") returned 81 [0077.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.679] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.679] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.679] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.679] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.679] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.679] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.679] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\..") returned 82 [0077.679] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.679] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366fbd4a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisLog.txt", cAlternateFileName="")) returned 1 [0077.679] lstrcmpiW (lpString1="NisLog.txt", lpString2="Windows") returned -1 [0077.679] lstrcmpiW (lpString1="NisLog.txt", lpString2="$Recycle.bin") returned 1 [0077.679] lstrcmpiW (lpString1="NisLog.txt", lpString2="System Volume Information") returned -1 [0077.679] lstrcmpiW (lpString1="NisLog.txt", lpString2="Program Files") returned -1 [0077.679] lstrcmpiW (lpString1="NisLog.txt", lpString2="Program Files (x86)") returned -1 [0077.679] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt") returned 90 [0077.679] StrStrIW (lpFirst="NisLog.txt", lpSrch=".ebal") returned 0x0 [0077.679] lstrcmpW (lpString1="NisLog.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.679] lstrcmpW (lpString1="NisLog.txt", lpString2="taridd") returned -1 [0077.679] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\nislog.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] GetTickCount () returned 0x1153c0b [0077.680] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0077.680] GetProcessHeap () returned 0x3a00000 [0077.680] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.680] ReadFile (in: hFile=0x43c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af04c*=0x161, lpOverlapped=0x0) returned 1 [0077.681] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffe9f, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.681] WriteFile (in: hFile=0x43c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x161, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af04c*=0x161, lpOverlapped=0x0) returned 1 [0077.681] GetProcessHeap () returned 0x3a00000 [0077.681] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.681] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.681] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0077.682] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0077.682] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0077.682] CloseHandle (hObject=0x43c) returned 1 [0077.683] GetProcessHeap () returned 0x3a00000 [0077.683] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.683] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt_r00t_{8ew5f6}.ebal") returned 109 [0077.683] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\nislog.txt"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\nislog.txt_r00t_{8ew5f6}.ebal")) returned 1 [0077.683] GetProcessHeap () returned 0x3a00000 [0077.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.683] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366fbd4a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisLog.txt", cAlternateFileName="")) returned 0 [0077.683] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0077.683] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.684] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\support\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.684] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.685] CloseHandle (hObject=0x438) returned 1 [0077.685] GetProcessHeap () returned 0x3a00000 [0077.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.685] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x366fbd4a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 0 [0077.685] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0077.686] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0077.686] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Network Inspection System\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\network inspection system\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.686] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.687] CloseHandle (hObject=0x434) returned 1 [0077.687] GetProcessHeap () returned 0x3a00000 [0077.687] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.687] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Platform", cAlternateFileName="")) returned 1 [0077.687] lstrcmpiW (lpString1="Platform", lpString2="Windows") returned -1 [0077.687] lstrcmpiW (lpString1="Platform", lpString2="$Recycle.bin") returned 1 [0077.687] lstrcmpiW (lpString1="Platform", lpString2="System Volume Information") returned -1 [0077.687] lstrcmpiW (lpString1="Platform", lpString2="Program Files") returned -1 [0077.687] lstrcmpiW (lpString1="Platform", lpString2="Program Files (x86)") returned -1 [0077.687] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform") returned 54 [0077.687] lstrcmpW (lpString1="Platform", lpString2=".") returned 1 [0077.687] lstrcmpW (lpString1="Platform", lpString2="..") returned 1 [0077.687] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.687] GetProcessHeap () returned 0x3a00000 [0077.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.687] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*") returned 56 [0077.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0077.687] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.687] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.687] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.687] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.688] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.688] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\.") returned 56 [0077.688] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.688] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.688] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.688] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.688] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.688] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.688] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.688] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\..") returned 57 [0077.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.688] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.688] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0077.688] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0077.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\platform\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.688] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.689] CloseHandle (hObject=0x434) returned 1 [0077.689] GetProcessHeap () returned 0x3a00000 [0077.689] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.689] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0077.689] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0077.689] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0077.689] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0077.689] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0077.689] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0077.689] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine") returned 56 [0077.690] lstrcmpW (lpString1="Quarantine", lpString2=".") returned 1 [0077.690] lstrcmpW (lpString1="Quarantine", lpString2="..") returned 1 [0077.690] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.690] GetProcessHeap () returned 0x3a00000 [0077.690] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.690] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*") returned 58 [0077.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0077.690] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.690] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.690] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.690] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.690] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.690] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\.") returned 58 [0077.691] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.691] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.691] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.691] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\..") returned 59 [0077.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.691] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.691] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0077.691] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0077.691] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Quarantine\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\quarantine\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0077.692] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.693] CloseHandle (hObject=0x434) returned 1 [0077.693] GetProcessHeap () returned 0x3a00000 [0077.693] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0077.693] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26ff45d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x16ca3b2a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Scans", cAlternateFileName="")) returned 1 [0077.693] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0077.693] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0077.693] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0077.693] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0077.693] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0077.693] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans") returned 51 [0077.693] lstrcmpW (lpString1="Scans", lpString2=".") returned 1 [0077.693] lstrcmpW (lpString1="Scans", lpString2="..") returned 1 [0077.693] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.693] GetProcessHeap () returned 0x3a00000 [0077.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0077.693] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*") returned 53 [0077.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26ff45d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x16ca3b2a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0077.695] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.695] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.695] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.695] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.695] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.695] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\.") returned 53 [0077.695] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.695] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26ff45d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x16ca3b2a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.696] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.696] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.696] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.696] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.696] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.696] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\..") returned 54 [0077.696] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.696] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CleanFileTelemetry", cAlternateFileName="CLEANF~1")) returned 1 [0077.696] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Windows") returned -1 [0077.696] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="$Recycle.bin") returned 1 [0077.696] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="System Volume Information") returned -1 [0077.696] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Program Files") returned -1 [0077.696] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Program Files (x86)") returned -1 [0077.696] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned 70 [0077.696] lstrcmpW (lpString1="CleanFileTelemetry", lpString2=".") returned 1 [0077.696] lstrcmpW (lpString1="CleanFileTelemetry", lpString2="..") returned 1 [0077.696] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.696] GetProcessHeap () returned 0x3a00000 [0077.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*") returned 72 [0077.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0077.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\.") returned 72 [0077.697] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.697] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.697] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.697] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.697] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.697] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.697] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\..") returned 73 [0077.697] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.697] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.697] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.697] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0077.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 102 [0077.697] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanfiletelemetry\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.698] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.698] CloseHandle (hObject=0x438) returned 1 [0077.699] GetProcessHeap () returned 0x3a00000 [0077.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.699] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac58c824, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CleanStore", cAlternateFileName="CLEANS~1")) returned 1 [0077.699] lstrcmpiW (lpString1="CleanStore", lpString2="Windows") returned -1 [0077.699] lstrcmpiW (lpString1="CleanStore", lpString2="$Recycle.bin") returned 1 [0077.699] lstrcmpiW (lpString1="CleanStore", lpString2="System Volume Information") returned -1 [0077.699] lstrcmpiW (lpString1="CleanStore", lpString2="Program Files") returned -1 [0077.699] lstrcmpiW (lpString1="CleanStore", lpString2="Program Files (x86)") returned -1 [0077.699] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned 62 [0077.699] lstrcmpW (lpString1="CleanStore", lpString2=".") returned 1 [0077.699] lstrcmpW (lpString1="CleanStore", lpString2="..") returned 1 [0077.699] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.699] GetProcessHeap () returned 0x3a00000 [0077.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.699] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*") returned 64 [0077.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac58c824, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0077.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.701] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\.") returned 64 [0077.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.701] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac58c824, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.701] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\..") returned 65 [0077.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.701] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Entries", cAlternateFileName="")) returned 1 [0077.701] lstrcmpiW (lpString1="Entries", lpString2="Windows") returned -1 [0077.702] lstrcmpiW (lpString1="Entries", lpString2="$Recycle.bin") returned 1 [0077.702] lstrcmpiW (lpString1="Entries", lpString2="System Volume Information") returned -1 [0077.702] lstrcmpiW (lpString1="Entries", lpString2="Program Files") returned -1 [0077.702] lstrcmpiW (lpString1="Entries", lpString2="Program Files (x86)") returned -1 [0077.702] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned 70 [0077.702] lstrcmpW (lpString1="Entries", lpString2=".") returned 1 [0077.702] lstrcmpW (lpString1="Entries", lpString2="..") returned 1 [0077.702] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.702] GetProcessHeap () returned 0x3a00000 [0077.702] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*") returned 72 [0077.702] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0077.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.703] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.703] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\.") returned 72 [0077.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.703] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.703] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.703] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.703] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.703] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.703] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.703] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\..") returned 73 [0077.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.703] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.703] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0077.703] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 102 [0077.703] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\entries\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.703] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.704] CloseHandle (hObject=0x43c) returned 1 [0077.704] GetProcessHeap () returned 0x3a00000 [0077.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.704] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ResourceData", cAlternateFileName="RESOUR~1")) returned 1 [0077.704] lstrcmpiW (lpString1="ResourceData", lpString2="Windows") returned -1 [0077.705] lstrcmpiW (lpString1="ResourceData", lpString2="$Recycle.bin") returned 1 [0077.705] lstrcmpiW (lpString1="ResourceData", lpString2="System Volume Information") returned -1 [0077.705] lstrcmpiW (lpString1="ResourceData", lpString2="Program Files") returned 1 [0077.705] lstrcmpiW (lpString1="ResourceData", lpString2="Program Files (x86)") returned 1 [0077.705] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned 75 [0077.705] lstrcmpW (lpString1="ResourceData", lpString2=".") returned 1 [0077.705] lstrcmpW (lpString1="ResourceData", lpString2="..") returned 1 [0077.705] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.705] GetProcessHeap () returned 0x3a00000 [0077.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.705] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*") returned 77 [0077.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0077.727] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.727] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.727] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.727] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.727] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.727] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\.") returned 77 [0077.727] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.727] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.727] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.727] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.727] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.727] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.727] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.727] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\..") returned 78 [0077.727] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.727] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.727] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.727] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0077.727] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0077.727] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\resourcedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.728] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.729] CloseHandle (hObject=0x43c) returned 1 [0077.729] GetProcessHeap () returned 0x3a00000 [0077.729] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.729] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 1 [0077.729] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0077.729] lstrcmpiW (lpString1="Resources", lpString2="$Recycle.bin") returned 1 [0077.729] lstrcmpiW (lpString1="Resources", lpString2="System Volume Information") returned -1 [0077.729] lstrcmpiW (lpString1="Resources", lpString2="Program Files") returned 1 [0077.729] lstrcmpiW (lpString1="Resources", lpString2="Program Files (x86)") returned 1 [0077.729] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned 72 [0077.729] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0077.729] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0077.730] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.730] GetProcessHeap () returned 0x3a00000 [0077.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*") returned 74 [0077.730] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0077.730] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.730] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.730] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.730] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.730] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\.") returned 74 [0077.730] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.730] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.730] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.730] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.730] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.730] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.730] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\..") returned 75 [0077.730] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.730] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.730] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.730] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0077.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0077.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\resources\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.733] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.734] CloseHandle (hObject=0x43c) returned 1 [0077.734] GetProcessHeap () returned 0x3a00000 [0077.734] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.734] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 0 [0077.734] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0077.734] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0077.734] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\CleanStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\cleanstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.741] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.742] CloseHandle (hObject=0x438) returned 1 [0077.742] GetProcessHeap () returned 0x3a00000 [0077.742] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3125c62, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="History", cAlternateFileName="")) returned 1 [0077.742] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0077.742] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0077.742] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0077.742] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0077.742] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0077.742] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History") returned 59 [0077.742] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0077.742] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0077.742] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.742] GetProcessHeap () returned 0x3a00000 [0077.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*") returned 61 [0077.742] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3125c62, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0077.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.744] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\.") returned 61 [0077.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.744] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3125c62, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.745] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.745] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\..") returned 62 [0077.745] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.745] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.745] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1712929f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0077.745] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0077.745] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0077.745] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0077.745] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0077.745] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0077.745] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 72 [0077.745] lstrcmpW (lpString1="CacheManager", lpString2=".") returned 1 [0077.745] lstrcmpW (lpString1="CacheManager", lpString2="..") returned 1 [0077.745] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.745] GetProcessHeap () returned 0x3a00000 [0077.745] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.745] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned 74 [0077.745] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1712929f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0077.745] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.745] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.745] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.745] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.745] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.745] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\.") returned 74 [0077.746] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.746] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1712929f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.746] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.746] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.746] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.746] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.746] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.746] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\..") returned 75 [0077.746] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.746] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.746] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1712929f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.746] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0077.746] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0077.746] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\cachemanager\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.746] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.748] CloseHandle (hObject=0x43c) returned 1 [0077.748] GetProcessHeap () returned 0x3a00000 [0077.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.748] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2dde708, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Mput", cAlternateFileName="")) returned 1 [0077.748] lstrcmpiW (lpString1="Mput", lpString2="Windows") returned -1 [0077.748] lstrcmpiW (lpString1="Mput", lpString2="$Recycle.bin") returned 1 [0077.748] lstrcmpiW (lpString1="Mput", lpString2="System Volume Information") returned -1 [0077.748] lstrcmpiW (lpString1="Mput", lpString2="Program Files") returned -1 [0077.748] lstrcmpiW (lpString1="Mput", lpString2="Program Files (x86)") returned -1 [0077.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned 64 [0077.748] lstrcmpW (lpString1="Mput", lpString2=".") returned 1 [0077.748] lstrcmpW (lpString1="Mput", lpString2="..") returned 1 [0077.748] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.748] GetProcessHeap () returned 0x3a00000 [0077.748] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.748] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*") returned 66 [0077.748] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2dde708, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0077.748] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.748] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.748] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.748] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.748] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.748] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\.") returned 66 [0077.748] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.748] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2dde708, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.748] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.748] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.748] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.749] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.749] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\..") returned 67 [0077.749] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.749] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.749] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 1 [0077.749] lstrcmpiW (lpString1="MputHistory", lpString2="Windows") returned -1 [0077.749] lstrcmpiW (lpString1="MputHistory", lpString2="$Recycle.bin") returned 1 [0077.749] lstrcmpiW (lpString1="MputHistory", lpString2="System Volume Information") returned -1 [0077.749] lstrcmpiW (lpString1="MputHistory", lpString2="Program Files") returned -1 [0077.749] lstrcmpiW (lpString1="MputHistory", lpString2="Program Files (x86)") returned -1 [0077.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned 76 [0077.749] lstrcmpW (lpString1="MputHistory", lpString2=".") returned 1 [0077.749] lstrcmpW (lpString1="MputHistory", lpString2="..") returned 1 [0077.749] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.749] GetProcessHeap () returned 0x3a00000 [0077.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.749] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*") returned 78 [0077.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0077.751] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.751] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.751] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.751] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.751] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\.") returned 78 [0077.751] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.751] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.751] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.751] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.751] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.751] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.751] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\..") returned 79 [0077.751] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.751] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.751] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2900a03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="00", cAlternateFileName="")) returned 1 [0077.751] lstrcmpiW (lpString1="00", lpString2="Windows") returned -1 [0077.751] lstrcmpiW (lpString1="00", lpString2="$Recycle.bin") returned 1 [0077.751] lstrcmpiW (lpString1="00", lpString2="System Volume Information") returned -1 [0077.751] lstrcmpiW (lpString1="00", lpString2="Program Files") returned -1 [0077.751] lstrcmpiW (lpString1="00", lpString2="Program Files (x86)") returned -1 [0077.752] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned 79 [0077.752] lstrcmpW (lpString1="00", lpString2=".") returned 1 [0077.752] lstrcmpW (lpString1="00", lpString2="..") returned 1 [0077.752] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.752] GetProcessHeap () returned 0x3a00000 [0077.752] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.752] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*") returned 81 [0077.752] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2900a03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0077.753] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.753] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.753] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.753] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.753] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.753] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\.") returned 81 [0077.753] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.753] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2900a03, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.753] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.753] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.753] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.753] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.753] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.753] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\..") returned 82 [0077.753] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.753] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.753] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192", cAlternateFileName="")) returned 1 [0077.753] lstrcmpiW (lpString1="192", lpString2="Windows") returned -1 [0077.753] lstrcmpiW (lpString1="192", lpString2="$Recycle.bin") returned 1 [0077.753] lstrcmpiW (lpString1="192", lpString2="System Volume Information") returned -1 [0077.753] lstrcmpiW (lpString1="192", lpString2="Program Files") returned -1 [0077.753] lstrcmpiW (lpString1="192", lpString2="Program Files (x86)") returned -1 [0077.753] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192") returned 83 [0077.753] StrStrIW (lpFirst="192", lpSrch=".ebal") returned 0x0 [0077.753] lstrcmpW (lpString1="192", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.753] lstrcmpW (lpString1="192", lpString2="taridd") returned -1 [0077.753] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.753] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\192"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.755] GetTickCount () returned 0x1153c59 [0077.755] GetTickCount () returned 0x1153c59 [0077.755] GetTickCount () returned 0x1153c59 [0077.755] GetTickCount () returned 0x1153c59 [0077.755] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.755] GetProcessHeap () returned 0x3a00000 [0077.755] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.755] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.757] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.757] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.757] GetProcessHeap () returned 0x3a00000 [0077.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.757] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.757] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.758] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.758] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.758] CloseHandle (hObject=0x450) returned 1 [0077.758] GetProcessHeap () returned 0x3a00000 [0077.758] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.758] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192_r00t_{8ew5f6}.ebal") returned 102 [0077.758] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\192"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\192_r00t_{8ew5f6}.ebal")) returned 1 [0077.759] GetProcessHeap () returned 0x3a00000 [0077.759] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.759] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192", cAlternateFileName="")) returned 0 [0077.759] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0077.759] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.759] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.760] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.761] CloseHandle (hObject=0x44c) returned 1 [0077.761] GetProcessHeap () returned 0x3a00000 [0077.761] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.761] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc290171f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e0495b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="01", cAlternateFileName="")) returned 1 [0077.761] lstrcmpiW (lpString1="01", lpString2="Windows") returned -1 [0077.761] lstrcmpiW (lpString1="01", lpString2="$Recycle.bin") returned 1 [0077.761] lstrcmpiW (lpString1="01", lpString2="System Volume Information") returned -1 [0077.761] lstrcmpiW (lpString1="01", lpString2="Program Files") returned -1 [0077.761] lstrcmpiW (lpString1="01", lpString2="Program Files (x86)") returned -1 [0077.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned 79 [0077.761] lstrcmpW (lpString1="01", lpString2=".") returned 1 [0077.761] lstrcmpW (lpString1="01", lpString2="..") returned 1 [0077.761] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.761] GetProcessHeap () returned 0x3a00000 [0077.761] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.761] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*") returned 81 [0077.761] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc290171f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e0495b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0077.762] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.762] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.762] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.762] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.762] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.762] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\.") returned 81 [0077.762] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.762] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc290171f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e0495b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.762] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.762] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.762] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.762] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.762] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.762] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\..") returned 82 [0077.762] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.762] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.762] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271", cAlternateFileName="")) returned 1 [0077.762] lstrcmpiW (lpString1="271", lpString2="Windows") returned -1 [0077.762] lstrcmpiW (lpString1="271", lpString2="$Recycle.bin") returned 1 [0077.762] lstrcmpiW (lpString1="271", lpString2="System Volume Information") returned -1 [0077.762] lstrcmpiW (lpString1="271", lpString2="Program Files") returned -1 [0077.762] lstrcmpiW (lpString1="271", lpString2="Program Files (x86)") returned -1 [0077.762] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271") returned 83 [0077.762] StrStrIW (lpFirst="271", lpSrch=".ebal") returned 0x0 [0077.762] lstrcmpW (lpString1="271", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.762] lstrcmpW (lpString1="271", lpString2="taridd") returned -1 [0077.762] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.762] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\271"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.767] GetTickCount () returned 0x1153c69 [0077.767] GetTickCount () returned 0x1153c69 [0077.767] GetTickCount () returned 0x1153c69 [0077.767] GetTickCount () returned 0x1153c69 [0077.768] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.768] GetProcessHeap () returned 0x3a00000 [0077.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.768] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.769] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.769] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.769] GetProcessHeap () returned 0x3a00000 [0077.769] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.769] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.769] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.770] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.770] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.770] CloseHandle (hObject=0x450) returned 1 [0077.771] GetProcessHeap () returned 0x3a00000 [0077.771] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.771] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271_r00t_{8ew5f6}.ebal") returned 102 [0077.771] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\271"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\271_r00t_{8ew5f6}.ebal")) returned 1 [0077.771] GetProcessHeap () returned 0x3a00000 [0077.771] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.771] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271", cAlternateFileName="")) returned 0 [0077.772] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0077.772] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.772] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.772] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.773] CloseHandle (hObject=0x44c) returned 1 [0077.773] GetProcessHeap () returned 0x3a00000 [0077.773] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.773] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2951aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="02", cAlternateFileName="")) returned 1 [0077.773] lstrcmpiW (lpString1="02", lpString2="Windows") returned -1 [0077.773] lstrcmpiW (lpString1="02", lpString2="$Recycle.bin") returned 1 [0077.773] lstrcmpiW (lpString1="02", lpString2="System Volume Information") returned -1 [0077.773] lstrcmpiW (lpString1="02", lpString2="Program Files") returned -1 [0077.773] lstrcmpiW (lpString1="02", lpString2="Program Files (x86)") returned -1 [0077.773] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned 79 [0077.773] lstrcmpW (lpString1="02", lpString2=".") returned 1 [0077.773] lstrcmpW (lpString1="02", lpString2="..") returned 1 [0077.773] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.773] GetProcessHeap () returned 0x3a00000 [0077.773] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.773] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*") returned 81 [0077.773] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2951aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0077.786] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.786] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.786] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.786] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.786] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.786] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\.") returned 81 [0077.786] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.786] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2951aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.786] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.786] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.787] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.787] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.787] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.787] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\..") returned 82 [0077.787] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.787] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.787] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109004", cAlternateFileName="")) returned 1 [0077.787] lstrcmpiW (lpString1="109004", lpString2="Windows") returned -1 [0077.787] lstrcmpiW (lpString1="109004", lpString2="$Recycle.bin") returned 1 [0077.787] lstrcmpiW (lpString1="109004", lpString2="System Volume Information") returned -1 [0077.787] lstrcmpiW (lpString1="109004", lpString2="Program Files") returned -1 [0077.787] lstrcmpiW (lpString1="109004", lpString2="Program Files (x86)") returned -1 [0077.787] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004") returned 86 [0077.787] StrStrIW (lpFirst="109004", lpSrch=".ebal") returned 0x0 [0077.787] lstrcmpW (lpString1="109004", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.787] lstrcmpW (lpString1="109004", lpString2="taridd") returned -1 [0077.787] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.787] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\109004"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.788] GetTickCount () returned 0x1153c79 [0077.788] GetTickCount () returned 0x1153c79 [0077.788] GetTickCount () returned 0x1153c79 [0077.788] GetTickCount () returned 0x1153c79 [0077.788] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.788] GetProcessHeap () returned 0x3a00000 [0077.788] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.788] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.789] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.789] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.790] GetProcessHeap () returned 0x3a00000 [0077.790] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.790] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.790] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.790] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.790] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.790] CloseHandle (hObject=0x450) returned 1 [0077.790] GetProcessHeap () returned 0x3a00000 [0077.791] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.791] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004_r00t_{8ew5f6}.ebal") returned 105 [0077.791] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\109004"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\109004_r00t_{8ew5f6}.ebal")) returned 1 [0077.791] GetProcessHeap () returned 0x3a00000 [0077.791] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.791] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109004", cAlternateFileName="")) returned 0 [0077.791] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0077.792] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.792] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.792] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.793] CloseHandle (hObject=0x44c) returned 1 [0077.793] GetProcessHeap () returned 0x3a00000 [0077.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.793] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295215e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="04", cAlternateFileName="")) returned 1 [0077.793] lstrcmpiW (lpString1="04", lpString2="Windows") returned -1 [0077.793] lstrcmpiW (lpString1="04", lpString2="$Recycle.bin") returned 1 [0077.793] lstrcmpiW (lpString1="04", lpString2="System Volume Information") returned -1 [0077.793] lstrcmpiW (lpString1="04", lpString2="Program Files") returned -1 [0077.793] lstrcmpiW (lpString1="04", lpString2="Program Files (x86)") returned -1 [0077.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned 79 [0077.793] lstrcmpW (lpString1="04", lpString2=".") returned 1 [0077.793] lstrcmpW (lpString1="04", lpString2="..") returned 1 [0077.793] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.793] GetProcessHeap () returned 0x3a00000 [0077.793] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.793] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*") returned 81 [0077.793] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295215e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0077.794] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.794] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.794] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.794] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.794] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.794] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\.") returned 81 [0077.795] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.796] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295215e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.796] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.796] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.796] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.796] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.796] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.796] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\..") returned 82 [0077.796] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.796] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.796] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109005", cAlternateFileName="")) returned 1 [0077.796] lstrcmpiW (lpString1="109005", lpString2="Windows") returned -1 [0077.796] lstrcmpiW (lpString1="109005", lpString2="$Recycle.bin") returned 1 [0077.796] lstrcmpiW (lpString1="109005", lpString2="System Volume Information") returned -1 [0077.796] lstrcmpiW (lpString1="109005", lpString2="Program Files") returned -1 [0077.796] lstrcmpiW (lpString1="109005", lpString2="Program Files (x86)") returned -1 [0077.796] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005") returned 86 [0077.796] StrStrIW (lpFirst="109005", lpSrch=".ebal") returned 0x0 [0077.796] lstrcmpW (lpString1="109005", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.796] lstrcmpW (lpString1="109005", lpString2="taridd") returned -1 [0077.796] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.796] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\109005"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.796] GetTickCount () returned 0x1153c88 [0077.796] GetTickCount () returned 0x1153c88 [0077.797] GetTickCount () returned 0x1153c88 [0077.797] GetTickCount () returned 0x1153c88 [0077.797] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.797] GetProcessHeap () returned 0x3a00000 [0077.797] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.797] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.798] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.798] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.798] GetProcessHeap () returned 0x3a00000 [0077.798] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.798] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.798] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.799] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.799] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.799] CloseHandle (hObject=0x450) returned 1 [0077.799] GetProcessHeap () returned 0x3a00000 [0077.799] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.799] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005_r00t_{8ew5f6}.ebal") returned 105 [0077.799] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\109005"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\109005_r00t_{8ew5f6}.ebal")) returned 1 [0077.800] GetProcessHeap () returned 0x3a00000 [0077.800] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.800] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259", cAlternateFileName="")) returned 1 [0077.800] lstrcmpiW (lpString1="259", lpString2="Windows") returned -1 [0077.800] lstrcmpiW (lpString1="259", lpString2="$Recycle.bin") returned 1 [0077.800] lstrcmpiW (lpString1="259", lpString2="System Volume Information") returned -1 [0077.800] lstrcmpiW (lpString1="259", lpString2="Program Files") returned -1 [0077.800] lstrcmpiW (lpString1="259", lpString2="Program Files (x86)") returned -1 [0077.800] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259") returned 83 [0077.800] StrStrIW (lpFirst="259", lpSrch=".ebal") returned 0x0 [0077.800] lstrcmpW (lpString1="259", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.800] lstrcmpW (lpString1="259", lpString2="taridd") returned -1 [0077.800] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.800] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\259"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.801] GetTickCount () returned 0x1153c88 [0077.801] GetTickCount () returned 0x1153c88 [0077.801] GetTickCount () returned 0x1153c88 [0077.802] GetTickCount () returned 0x1153c88 [0077.802] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.802] GetProcessHeap () returned 0x3a00000 [0077.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.802] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.805] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.805] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.805] GetProcessHeap () returned 0x3a00000 [0077.805] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.805] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.805] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.806] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.806] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.806] CloseHandle (hObject=0x450) returned 1 [0077.806] GetProcessHeap () returned 0x3a00000 [0077.806] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.806] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259_r00t_{8ew5f6}.ebal") returned 102 [0077.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\259"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\259_r00t_{8ew5f6}.ebal")) returned 1 [0077.807] GetProcessHeap () returned 0x3a00000 [0077.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.807] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259", cAlternateFileName="")) returned 0 [0077.807] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0077.807] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.807] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.807] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.808] CloseHandle (hObject=0x44c) returned 1 [0077.809] GetProcessHeap () returned 0x3a00000 [0077.809] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.809] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295291b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e9d2d1, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="05", cAlternateFileName="")) returned 1 [0077.809] lstrcmpiW (lpString1="05", lpString2="Windows") returned -1 [0077.809] lstrcmpiW (lpString1="05", lpString2="$Recycle.bin") returned 1 [0077.809] lstrcmpiW (lpString1="05", lpString2="System Volume Information") returned -1 [0077.809] lstrcmpiW (lpString1="05", lpString2="Program Files") returned -1 [0077.809] lstrcmpiW (lpString1="05", lpString2="Program Files (x86)") returned -1 [0077.809] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned 79 [0077.809] lstrcmpW (lpString1="05", lpString2=".") returned 1 [0077.809] lstrcmpW (lpString1="05", lpString2="..") returned 1 [0077.809] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.809] GetProcessHeap () returned 0x3a00000 [0077.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.809] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*") returned 81 [0077.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295291b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e9d2d1, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0077.809] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.809] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.809] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.809] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.809] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.809] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\.") returned 81 [0077.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.809] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc295291b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2e9d2d1, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.810] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.810] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.810] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\..") returned 82 [0077.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.810] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191", cAlternateFileName="")) returned 1 [0077.810] lstrcmpiW (lpString1="191", lpString2="Windows") returned -1 [0077.810] lstrcmpiW (lpString1="191", lpString2="$Recycle.bin") returned 1 [0077.810] lstrcmpiW (lpString1="191", lpString2="System Volume Information") returned -1 [0077.810] lstrcmpiW (lpString1="191", lpString2="Program Files") returned -1 [0077.810] lstrcmpiW (lpString1="191", lpString2="Program Files (x86)") returned -1 [0077.810] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191") returned 83 [0077.810] StrStrIW (lpFirst="191", lpSrch=".ebal") returned 0x0 [0077.810] lstrcmpW (lpString1="191", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.810] lstrcmpW (lpString1="191", lpString2="taridd") returned -1 [0077.810] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.810] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\191"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.810] GetTickCount () returned 0x1153c98 [0077.810] GetTickCount () returned 0x1153c98 [0077.810] GetTickCount () returned 0x1153c98 [0077.810] GetTickCount () returned 0x1153c98 [0077.810] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.811] GetProcessHeap () returned 0x3a00000 [0077.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.811] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.812] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.812] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.812] GetProcessHeap () returned 0x3a00000 [0077.812] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.812] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.812] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.813] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.813] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.813] CloseHandle (hObject=0x450) returned 1 [0077.813] GetProcessHeap () returned 0x3a00000 [0077.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.813] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191_r00t_{8ew5f6}.ebal") returned 102 [0077.813] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\191"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\191_r00t_{8ew5f6}.ebal")) returned 1 [0077.814] GetProcessHeap () returned 0x3a00000 [0077.814] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.814] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191", cAlternateFileName="")) returned 0 [0077.814] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0077.814] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.814] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.815] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.816] CloseHandle (hObject=0x44c) returned 1 [0077.816] GetProcessHeap () returned 0x3a00000 [0077.816] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.816] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2952f6f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="09", cAlternateFileName="")) returned 1 [0077.816] lstrcmpiW (lpString1="09", lpString2="Windows") returned -1 [0077.816] lstrcmpiW (lpString1="09", lpString2="$Recycle.bin") returned 1 [0077.816] lstrcmpiW (lpString1="09", lpString2="System Volume Information") returned -1 [0077.816] lstrcmpiW (lpString1="09", lpString2="Program Files") returned -1 [0077.816] lstrcmpiW (lpString1="09", lpString2="Program Files (x86)") returned -1 [0077.816] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned 79 [0077.816] lstrcmpW (lpString1="09", lpString2=".") returned 1 [0077.816] lstrcmpW (lpString1="09", lpString2="..") returned 1 [0077.816] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.816] GetProcessHeap () returned 0x3a00000 [0077.816] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.816] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*") returned 81 [0077.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2952f6f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0077.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.816] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\.") returned 81 [0077.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.816] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2952f6f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.817] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\..") returned 82 [0077.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.817] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287", cAlternateFileName="")) returned 1 [0077.817] lstrcmpiW (lpString1="287", lpString2="Windows") returned -1 [0077.817] lstrcmpiW (lpString1="287", lpString2="$Recycle.bin") returned 1 [0077.817] lstrcmpiW (lpString1="287", lpString2="System Volume Information") returned -1 [0077.817] lstrcmpiW (lpString1="287", lpString2="Program Files") returned -1 [0077.817] lstrcmpiW (lpString1="287", lpString2="Program Files (x86)") returned -1 [0077.817] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287") returned 83 [0077.817] StrStrIW (lpFirst="287", lpSrch=".ebal") returned 0x0 [0077.817] lstrcmpW (lpString1="287", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.817] lstrcmpW (lpString1="287", lpString2="taridd") returned -1 [0077.817] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.817] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\287"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.818] GetTickCount () returned 0x1153c98 [0077.818] GetTickCount () returned 0x1153c98 [0077.818] GetTickCount () returned 0x1153c98 [0077.818] GetTickCount () returned 0x1153c98 [0077.818] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.819] GetProcessHeap () returned 0x3a00000 [0077.819] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.819] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.819] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.820] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.820] GetProcessHeap () returned 0x3a00000 [0077.820] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.820] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.820] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.820] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.820] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.821] CloseHandle (hObject=0x450) returned 1 [0077.821] GetProcessHeap () returned 0x3a00000 [0077.821] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.821] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287_r00t_{8ew5f6}.ebal") returned 102 [0077.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\287"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\287_r00t_{8ew5f6}.ebal")) returned 1 [0077.821] GetProcessHeap () returned 0x3a00000 [0077.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.821] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287", cAlternateFileName="")) returned 0 [0077.821] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0077.821] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.821] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.825] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.826] CloseHandle (hObject=0x44c) returned 1 [0077.826] GetProcessHeap () returned 0x3a00000 [0077.826] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.826] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29537a2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="10", cAlternateFileName="")) returned 1 [0077.826] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0077.826] lstrcmpiW (lpString1="10", lpString2="$Recycle.bin") returned 1 [0077.826] lstrcmpiW (lpString1="10", lpString2="System Volume Information") returned -1 [0077.826] lstrcmpiW (lpString1="10", lpString2="Program Files") returned -1 [0077.826] lstrcmpiW (lpString1="10", lpString2="Program Files (x86)") returned -1 [0077.826] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned 79 [0077.827] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0077.827] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0077.827] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.827] GetProcessHeap () returned 0x3a00000 [0077.827] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.827] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*") returned 81 [0077.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29537a2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0077.827] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.827] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.827] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.827] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.827] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.827] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\.") returned 81 [0077.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.827] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29537a2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2ec3520, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.827] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.827] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.827] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.827] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.827] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.827] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\..") returned 82 [0077.827] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.827] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.827] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="267", cAlternateFileName="")) returned 1 [0077.827] lstrcmpiW (lpString1="267", lpString2="Windows") returned -1 [0077.827] lstrcmpiW (lpString1="267", lpString2="$Recycle.bin") returned 1 [0077.827] lstrcmpiW (lpString1="267", lpString2="System Volume Information") returned -1 [0077.827] lstrcmpiW (lpString1="267", lpString2="Program Files") returned -1 [0077.827] lstrcmpiW (lpString1="267", lpString2="Program Files (x86)") returned -1 [0077.827] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267") returned 83 [0077.828] StrStrIW (lpFirst="267", lpSrch=".ebal") returned 0x0 [0077.828] lstrcmpW (lpString1="267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.828] lstrcmpW (lpString1="267", lpString2="taridd") returned -1 [0077.828] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.828] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.828] GetTickCount () returned 0x1153ca8 [0077.828] GetTickCount () returned 0x1153ca8 [0077.828] GetTickCount () returned 0x1153ca8 [0077.828] GetTickCount () returned 0x1153ca8 [0077.828] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.828] GetProcessHeap () returned 0x3a00000 [0077.828] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.828] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.844] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.844] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.844] GetProcessHeap () returned 0x3a00000 [0077.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.844] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.844] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.845] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.845] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.845] CloseHandle (hObject=0x450) returned 1 [0077.845] GetProcessHeap () returned 0x3a00000 [0077.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.845] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267_r00t_{8ew5f6}.ebal") returned 102 [0077.845] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\267"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\267_r00t_{8ew5f6}.ebal")) returned 1 [0077.846] GetProcessHeap () returned 0x3a00000 [0077.846] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.846] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286", cAlternateFileName="")) returned 1 [0077.846] lstrcmpiW (lpString1="286", lpString2="Windows") returned -1 [0077.846] lstrcmpiW (lpString1="286", lpString2="$Recycle.bin") returned 1 [0077.846] lstrcmpiW (lpString1="286", lpString2="System Volume Information") returned -1 [0077.846] lstrcmpiW (lpString1="286", lpString2="Program Files") returned -1 [0077.846] lstrcmpiW (lpString1="286", lpString2="Program Files (x86)") returned -1 [0077.846] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286") returned 83 [0077.846] StrStrIW (lpFirst="286", lpSrch=".ebal") returned 0x0 [0077.846] lstrcmpW (lpString1="286", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.846] lstrcmpW (lpString1="286", lpString2="taridd") returned -1 [0077.846] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.846] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\286"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.847] GetTickCount () returned 0x1153cb7 [0077.847] GetTickCount () returned 0x1153cb7 [0077.847] GetTickCount () returned 0x1153cb7 [0077.847] GetTickCount () returned 0x1153cb7 [0077.847] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.847] GetProcessHeap () returned 0x3a00000 [0077.847] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.847] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.848] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.848] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.849] GetProcessHeap () returned 0x3a00000 [0077.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.849] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.849] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.849] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.849] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.849] CloseHandle (hObject=0x450) returned 1 [0077.849] GetProcessHeap () returned 0x3a00000 [0077.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.850] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286_r00t_{8ew5f6}.ebal") returned 102 [0077.850] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\286"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\286_r00t_{8ew5f6}.ebal")) returned 1 [0077.850] GetProcessHeap () returned 0x3a00000 [0077.850] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.850] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286", cAlternateFileName="")) returned 0 [0077.850] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0077.850] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.851] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.852] CloseHandle (hObject=0x44c) returned 1 [0077.852] GetProcessHeap () returned 0x3a00000 [0077.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.852] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="11", cAlternateFileName="")) returned 1 [0077.852] lstrcmpiW (lpString1="11", lpString2="Windows") returned -1 [0077.852] lstrcmpiW (lpString1="11", lpString2="$Recycle.bin") returned 1 [0077.852] lstrcmpiW (lpString1="11", lpString2="System Volume Information") returned -1 [0077.852] lstrcmpiW (lpString1="11", lpString2="Program Files") returned -1 [0077.852] lstrcmpiW (lpString1="11", lpString2="Program Files (x86)") returned -1 [0077.852] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned 79 [0077.852] lstrcmpW (lpString1="11", lpString2=".") returned 1 [0077.852] lstrcmpW (lpString1="11", lpString2="..") returned 1 [0077.852] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.852] GetProcessHeap () returned 0x3a00000 [0077.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.852] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*") returned 81 [0077.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0077.853] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.853] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\.") returned 81 [0077.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.853] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.853] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\..") returned 82 [0077.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.853] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.853] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0077.853] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.853] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\11\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.854] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.855] CloseHandle (hObject=0x44c) returned 1 [0077.855] GetProcessHeap () returned 0x3a00000 [0077.855] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.855] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2954efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="12", cAlternateFileName="")) returned 1 [0077.855] lstrcmpiW (lpString1="12", lpString2="Windows") returned -1 [0077.855] lstrcmpiW (lpString1="12", lpString2="$Recycle.bin") returned 1 [0077.855] lstrcmpiW (lpString1="12", lpString2="System Volume Information") returned -1 [0077.855] lstrcmpiW (lpString1="12", lpString2="Program Files") returned -1 [0077.855] lstrcmpiW (lpString1="12", lpString2="Program Files (x86)") returned -1 [0077.855] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned 79 [0077.855] lstrcmpW (lpString1="12", lpString2=".") returned 1 [0077.855] lstrcmpW (lpString1="12", lpString2="..") returned 1 [0077.855] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.855] GetProcessHeap () returned 0x3a00000 [0077.855] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.855] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*") returned 81 [0077.855] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2954efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0077.857] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.857] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.857] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.857] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\.") returned 81 [0077.857] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.857] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2954efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.857] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.857] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.857] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.857] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.857] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.857] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\..") returned 82 [0077.857] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.857] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194", cAlternateFileName="")) returned 1 [0077.857] lstrcmpiW (lpString1="194", lpString2="Windows") returned -1 [0077.857] lstrcmpiW (lpString1="194", lpString2="$Recycle.bin") returned 1 [0077.857] lstrcmpiW (lpString1="194", lpString2="System Volume Information") returned -1 [0077.857] lstrcmpiW (lpString1="194", lpString2="Program Files") returned -1 [0077.857] lstrcmpiW (lpString1="194", lpString2="Program Files (x86)") returned -1 [0077.857] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194") returned 83 [0077.857] StrStrIW (lpFirst="194", lpSrch=".ebal") returned 0x0 [0077.857] lstrcmpW (lpString1="194", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.857] lstrcmpW (lpString1="194", lpString2="taridd") returned -1 [0077.857] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.858] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\194"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.859] GetTickCount () returned 0x1153cc7 [0077.859] GetTickCount () returned 0x1153cc7 [0077.859] GetTickCount () returned 0x1153cc7 [0077.859] GetTickCount () returned 0x1153cc7 [0077.859] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.859] GetProcessHeap () returned 0x3a00000 [0077.859] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.859] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.860] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.860] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.860] GetProcessHeap () returned 0x3a00000 [0077.860] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.860] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.860] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.861] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.861] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.861] CloseHandle (hObject=0x450) returned 1 [0077.861] GetProcessHeap () returned 0x3a00000 [0077.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.861] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194_r00t_{8ew5f6}.ebal") returned 102 [0077.861] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\194"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\194_r00t_{8ew5f6}.ebal")) returned 1 [0077.862] GetProcessHeap () returned 0x3a00000 [0077.862] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.862] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194", cAlternateFileName="")) returned 0 [0077.862] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0077.862] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.862] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.863] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.864] CloseHandle (hObject=0x44c) returned 1 [0077.864] GetProcessHeap () returned 0x3a00000 [0077.864] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.864] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955681, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f5be9a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="15", cAlternateFileName="")) returned 1 [0077.864] lstrcmpiW (lpString1="15", lpString2="Windows") returned -1 [0077.864] lstrcmpiW (lpString1="15", lpString2="$Recycle.bin") returned 1 [0077.864] lstrcmpiW (lpString1="15", lpString2="System Volume Information") returned -1 [0077.864] lstrcmpiW (lpString1="15", lpString2="Program Files") returned -1 [0077.864] lstrcmpiW (lpString1="15", lpString2="Program Files (x86)") returned -1 [0077.864] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned 79 [0077.864] lstrcmpW (lpString1="15", lpString2=".") returned 1 [0077.864] lstrcmpW (lpString1="15", lpString2="..") returned 1 [0077.864] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.864] GetProcessHeap () returned 0x3a00000 [0077.864] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.864] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*") returned 81 [0077.864] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955681, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f5be9a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0077.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.864] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.864] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.865] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\.") returned 81 [0077.865] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.865] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955681, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f5be9a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.865] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.865] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.865] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.865] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.865] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.865] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\..") returned 82 [0077.865] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.865] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="196", cAlternateFileName="")) returned 1 [0077.865] lstrcmpiW (lpString1="196", lpString2="Windows") returned -1 [0077.865] lstrcmpiW (lpString1="196", lpString2="$Recycle.bin") returned 1 [0077.865] lstrcmpiW (lpString1="196", lpString2="System Volume Information") returned -1 [0077.865] lstrcmpiW (lpString1="196", lpString2="Program Files") returned -1 [0077.865] lstrcmpiW (lpString1="196", lpString2="Program Files (x86)") returned -1 [0077.865] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196") returned 83 [0077.865] StrStrIW (lpFirst="196", lpSrch=".ebal") returned 0x0 [0077.865] lstrcmpW (lpString1="196", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.865] lstrcmpW (lpString1="196", lpString2="taridd") returned -1 [0077.865] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.865] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\196"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.865] GetTickCount () returned 0x1153cc7 [0077.866] GetTickCount () returned 0x1153cc7 [0077.866] GetTickCount () returned 0x1153cc7 [0077.866] GetTickCount () returned 0x1153cc7 [0077.866] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.866] GetProcessHeap () returned 0x3a00000 [0077.866] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.866] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.867] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.867] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.867] GetProcessHeap () returned 0x3a00000 [0077.867] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.867] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.867] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.868] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.868] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.868] CloseHandle (hObject=0x450) returned 1 [0077.868] GetProcessHeap () returned 0x3a00000 [0077.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.868] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196_r00t_{8ew5f6}.ebal") returned 102 [0077.868] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\196"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\196_r00t_{8ew5f6}.ebal")) returned 1 [0077.868] GetProcessHeap () returned 0x3a00000 [0077.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.868] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262", cAlternateFileName="")) returned 1 [0077.868] lstrcmpiW (lpString1="262", lpString2="Windows") returned -1 [0077.868] lstrcmpiW (lpString1="262", lpString2="$Recycle.bin") returned 1 [0077.869] lstrcmpiW (lpString1="262", lpString2="System Volume Information") returned -1 [0077.869] lstrcmpiW (lpString1="262", lpString2="Program Files") returned -1 [0077.869] lstrcmpiW (lpString1="262", lpString2="Program Files (x86)") returned -1 [0077.869] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262") returned 83 [0077.869] StrStrIW (lpFirst="262", lpSrch=".ebal") returned 0x0 [0077.869] lstrcmpW (lpString1="262", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.869] lstrcmpW (lpString1="262", lpString2="taridd") returned -1 [0077.869] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.869] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\262"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.869] GetTickCount () returned 0x1153cc7 [0077.869] GetTickCount () returned 0x1153cc7 [0077.869] GetTickCount () returned 0x1153cc7 [0077.869] GetTickCount () returned 0x1153cc7 [0077.869] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.869] GetProcessHeap () returned 0x3a00000 [0077.869] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.869] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.870] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.870] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.870] GetProcessHeap () returned 0x3a00000 [0077.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.871] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.871] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.871] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.871] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.871] CloseHandle (hObject=0x450) returned 1 [0077.871] GetProcessHeap () returned 0x3a00000 [0077.871] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.871] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262_r00t_{8ew5f6}.ebal") returned 102 [0077.871] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\262"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\262_r00t_{8ew5f6}.ebal")) returned 1 [0077.872] GetProcessHeap () returned 0x3a00000 [0077.872] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.872] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262", cAlternateFileName="")) returned 0 [0077.872] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0077.872] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.872] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.873] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.874] CloseHandle (hObject=0x44c) returned 1 [0077.874] GetProcessHeap () returned 0x3a00000 [0077.874] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.874] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955eb4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17", cAlternateFileName="")) returned 1 [0077.874] lstrcmpiW (lpString1="17", lpString2="Windows") returned -1 [0077.874] lstrcmpiW (lpString1="17", lpString2="$Recycle.bin") returned 1 [0077.874] lstrcmpiW (lpString1="17", lpString2="System Volume Information") returned -1 [0077.874] lstrcmpiW (lpString1="17", lpString2="Program Files") returned -1 [0077.874] lstrcmpiW (lpString1="17", lpString2="Program Files (x86)") returned -1 [0077.874] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned 79 [0077.874] lstrcmpW (lpString1="17", lpString2=".") returned 1 [0077.874] lstrcmpW (lpString1="17", lpString2="..") returned 1 [0077.874] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.874] GetProcessHeap () returned 0x3a00000 [0077.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.874] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*") returned 81 [0077.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955eb4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0077.875] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.875] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.875] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.875] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.875] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.875] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\.") returned 81 [0077.875] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.875] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2955eb4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.875] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.875] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.875] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.875] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.875] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.875] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\..") returned 82 [0077.875] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.875] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.875] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109001", cAlternateFileName="")) returned 1 [0077.875] lstrcmpiW (lpString1="109001", lpString2="Windows") returned -1 [0077.875] lstrcmpiW (lpString1="109001", lpString2="$Recycle.bin") returned 1 [0077.875] lstrcmpiW (lpString1="109001", lpString2="System Volume Information") returned -1 [0077.875] lstrcmpiW (lpString1="109001", lpString2="Program Files") returned -1 [0077.875] lstrcmpiW (lpString1="109001", lpString2="Program Files (x86)") returned -1 [0077.875] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001") returned 86 [0077.875] StrStrIW (lpFirst="109001", lpSrch=".ebal") returned 0x0 [0077.876] lstrcmpW (lpString1="109001", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.876] lstrcmpW (lpString1="109001", lpString2="taridd") returned -1 [0077.876] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.876] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\109001"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.876] GetTickCount () returned 0x1153cd6 [0077.876] GetTickCount () returned 0x1153cd6 [0077.876] GetTickCount () returned 0x1153cd6 [0077.876] GetTickCount () returned 0x1153cd6 [0077.876] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.876] GetProcessHeap () returned 0x3a00000 [0077.876] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.876] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.877] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.877] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.878] GetProcessHeap () returned 0x3a00000 [0077.878] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.878] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.878] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.879] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.879] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.879] CloseHandle (hObject=0x450) returned 1 [0077.879] GetProcessHeap () returned 0x3a00000 [0077.879] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.879] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001_r00t_{8ew5f6}.ebal") returned 105 [0077.879] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\109001"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\109001_r00t_{8ew5f6}.ebal")) returned 1 [0077.880] GetProcessHeap () returned 0x3a00000 [0077.880] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.880] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193", cAlternateFileName="")) returned 1 [0077.880] lstrcmpiW (lpString1="193", lpString2="Windows") returned -1 [0077.880] lstrcmpiW (lpString1="193", lpString2="$Recycle.bin") returned 1 [0077.880] lstrcmpiW (lpString1="193", lpString2="System Volume Information") returned -1 [0077.880] lstrcmpiW (lpString1="193", lpString2="Program Files") returned -1 [0077.880] lstrcmpiW (lpString1="193", lpString2="Program Files (x86)") returned -1 [0077.880] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193") returned 83 [0077.880] StrStrIW (lpFirst="193", lpSrch=".ebal") returned 0x0 [0077.880] lstrcmpW (lpString1="193", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.880] lstrcmpW (lpString1="193", lpString2="taridd") returned -1 [0077.880] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.880] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\193"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.880] GetTickCount () returned 0x1153cd6 [0077.880] GetTickCount () returned 0x1153cd6 [0077.880] GetTickCount () returned 0x1153cd6 [0077.880] GetTickCount () returned 0x1153cd6 [0077.880] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.880] GetProcessHeap () returned 0x3a00000 [0077.881] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.881] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.884] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.885] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.885] GetProcessHeap () returned 0x3a00000 [0077.885] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.885] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.885] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.885] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.886] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.886] CloseHandle (hObject=0x450) returned 1 [0077.886] GetProcessHeap () returned 0x3a00000 [0077.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.886] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193_r00t_{8ew5f6}.ebal") returned 102 [0077.886] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\193"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\193_r00t_{8ew5f6}.ebal")) returned 1 [0077.886] GetProcessHeap () returned 0x3a00000 [0077.887] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.887] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193", cAlternateFileName="")) returned 0 [0077.887] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0077.887] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.887] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.887] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.889] CloseHandle (hObject=0x44c) returned 1 [0077.889] GetProcessHeap () returned 0x3a00000 [0077.889] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.889] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f82233, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="18", cAlternateFileName="")) returned 1 [0077.889] lstrcmpiW (lpString1="18", lpString2="Windows") returned -1 [0077.889] lstrcmpiW (lpString1="18", lpString2="$Recycle.bin") returned 1 [0077.889] lstrcmpiW (lpString1="18", lpString2="System Volume Information") returned -1 [0077.889] lstrcmpiW (lpString1="18", lpString2="Program Files") returned -1 [0077.889] lstrcmpiW (lpString1="18", lpString2="Program Files (x86)") returned -1 [0077.889] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned 79 [0077.889] lstrcmpW (lpString1="18", lpString2=".") returned 1 [0077.889] lstrcmpW (lpString1="18", lpString2="..") returned 1 [0077.889] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.889] GetProcessHeap () returned 0x3a00000 [0077.889] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.889] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*") returned 81 [0077.889] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f82233, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0077.889] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.889] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.889] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.889] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.889] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.889] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\.") returned 81 [0077.889] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.890] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2f82233, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.890] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.890] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.890] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.890] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.890] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.890] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\..") returned 82 [0077.890] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.890] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.890] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109002", cAlternateFileName="")) returned 1 [0077.890] lstrcmpiW (lpString1="109002", lpString2="Windows") returned -1 [0077.890] lstrcmpiW (lpString1="109002", lpString2="$Recycle.bin") returned 1 [0077.890] lstrcmpiW (lpString1="109002", lpString2="System Volume Information") returned -1 [0077.890] lstrcmpiW (lpString1="109002", lpString2="Program Files") returned -1 [0077.890] lstrcmpiW (lpString1="109002", lpString2="Program Files (x86)") returned -1 [0077.890] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002") returned 86 [0077.890] StrStrIW (lpFirst="109002", lpSrch=".ebal") returned 0x0 [0077.890] lstrcmpW (lpString1="109002", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.890] lstrcmpW (lpString1="109002", lpString2="taridd") returned -1 [0077.890] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.890] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\109002"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.890] GetTickCount () returned 0x1153ce6 [0077.890] GetTickCount () returned 0x1153ce6 [0077.890] GetTickCount () returned 0x1153ce6 [0077.890] GetTickCount () returned 0x1153ce6 [0077.891] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.891] GetProcessHeap () returned 0x3a00000 [0077.891] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.891] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.892] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.892] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.892] GetProcessHeap () returned 0x3a00000 [0077.892] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.892] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.892] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.893] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.893] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.893] CloseHandle (hObject=0x450) returned 1 [0077.893] GetProcessHeap () returned 0x3a00000 [0077.893] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.893] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002_r00t_{8ew5f6}.ebal") returned 105 [0077.893] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\109002"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\109002_r00t_{8ew5f6}.ebal")) returned 1 [0077.894] GetProcessHeap () returned 0x3a00000 [0077.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.894] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195", cAlternateFileName="")) returned 1 [0077.894] lstrcmpiW (lpString1="195", lpString2="Windows") returned -1 [0077.894] lstrcmpiW (lpString1="195", lpString2="$Recycle.bin") returned 1 [0077.894] lstrcmpiW (lpString1="195", lpString2="System Volume Information") returned -1 [0077.894] lstrcmpiW (lpString1="195", lpString2="Program Files") returned -1 [0077.894] lstrcmpiW (lpString1="195", lpString2="Program Files (x86)") returned -1 [0077.894] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195") returned 83 [0077.894] StrStrIW (lpFirst="195", lpSrch=".ebal") returned 0x0 [0077.894] lstrcmpW (lpString1="195", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.894] lstrcmpW (lpString1="195", lpString2="taridd") returned -1 [0077.894] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.894] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\195"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.894] GetTickCount () returned 0x1153ce6 [0077.894] GetTickCount () returned 0x1153ce6 [0077.894] GetTickCount () returned 0x1153ce6 [0077.894] GetTickCount () returned 0x1153ce6 [0077.894] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.895] GetProcessHeap () returned 0x3a00000 [0077.895] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.895] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.896] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.896] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.896] GetProcessHeap () returned 0x3a00000 [0077.896] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.896] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.896] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.896] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.897] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.897] CloseHandle (hObject=0x450) returned 1 [0077.897] GetProcessHeap () returned 0x3a00000 [0077.897] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.897] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195_r00t_{8ew5f6}.ebal") returned 102 [0077.897] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\195"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\195_r00t_{8ew5f6}.ebal")) returned 1 [0077.898] GetProcessHeap () returned 0x3a00000 [0077.898] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.898] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195", cAlternateFileName="")) returned 0 [0077.898] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0077.898] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.898] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.898] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.899] CloseHandle (hObject=0x44c) returned 1 [0077.899] GetProcessHeap () returned 0x3a00000 [0077.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.899] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956d56, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19", cAlternateFileName="")) returned 1 [0077.899] lstrcmpiW (lpString1="19", lpString2="Windows") returned -1 [0077.899] lstrcmpiW (lpString1="19", lpString2="$Recycle.bin") returned 1 [0077.899] lstrcmpiW (lpString1="19", lpString2="System Volume Information") returned -1 [0077.899] lstrcmpiW (lpString1="19", lpString2="Program Files") returned -1 [0077.899] lstrcmpiW (lpString1="19", lpString2="Program Files (x86)") returned -1 [0077.899] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned 79 [0077.899] lstrcmpW (lpString1="19", lpString2=".") returned 1 [0077.899] lstrcmpW (lpString1="19", lpString2="..") returned 1 [0077.899] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.899] GetProcessHeap () returned 0x3a00000 [0077.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.900] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*") returned 81 [0077.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956d56, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0077.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.900] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\.") returned 81 [0077.900] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.900] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2956d56, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.900] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.900] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.900] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.900] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.900] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.900] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\..") returned 82 [0077.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.900] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="266", cAlternateFileName="")) returned 1 [0077.900] lstrcmpiW (lpString1="266", lpString2="Windows") returned -1 [0077.900] lstrcmpiW (lpString1="266", lpString2="$Recycle.bin") returned 1 [0077.900] lstrcmpiW (lpString1="266", lpString2="System Volume Information") returned -1 [0077.900] lstrcmpiW (lpString1="266", lpString2="Program Files") returned -1 [0077.900] lstrcmpiW (lpString1="266", lpString2="Program Files (x86)") returned -1 [0077.900] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266") returned 83 [0077.900] StrStrIW (lpFirst="266", lpSrch=".ebal") returned 0x0 [0077.900] lstrcmpW (lpString1="266", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.900] lstrcmpW (lpString1="266", lpString2="taridd") returned -1 [0077.901] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.901] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\266"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.901] GetTickCount () returned 0x1153ce6 [0077.901] GetTickCount () returned 0x1153ce6 [0077.901] GetTickCount () returned 0x1153ce6 [0077.901] GetTickCount () returned 0x1153ce6 [0077.901] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.901] GetProcessHeap () returned 0x3a00000 [0077.901] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.901] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.902] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.902] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.902] GetProcessHeap () returned 0x3a00000 [0077.902] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.902] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.902] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.903] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.903] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.903] CloseHandle (hObject=0x450) returned 1 [0077.903] GetProcessHeap () returned 0x3a00000 [0077.903] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.903] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266_r00t_{8ew5f6}.ebal") returned 102 [0077.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\266"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\266_r00t_{8ew5f6}.ebal")) returned 1 [0077.904] GetProcessHeap () returned 0x3a00000 [0077.904] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.904] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="272", cAlternateFileName="")) returned 1 [0077.904] lstrcmpiW (lpString1="272", lpString2="Windows") returned -1 [0077.904] lstrcmpiW (lpString1="272", lpString2="$Recycle.bin") returned 1 [0077.904] lstrcmpiW (lpString1="272", lpString2="System Volume Information") returned -1 [0077.904] lstrcmpiW (lpString1="272", lpString2="Program Files") returned -1 [0077.904] lstrcmpiW (lpString1="272", lpString2="Program Files (x86)") returned -1 [0077.904] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272") returned 83 [0077.904] StrStrIW (lpFirst="272", lpSrch=".ebal") returned 0x0 [0077.904] lstrcmpW (lpString1="272", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.904] lstrcmpW (lpString1="272", lpString2="taridd") returned -1 [0077.904] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.904] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\272"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.905] GetTickCount () returned 0x1153cf6 [0077.905] GetTickCount () returned 0x1153cf6 [0077.905] GetTickCount () returned 0x1153cf6 [0077.905] GetTickCount () returned 0x1153cf6 [0077.905] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.905] GetProcessHeap () returned 0x3a00000 [0077.905] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.905] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.906] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.906] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.906] GetProcessHeap () returned 0x3a00000 [0077.906] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.906] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.906] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.907] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.907] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.907] CloseHandle (hObject=0x450) returned 1 [0077.908] GetProcessHeap () returned 0x3a00000 [0077.908] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.908] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272_r00t_{8ew5f6}.ebal") returned 102 [0077.908] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\272"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\272_r00t_{8ew5f6}.ebal")) returned 1 [0077.908] GetProcessHeap () returned 0x3a00000 [0077.908] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.908] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328", cAlternateFileName="")) returned 1 [0077.908] lstrcmpiW (lpString1="328", lpString2="Windows") returned -1 [0077.908] lstrcmpiW (lpString1="328", lpString2="$Recycle.bin") returned 1 [0077.908] lstrcmpiW (lpString1="328", lpString2="System Volume Information") returned -1 [0077.908] lstrcmpiW (lpString1="328", lpString2="Program Files") returned -1 [0077.908] lstrcmpiW (lpString1="328", lpString2="Program Files (x86)") returned -1 [0077.908] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328") returned 83 [0077.908] StrStrIW (lpFirst="328", lpSrch=".ebal") returned 0x0 [0077.908] lstrcmpW (lpString1="328", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.909] lstrcmpW (lpString1="328", lpString2="taridd") returned -1 [0077.909] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.909] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\328"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.909] GetTickCount () returned 0x1153cf6 [0077.909] GetTickCount () returned 0x1153cf6 [0077.909] GetTickCount () returned 0x1153cf6 [0077.909] GetTickCount () returned 0x1153cf6 [0077.910] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.910] GetProcessHeap () returned 0x3a00000 [0077.910] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.910] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.911] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.911] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.911] GetProcessHeap () returned 0x3a00000 [0077.911] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.911] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.911] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.912] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.912] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.912] CloseHandle (hObject=0x450) returned 1 [0077.912] GetProcessHeap () returned 0x3a00000 [0077.912] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.912] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328_r00t_{8ew5f6}.ebal") returned 102 [0077.912] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\328"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\328_r00t_{8ew5f6}.ebal")) returned 1 [0077.913] GetProcessHeap () returned 0x3a00000 [0077.913] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.913] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328", cAlternateFileName="")) returned 0 [0077.913] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0077.913] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.914] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.915] CloseHandle (hObject=0x44c) returned 1 [0077.915] GetProcessHeap () returned 0x3a00000 [0077.915] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.915] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29575a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="21", cAlternateFileName="")) returned 1 [0077.915] lstrcmpiW (lpString1="21", lpString2="Windows") returned -1 [0077.915] lstrcmpiW (lpString1="21", lpString2="$Recycle.bin") returned 1 [0077.915] lstrcmpiW (lpString1="21", lpString2="System Volume Information") returned -1 [0077.915] lstrcmpiW (lpString1="21", lpString2="Program Files") returned -1 [0077.915] lstrcmpiW (lpString1="21", lpString2="Program Files (x86)") returned -1 [0077.915] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned 79 [0077.915] lstrcmpW (lpString1="21", lpString2=".") returned 1 [0077.915] lstrcmpW (lpString1="21", lpString2="..") returned 1 [0077.915] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.915] GetProcessHeap () returned 0x3a00000 [0077.915] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.915] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*") returned 81 [0077.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29575a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0077.915] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.915] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.915] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.916] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\.") returned 81 [0077.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.916] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29575a5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa22bde00, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.916] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.916] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.916] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.916] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\..") returned 82 [0077.916] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.916] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.916] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260", cAlternateFileName="")) returned 1 [0077.916] lstrcmpiW (lpString1="260", lpString2="Windows") returned -1 [0077.916] lstrcmpiW (lpString1="260", lpString2="$Recycle.bin") returned 1 [0077.916] lstrcmpiW (lpString1="260", lpString2="System Volume Information") returned -1 [0077.916] lstrcmpiW (lpString1="260", lpString2="Program Files") returned -1 [0077.916] lstrcmpiW (lpString1="260", lpString2="Program Files (x86)") returned -1 [0077.916] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260") returned 83 [0077.916] StrStrIW (lpFirst="260", lpSrch=".ebal") returned 0x0 [0077.916] lstrcmpW (lpString1="260", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.916] lstrcmpW (lpString1="260", lpString2="taridd") returned -1 [0077.916] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.916] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\260"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.917] GetTickCount () returned 0x1153cf6 [0077.917] GetTickCount () returned 0x1153cf6 [0077.917] GetTickCount () returned 0x1153cf6 [0077.917] GetTickCount () returned 0x1153cf6 [0077.917] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.917] GetProcessHeap () returned 0x3a00000 [0077.917] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.917] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.918] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.918] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.918] GetProcessHeap () returned 0x3a00000 [0077.918] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.918] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.918] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.919] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.919] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.919] CloseHandle (hObject=0x450) returned 1 [0077.919] GetProcessHeap () returned 0x3a00000 [0077.919] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.919] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260_r00t_{8ew5f6}.ebal") returned 102 [0077.919] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\260"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\260_r00t_{8ew5f6}.ebal")) returned 1 [0077.920] GetProcessHeap () returned 0x3a00000 [0077.920] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.920] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260", cAlternateFileName="")) returned 0 [0077.920] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0077.920] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.920] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.922] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.923] CloseHandle (hObject=0x44c) returned 1 [0077.923] GetProcessHeap () returned 0x3a00000 [0077.923] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.923] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2957eed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22", cAlternateFileName="")) returned 1 [0077.923] lstrcmpiW (lpString1="22", lpString2="Windows") returned -1 [0077.923] lstrcmpiW (lpString1="22", lpString2="$Recycle.bin") returned 1 [0077.923] lstrcmpiW (lpString1="22", lpString2="System Volume Information") returned -1 [0077.923] lstrcmpiW (lpString1="22", lpString2="Program Files") returned -1 [0077.923] lstrcmpiW (lpString1="22", lpString2="Program Files (x86)") returned -1 [0077.923] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned 79 [0077.923] lstrcmpW (lpString1="22", lpString2=".") returned 1 [0077.923] lstrcmpW (lpString1="22", lpString2="..") returned 1 [0077.923] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.923] GetProcessHeap () returned 0x3a00000 [0077.923] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.923] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*") returned 81 [0077.923] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2957eed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0077.950] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.950] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.950] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.950] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.950] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.950] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\.") returned 81 [0077.950] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.950] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2957eed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.950] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.951] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\..") returned 82 [0077.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.951] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109003", cAlternateFileName="")) returned 1 [0077.951] lstrcmpiW (lpString1="109003", lpString2="Windows") returned -1 [0077.951] lstrcmpiW (lpString1="109003", lpString2="$Recycle.bin") returned 1 [0077.951] lstrcmpiW (lpString1="109003", lpString2="System Volume Information") returned -1 [0077.951] lstrcmpiW (lpString1="109003", lpString2="Program Files") returned -1 [0077.951] lstrcmpiW (lpString1="109003", lpString2="Program Files (x86)") returned -1 [0077.951] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003") returned 86 [0077.951] StrStrIW (lpFirst="109003", lpSrch=".ebal") returned 0x0 [0077.951] lstrcmpW (lpString1="109003", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.951] lstrcmpW (lpString1="109003", lpString2="taridd") returned -1 [0077.951] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.951] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109003"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.952] GetTickCount () returned 0x1153d25 [0077.952] GetTickCount () returned 0x1153d25 [0077.952] GetTickCount () returned 0x1153d25 [0077.952] GetTickCount () returned 0x1153d25 [0077.952] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.952] GetProcessHeap () returned 0x3a00000 [0077.952] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.952] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.953] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.953] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.953] GetProcessHeap () returned 0x3a00000 [0077.953] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.953] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.953] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.954] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.954] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.954] CloseHandle (hObject=0x450) returned 1 [0077.954] GetProcessHeap () returned 0x3a00000 [0077.954] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.954] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003_r00t_{8ew5f6}.ebal") returned 105 [0077.954] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109003"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109003_r00t_{8ew5f6}.ebal")) returned 1 [0077.955] GetProcessHeap () returned 0x3a00000 [0077.955] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.955] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109006", cAlternateFileName="")) returned 1 [0077.955] lstrcmpiW (lpString1="109006", lpString2="Windows") returned -1 [0077.956] lstrcmpiW (lpString1="109006", lpString2="$Recycle.bin") returned 1 [0077.956] lstrcmpiW (lpString1="109006", lpString2="System Volume Information") returned -1 [0077.956] lstrcmpiW (lpString1="109006", lpString2="Program Files") returned -1 [0077.956] lstrcmpiW (lpString1="109006", lpString2="Program Files (x86)") returned -1 [0077.956] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006") returned 86 [0077.956] StrStrIW (lpFirst="109006", lpSrch=".ebal") returned 0x0 [0077.956] lstrcmpW (lpString1="109006", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.956] lstrcmpW (lpString1="109006", lpString2="taridd") returned -1 [0077.956] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.956] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109006"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0077.956] GetTickCount () returned 0x1153d25 [0077.956] GetTickCount () returned 0x1153d25 [0077.956] GetTickCount () returned 0x1153d25 [0077.956] GetTickCount () returned 0x1153d25 [0077.956] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0077.956] GetProcessHeap () returned 0x3a00000 [0077.956] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a742b0 [0077.956] ReadFile (in: hFile=0x450, lpBuffer=0x3a742b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesRead=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.957] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0xffffff78, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.957] WriteFile (in: hFile=0x450, lpBuffer=0x3a742b0*, nNumberOfBytesToWrite=0x88, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a742b0*, lpNumberOfBytesWritten=0x65ae8b4*=0x88, lpOverlapped=0x0) returned 1 [0077.958] GetProcessHeap () returned 0x3a00000 [0077.958] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742b0 | out: hHeap=0x3a00000) returned 1 [0077.958] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.958] WriteFile (in: hFile=0x450, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0077.958] WriteFile (in: hFile=0x450, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0077.958] WriteFile (in: hFile=0x450, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0077.958] CloseHandle (hObject=0x450) returned 1 [0077.959] GetProcessHeap () returned 0x3a00000 [0077.959] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70698 [0077.959] wnsprintfW (in: pszDest=0x3a70698, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006_r00t_{8ew5f6}.ebal") returned 105 [0077.959] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109006"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\109006_r00t_{8ew5f6}.ebal")) returned 1 [0077.959] GetProcessHeap () returned 0x3a00000 [0077.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70698 | out: hHeap=0x3a00000) returned 1 [0077.959] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0x356bdc8f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x88, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109006", cAlternateFileName="")) returned 0 [0077.959] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0077.959] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0077.959] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.960] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.961] CloseHandle (hObject=0x44c) returned 1 [0077.961] GetProcessHeap () returned 0x3a00000 [0077.961] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.961] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc2957eed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22", cAlternateFileName="")) returned 0 [0077.961] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0077.961] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0077.961] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.961] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0077.962] CloseHandle (hObject=0x440) returned 1 [0077.962] GetProcessHeap () returned 0x3a00000 [0077.962] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.962] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 0 [0077.962] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0077.962] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0077.962] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\mput\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.963] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.964] CloseHandle (hObject=0x43c) returned 1 [0077.964] GetProcessHeap () returned 0x3a00000 [0077.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.965] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RemCheck", cAlternateFileName="")) returned 1 [0077.965] lstrcmpiW (lpString1="RemCheck", lpString2="Windows") returned -1 [0077.965] lstrcmpiW (lpString1="RemCheck", lpString2="$Recycle.bin") returned 1 [0077.965] lstrcmpiW (lpString1="RemCheck", lpString2="System Volume Information") returned -1 [0077.965] lstrcmpiW (lpString1="RemCheck", lpString2="Program Files") returned 1 [0077.965] lstrcmpiW (lpString1="RemCheck", lpString2="Program Files (x86)") returned 1 [0077.965] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned 68 [0077.965] lstrcmpW (lpString1="RemCheck", lpString2=".") returned 1 [0077.965] lstrcmpW (lpString1="RemCheck", lpString2="..") returned 1 [0077.965] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.965] GetProcessHeap () returned 0x3a00000 [0077.965] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*") returned 70 [0077.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0077.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.965] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.965] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.965] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.965] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\.") returned 70 [0077.965] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.965] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.965] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.965] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.965] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.965] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.965] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.965] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\..") returned 71 [0077.965] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.965] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.966] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.966] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0077.966] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0077.966] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\remcheck\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.967] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.967] CloseHandle (hObject=0x43c) returned 1 [0077.968] GetProcessHeap () returned 0x3a00000 [0077.968] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.968] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Results", cAlternateFileName="")) returned 1 [0077.968] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0077.968] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0077.968] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0077.968] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0077.968] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0077.968] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 67 [0077.968] lstrcmpW (lpString1="Results", lpString2=".") returned 1 [0077.968] lstrcmpW (lpString1="Results", lpString2="..") returned 1 [0077.968] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.968] GetProcessHeap () returned 0x3a00000 [0077.968] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.968] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned 69 [0077.968] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0077.969] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.969] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.969] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.969] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.969] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.969] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\.") returned 69 [0077.969] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.969] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.969] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.969] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.969] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.969] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.969] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.969] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\..") returned 70 [0077.969] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.969] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.969] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.969] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0077.969] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0077.969] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Results\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\results\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.970] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.971] CloseHandle (hObject=0x43c) returned 1 [0077.971] GetProcessHeap () returned 0x3a00000 [0077.971] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.971] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1717573f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Service", cAlternateFileName="")) returned 1 [0077.971] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0077.971] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0077.971] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0077.971] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0077.971] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0077.971] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 67 [0077.971] lstrcmpW (lpString1="Service", lpString2=".") returned 1 [0077.971] lstrcmpW (lpString1="Service", lpString2="..") returned 1 [0077.971] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.971] GetProcessHeap () returned 0x3a00000 [0077.971] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.971] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned 69 [0077.971] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1717573f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0077.971] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.971] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.971] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.971] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.971] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.971] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\.") returned 69 [0077.972] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.972] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1717573f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.972] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.972] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.972] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.972] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.972] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.972] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\..") returned 70 [0077.972] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.972] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.972] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1717573f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.972] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0077.972] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0077.972] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\service\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.972] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.973] CloseHandle (hObject=0x43c) returned 1 [0077.973] GetProcessHeap () returned 0x3a00000 [0077.973] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.973] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Store", cAlternateFileName="")) returned 1 [0077.973] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0077.973] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0077.973] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0077.973] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0077.973] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0077.973] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 65 [0077.973] lstrcmpW (lpString1="Store", lpString2=".") returned 1 [0077.973] lstrcmpW (lpString1="Store", lpString2="..") returned 1 [0077.974] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.974] GetProcessHeap () returned 0x3a00000 [0077.974] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned 67 [0077.974] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0077.974] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.974] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.974] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.974] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.974] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\.") returned 67 [0077.974] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.974] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.974] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.974] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.974] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.974] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.974] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\..") returned 68 [0077.974] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.974] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.974] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.974] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0077.974] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0077.974] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Store\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\store\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.975] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.976] CloseHandle (hObject=0x43c) returned 1 [0077.976] GetProcessHeap () returned 0x3a00000 [0077.976] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.976] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Store", cAlternateFileName="")) returned 0 [0077.976] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0077.976] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0077.976] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\history\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0077.977] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0077.977] CloseHandle (hObject=0x438) returned 1 [0077.978] GetProcessHeap () returned 0x3a00000 [0077.978] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0077.978] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MetaStore", cAlternateFileName="METAST~1")) returned 1 [0077.978] lstrcmpiW (lpString1="MetaStore", lpString2="Windows") returned -1 [0077.978] lstrcmpiW (lpString1="MetaStore", lpString2="$Recycle.bin") returned 1 [0077.978] lstrcmpiW (lpString1="MetaStore", lpString2="System Volume Information") returned -1 [0077.978] lstrcmpiW (lpString1="MetaStore", lpString2="Program Files") returned -1 [0077.978] lstrcmpiW (lpString1="MetaStore", lpString2="Program Files (x86)") returned -1 [0077.978] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned 61 [0077.978] lstrcmpW (lpString1="MetaStore", lpString2=".") returned 1 [0077.978] lstrcmpW (lpString1="MetaStore", lpString2="..") returned 1 [0077.978] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.978] GetProcessHeap () returned 0x3a00000 [0077.978] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0077.978] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*") returned 63 [0077.978] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0077.979] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.979] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.979] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.979] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.979] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.979] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\.") returned 63 [0077.979] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.979] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.979] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.979] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.979] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.979] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.979] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.979] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\..") returned 64 [0077.979] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.979] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.979] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1", cAlternateFileName="")) returned 1 [0077.979] lstrcmpiW (lpString1="1", lpString2="Windows") returned -1 [0077.979] lstrcmpiW (lpString1="1", lpString2="$Recycle.bin") returned 1 [0077.979] lstrcmpiW (lpString1="1", lpString2="System Volume Information") returned -1 [0077.979] lstrcmpiW (lpString1="1", lpString2="Program Files") returned -1 [0077.979] lstrcmpiW (lpString1="1", lpString2="Program Files (x86)") returned -1 [0077.979] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned 63 [0077.979] lstrcmpW (lpString1="1", lpString2=".") returned 1 [0077.979] lstrcmpW (lpString1="1", lpString2="..") returned 1 [0077.979] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.979] GetProcessHeap () returned 0x3a00000 [0077.979] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.979] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*") returned 65 [0077.979] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0077.979] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.979] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.980] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.980] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.980] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\.") returned 65 [0077.980] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.980] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.980] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.980] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.980] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.980] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.980] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\..") returned 66 [0077.980] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.980] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.980] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0077.980] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0077.980] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0077.980] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\1\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.980] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0077.981] CloseHandle (hObject=0x43c) returned 1 [0077.981] GetProcessHeap () returned 0x3a00000 [0077.981] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0077.981] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2", cAlternateFileName="")) returned 1 [0077.981] lstrcmpiW (lpString1="2", lpString2="Windows") returned -1 [0077.982] lstrcmpiW (lpString1="2", lpString2="$Recycle.bin") returned 1 [0077.982] lstrcmpiW (lpString1="2", lpString2="System Volume Information") returned -1 [0077.982] lstrcmpiW (lpString1="2", lpString2="Program Files") returned -1 [0077.982] lstrcmpiW (lpString1="2", lpString2="Program Files (x86)") returned -1 [0077.982] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned 63 [0077.982] lstrcmpW (lpString1="2", lpString2=".") returned 1 [0077.982] lstrcmpW (lpString1="2", lpString2="..") returned 1 [0077.982] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.982] GetProcessHeap () returned 0x3a00000 [0077.982] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0077.982] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*") returned 65 [0077.982] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0077.982] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.982] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.982] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.982] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.982] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.982] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\.") returned 65 [0077.982] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.982] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.982] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.982] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.982] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.982] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.982] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.982] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\..") returned 66 [0077.982] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.982] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.982] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a331af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="94", cAlternateFileName="")) returned 1 [0077.982] lstrcmpiW (lpString1="94", lpString2="Windows") returned -1 [0077.982] lstrcmpiW (lpString1="94", lpString2="$Recycle.bin") returned 1 [0077.982] lstrcmpiW (lpString1="94", lpString2="System Volume Information") returned -1 [0077.983] lstrcmpiW (lpString1="94", lpString2="Program Files") returned -1 [0077.983] lstrcmpiW (lpString1="94", lpString2="Program Files (x86)") returned -1 [0077.983] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94") returned 66 [0077.983] lstrcmpW (lpString1="94", lpString2=".") returned 1 [0077.983] lstrcmpW (lpString1="94", lpString2="..") returned 1 [0077.983] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0077.983] GetProcessHeap () returned 0x3a00000 [0077.983] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0077.983] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\*") returned 68 [0077.983] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a331af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0077.983] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0077.984] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0077.984] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0077.984] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0077.984] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0077.984] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\.") returned 68 [0077.984] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0077.984] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a331af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0077.984] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0077.984] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0077.984] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0077.984] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0077.984] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0077.984] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\..") returned 69 [0077.984] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0077.984] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0077.984] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7710f5c8, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x13d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A75BFDE52F3DD8E6.dat", cAlternateFileName="A75BFD~1.DAT")) returned 1 [0077.984] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="Windows") returned -1 [0077.984] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="$Recycle.bin") returned 1 [0077.984] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="System Volume Information") returned -1 [0077.984] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="Program Files") returned -1 [0077.984] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="Program Files (x86)") returned -1 [0077.984] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat") returned 87 [0077.984] StrStrIW (lpFirst="A75BFDE52F3DD8E6.dat", lpSrch=".ebal") returned 0x0 [0077.984] lstrcmpW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0077.984] lstrcmpW (lpString1="A75BFDE52F3DD8E6.dat", lpString2="taridd") returned -1 [0077.984] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0077.984] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\94\\a75bfde52f3dd8e6.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0077.987] GetTickCount () returned 0x1153d44 [0077.987] GetTickCount () returned 0x1153d44 [0077.987] GetTickCount () returned 0x1153d44 [0077.987] GetTickCount () returned 0x1153d44 [0077.987] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0077.987] GetProcessHeap () returned 0x3a00000 [0077.987] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0077.987] ReadFile (in: hFile=0x44c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aeb3c*=0x13d9, lpOverlapped=0x0) returned 1 [0077.990] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffec27, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0077.990] WriteFile (in: hFile=0x44c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x13d9, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aeb3c*=0x13d9, lpOverlapped=0x0) returned 1 [0077.990] GetProcessHeap () returned 0x3a00000 [0077.990] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0077.990] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.990] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0077.990] WriteFile (in: hFile=0x44c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0077.991] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0077.991] CloseHandle (hObject=0x44c) returned 1 [0077.991] GetProcessHeap () returned 0x3a00000 [0077.991] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a70290 [0077.991] wnsprintfW (in: pszDest=0x3a70290, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal") returned 106 [0077.991] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\94\\a75bfde52f3dd8e6.dat"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\94\\a75bfde52f3dd8e6.dat_r00t_{8ew5f6}.ebal")) returned 1 [0077.992] GetProcessHeap () returned 0x3a00000 [0077.992] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a70290 | out: hHeap=0x3a00000) returned 1 [0077.992] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7710f5c8, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x13d9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A75BFDE52F3DD8E6.dat", cAlternateFileName="A75BFD~1.DAT")) returned 0 [0077.992] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0077.992] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0077.992] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\94\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0077.992] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0077.993] CloseHandle (hObject=0x440) returned 1 [0077.993] GetProcessHeap () returned 0x3a00000 [0077.993] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0077.993] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a331af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7710f5c8, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="94", cAlternateFileName="")) returned 0 [0077.993] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0077.993] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0077.994] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\2\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0077.996] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.200] CloseHandle (hObject=0x43c) returned 1 [0078.201] GetProcessHeap () returned 0x3a00000 [0078.201] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0078.201] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3", cAlternateFileName="")) returned 1 [0078.201] lstrcmpiW (lpString1="3", lpString2="Windows") returned -1 [0078.201] lstrcmpiW (lpString1="3", lpString2="$Recycle.bin") returned 1 [0078.201] lstrcmpiW (lpString1="3", lpString2="System Volume Information") returned -1 [0078.201] lstrcmpiW (lpString1="3", lpString2="Program Files") returned -1 [0078.201] lstrcmpiW (lpString1="3", lpString2="Program Files (x86)") returned -1 [0078.201] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned 63 [0078.201] lstrcmpW (lpString1="3", lpString2=".") returned 1 [0078.201] lstrcmpW (lpString1="3", lpString2="..") returned 1 [0078.201] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.201] GetProcessHeap () returned 0x3a00000 [0078.201] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0078.201] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*") returned 65 [0078.201] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0078.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.201] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\.") returned 65 [0078.202] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.202] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.202] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\..") returned 66 [0078.202] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.202] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.202] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.202] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0078.202] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0078.202] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\3\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.203] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.204] CloseHandle (hObject=0x43c) returned 1 [0078.204] GetProcessHeap () returned 0x3a00000 [0078.204] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0078.204] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4", cAlternateFileName="")) returned 1 [0078.204] lstrcmpiW (lpString1="4", lpString2="Windows") returned -1 [0078.204] lstrcmpiW (lpString1="4", lpString2="$Recycle.bin") returned 1 [0078.204] lstrcmpiW (lpString1="4", lpString2="System Volume Information") returned -1 [0078.204] lstrcmpiW (lpString1="4", lpString2="Program Files") returned -1 [0078.204] lstrcmpiW (lpString1="4", lpString2="Program Files (x86)") returned -1 [0078.204] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned 63 [0078.204] lstrcmpW (lpString1="4", lpString2=".") returned 1 [0078.204] lstrcmpW (lpString1="4", lpString2="..") returned 1 [0078.204] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.204] GetProcessHeap () returned 0x3a00000 [0078.204] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0078.204] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*") returned 65 [0078.204] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0078.204] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.204] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.204] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.204] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.204] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.204] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\.") returned 65 [0078.204] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.204] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.205] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.205] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.205] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.205] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.205] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.205] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\..") returned 66 [0078.205] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.205] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.205] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.205] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0078.205] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0078.205] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\4\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.205] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.206] CloseHandle (hObject=0x43c) returned 1 [0078.206] GetProcessHeap () returned 0x3a00000 [0078.206] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0078.206] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4", cAlternateFileName="")) returned 0 [0078.206] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0078.207] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0078.207] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\MetaStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\metastore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.212] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0078.213] CloseHandle (hObject=0x438) returned 1 [0078.213] GetProcessHeap () returned 0x3a00000 [0078.213] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.213] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fab0876, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2fab0876, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xa2ac97, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", cAlternateFileName="")) returned 1 [0078.213] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="Windows") returned -1 [0078.213] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="$Recycle.bin") returned 1 [0078.213] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="System Volume Information") returned -1 [0078.213] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="Program Files") returned -1 [0078.213] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="Program Files (x86)") returned -1 [0078.213] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin") returned 104 [0078.213] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpSrch=".ebal") returned 0x0 [0078.213] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.213] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin", lpString2="taridd") returned -1 [0078.213] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.213] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] GetTickCount () returned 0x1153e1f [0078.214] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.215] GetProcessHeap () returned 0x3a00000 [0078.215] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.215] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.218] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.218] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.218] GetProcessHeap () returned 0x3a00000 [0078.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.218] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.218] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.220] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.221] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.221] CloseHandle (hObject=0x438) returned 1 [0078.221] GetProcessHeap () returned 0x3a00000 [0078.221] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.221] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal") returned 123 [0078.221] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin_r00t_{8ew5f6}.ebal")) returned 1 [0078.222] GetProcessHeap () returned 0x3a00000 [0078.222] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.222] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x379ee1a9, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x18ea5e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", cAlternateFileName="")) returned 1 [0078.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="Windows") returned -1 [0078.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="$Recycle.bin") returned 1 [0078.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="System Volume Information") returned -1 [0078.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="Program Files") returned -1 [0078.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="Program Files (x86)") returned -1 [0078.222] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B") returned 107 [0078.222] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpSrch=".ebal") returned 0x0 [0078.222] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.222] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B", lpString2="taridd") returned -1 [0078.222] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.222] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.5b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.224] GetTickCount () returned 0x1153e2e [0078.224] GetTickCount () returned 0x1153e2e [0078.224] GetTickCount () returned 0x1153e2e [0078.224] GetTickCount () returned 0x1153e2e [0078.224] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.224] GetProcessHeap () returned 0x3a00000 [0078.224] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.224] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.226] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.226] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.226] GetProcessHeap () returned 0x3a00000 [0078.226] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.226] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.226] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.228] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.228] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.229] CloseHandle (hObject=0x438) returned 1 [0078.229] GetProcessHeap () returned 0x3a00000 [0078.229] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.229] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal") returned 126 [0078.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.5b"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.5b_r00t_{8ew5f6}.ebal")) returned 1 [0078.229] GetProcessHeap () returned 0x3a00000 [0078.229] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.229] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37149d8d, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37149d8d, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3754fb0e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x6a1ab6c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", cAlternateFileName="")) returned 1 [0078.230] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="Windows") returned -1 [0078.230] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="$Recycle.bin") returned 1 [0078.230] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="System Volume Information") returned -1 [0078.230] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="Program Files") returned -1 [0078.230] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="Program Files (x86)") returned -1 [0078.230] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67") returned 107 [0078.230] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpSrch=".ebal") returned 0x0 [0078.230] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.230] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67", lpString2="taridd") returned -1 [0078.230] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.230] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.67"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.231] GetTickCount () returned 0x1153e2e [0078.231] GetTickCount () returned 0x1153e2e [0078.231] GetTickCount () returned 0x1153e2e [0078.231] GetTickCount () returned 0x1153e2e [0078.231] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.231] GetProcessHeap () returned 0x3a00000 [0078.231] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.231] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.234] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.234] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.235] GetProcessHeap () returned 0x3a00000 [0078.235] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.235] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.235] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.243] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.243] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.243] CloseHandle (hObject=0x438) returned 1 [0078.243] GetProcessHeap () returned 0x3a00000 [0078.243] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.243] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal") returned 126 [0078.243] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.67"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.67_r00t_{8ew5f6}.ebal")) returned 1 [0078.248] GetProcessHeap () returned 0x3a00000 [0078.248] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.248] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x37575d5f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37575d5f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3771965f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x3b14000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", cAlternateFileName="")) returned 1 [0078.248] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="Windows") returned -1 [0078.248] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="$Recycle.bin") returned 1 [0078.248] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="System Volume Information") returned -1 [0078.248] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="Program Files") returned -1 [0078.248] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="Program Files (x86)") returned -1 [0078.248] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79") returned 107 [0078.248] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpSrch=".ebal") returned 0x0 [0078.248] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.248] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79", lpString2="taridd") returned -1 [0078.248] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.248] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.79"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.251] GetTickCount () returned 0x1153e4d [0078.251] GetTickCount () returned 0x1153e4d [0078.251] GetTickCount () returned 0x1153e4d [0078.251] GetTickCount () returned 0x1153e4d [0078.251] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.252] GetProcessHeap () returned 0x3a00000 [0078.252] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.252] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.255] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.256] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.257] GetProcessHeap () returned 0x3a00000 [0078.257] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.257] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.257] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.258] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.258] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.258] CloseHandle (hObject=0x438) returned 1 [0078.259] GetProcessHeap () returned 0x3a00000 [0078.259] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal") returned 126 [0078.259] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.79"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.79_r00t_{8ew5f6}.ebal")) returned 1 [0078.259] GetProcessHeap () returned 0x3a00000 [0078.259] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.259] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x3771965f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3771965f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3773f8ba, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x529000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", cAlternateFileName="")) returned 1 [0078.259] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="Windows") returned -1 [0078.259] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="$Recycle.bin") returned 1 [0078.259] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="System Volume Information") returned -1 [0078.259] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="Program Files") returned -1 [0078.260] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="Program Files (x86)") returned -1 [0078.260] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C") returned 107 [0078.260] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpSrch=".ebal") returned 0x0 [0078.260] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.260] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C", lpString2="taridd") returned -1 [0078.260] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.260] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.261] GetTickCount () returned 0x1153e4d [0078.261] GetTickCount () returned 0x1153e4d [0078.261] GetTickCount () returned 0x1153e4d [0078.261] GetTickCount () returned 0x1153e4d [0078.261] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.261] GetProcessHeap () returned 0x3a00000 [0078.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.261] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.270] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.270] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.272] GetProcessHeap () returned 0x3a00000 [0078.272] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.272] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.272] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.274] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.274] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.274] CloseHandle (hObject=0x438) returned 1 [0078.274] GetProcessHeap () returned 0x3a00000 [0078.275] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.275] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal") returned 126 [0078.275] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7c"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7c_r00t_{8ew5f6}.ebal")) returned 1 [0078.275] GetProcessHeap () returned 0x3a00000 [0078.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.275] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37765b02, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37765b02, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x37765b02, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x3cff18, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", cAlternateFileName="")) returned 1 [0078.275] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="Windows") returned -1 [0078.275] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="$Recycle.bin") returned 1 [0078.275] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="System Volume Information") returned -1 [0078.275] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="Program Files") returned -1 [0078.275] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="Program Files (x86)") returned -1 [0078.275] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E") returned 107 [0078.275] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpSrch=".ebal") returned 0x0 [0078.276] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.276] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E", lpString2="taridd") returned -1 [0078.276] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.276] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.276] GetTickCount () returned 0x1153e5d [0078.276] GetTickCount () returned 0x1153e5d [0078.276] GetTickCount () returned 0x1153e5d [0078.276] GetTickCount () returned 0x1153e5d [0078.276] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.277] GetProcessHeap () returned 0x3a00000 [0078.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.277] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.278] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.278] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.279] GetProcessHeap () returned 0x3a00000 [0078.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.279] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.279] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.281] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.281] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.281] CloseHandle (hObject=0x438) returned 1 [0078.281] GetProcessHeap () returned 0x3a00000 [0078.281] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.281] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal") returned 126 [0078.281] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7e"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.7e_r00t_{8ew5f6}.ebal")) returned 1 [0078.282] GetProcessHeap () returned 0x3a00000 [0078.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.282] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378e31c3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x378e31c3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3790940e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xcfdc43, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", cAlternateFileName="")) returned 1 [0078.282] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="Windows") returned -1 [0078.282] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="$Recycle.bin") returned 1 [0078.282] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="System Volume Information") returned -1 [0078.282] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="Program Files") returned -1 [0078.282] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="Program Files (x86)") returned -1 [0078.282] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80") returned 107 [0078.282] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpSrch=".ebal") returned 0x0 [0078.282] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.282] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80", lpString2="taridd") returned -1 [0078.282] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.282] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.80"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.282] GetTickCount () returned 0x1153e6d [0078.282] GetTickCount () returned 0x1153e6d [0078.282] GetTickCount () returned 0x1153e6d [0078.283] GetTickCount () returned 0x1153e6d [0078.283] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.283] GetProcessHeap () returned 0x3a00000 [0078.283] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.283] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.284] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.285] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.285] GetProcessHeap () returned 0x3a00000 [0078.285] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.285] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.285] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.287] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.287] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.287] CloseHandle (hObject=0x438) returned 1 [0078.287] GetProcessHeap () returned 0x3a00000 [0078.287] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.287] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal") returned 126 [0078.288] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.80"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.80_r00t_{8ew5f6}.ebal")) returned 1 [0078.288] GetProcessHeap () returned 0x3a00000 [0078.288] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.288] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x3795589b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3795589b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3795589b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x1d7f38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", cAlternateFileName="")) returned 1 [0078.288] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="Windows") returned -1 [0078.288] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="$Recycle.bin") returned 1 [0078.288] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="System Volume Information") returned -1 [0078.288] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="Program Files") returned -1 [0078.288] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="Program Files (x86)") returned -1 [0078.288] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83") returned 107 [0078.288] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpSrch=".ebal") returned 0x0 [0078.288] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.288] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83", lpString2="taridd") returned -1 [0078.288] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.288] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.83"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.289] GetTickCount () returned 0x1153e6d [0078.289] GetTickCount () returned 0x1153e6d [0078.289] GetTickCount () returned 0x1153e6d [0078.289] GetTickCount () returned 0x1153e6d [0078.289] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.289] GetProcessHeap () returned 0x3a00000 [0078.289] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.289] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.292] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.292] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.302] GetProcessHeap () returned 0x3a00000 [0078.302] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.302] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.302] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.304] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.305] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.305] CloseHandle (hObject=0x438) returned 1 [0078.305] GetProcessHeap () returned 0x3a00000 [0078.305] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.305] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal") returned 126 [0078.305] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.83"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.83_r00t_{8ew5f6}.ebal")) returned 1 [0078.306] GetProcessHeap () returned 0x3a00000 [0078.306] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.306] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3792f650, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3792f650, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3792f650, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x1a3a61, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", cAlternateFileName="")) returned 1 [0078.306] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="Windows") returned -1 [0078.306] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="$Recycle.bin") returned 1 [0078.306] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="System Volume Information") returned -1 [0078.306] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="Program Files") returned -1 [0078.306] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="Program Files (x86)") returned -1 [0078.306] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87") returned 107 [0078.306] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpSrch=".ebal") returned 0x0 [0078.306] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.306] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87", lpString2="taridd") returned -1 [0078.306] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.306] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.87"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.307] GetTickCount () returned 0x1153e8c [0078.307] GetTickCount () returned 0x1153e8c [0078.307] GetTickCount () returned 0x1153e8c [0078.307] GetTickCount () returned 0x1153e8c [0078.307] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.307] GetProcessHeap () returned 0x3a00000 [0078.307] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.307] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.309] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.309] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.309] GetProcessHeap () returned 0x3a00000 [0078.309] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.309] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.309] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.311] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.311] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.311] CloseHandle (hObject=0x438) returned 1 [0078.311] GetProcessHeap () returned 0x3a00000 [0078.311] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.311] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal") returned 126 [0078.312] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.87"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.87_r00t_{8ew5f6}.ebal")) returned 1 [0078.312] GetProcessHeap () returned 0x3a00000 [0078.312] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.312] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3795589b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3795589b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3795589b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x358f2f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", cAlternateFileName="")) returned 1 [0078.312] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="Windows") returned -1 [0078.312] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="$Recycle.bin") returned 1 [0078.312] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="System Volume Information") returned -1 [0078.313] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="Program Files") returned -1 [0078.313] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="Program Files (x86)") returned -1 [0078.313] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0") returned 107 [0078.313] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpSrch=".ebal") returned 0x0 [0078.313] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.313] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0", lpString2="taridd") returned -1 [0078.313] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.313] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.a0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.313] GetTickCount () returned 0x1153e8c [0078.313] GetTickCount () returned 0x1153e8c [0078.313] GetTickCount () returned 0x1153e8c [0078.313] GetTickCount () returned 0x1153e8c [0078.313] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.313] GetProcessHeap () returned 0x3a00000 [0078.313] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.313] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.315] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.315] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.315] GetProcessHeap () returned 0x3a00000 [0078.315] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.315] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.315] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.317] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.318] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.318] CloseHandle (hObject=0x438) returned 1 [0078.318] GetProcessHeap () returned 0x3a00000 [0078.318] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.318] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal") returned 126 [0078.318] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.a0"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.a0_r00t_{8ew5f6}.ebal")) returned 1 [0078.318] GetProcessHeap () returned 0x3a00000 [0078.318] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.318] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3797bae0, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x5fff9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", cAlternateFileName="")) returned 1 [0078.318] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="Windows") returned -1 [0078.319] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="$Recycle.bin") returned 1 [0078.319] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="System Volume Information") returned -1 [0078.319] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="Program Files") returned -1 [0078.319] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="Program Files (x86)") returned -1 [0078.319] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB") returned 107 [0078.319] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpSrch=".ebal") returned 0x0 [0078.319] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.319] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB", lpString2="taridd") returned -1 [0078.319] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.319] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.319] GetTickCount () returned 0x1153e8c [0078.319] GetTickCount () returned 0x1153e8c [0078.319] GetTickCount () returned 0x1153e8c [0078.319] GetTickCount () returned 0x1153e8c [0078.319] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.319] GetProcessHeap () returned 0x3a00000 [0078.319] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.319] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.322] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.322] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.322] GetProcessHeap () returned 0x3a00000 [0078.322] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.322] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.323] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.327] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.327] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.327] CloseHandle (hObject=0x438) returned 1 [0078.327] GetProcessHeap () returned 0x3a00000 [0078.327] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.327] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal") returned 126 [0078.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cb"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cb_r00t_{8ew5f6}.ebal")) returned 1 [0078.328] GetProcessHeap () returned 0x3a00000 [0078.328] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.328] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x3797bae0, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x441a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", cAlternateFileName="")) returned 1 [0078.328] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="Windows") returned -1 [0078.328] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="$Recycle.bin") returned 1 [0078.328] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="System Volume Information") returned -1 [0078.328] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="Program Files") returned -1 [0078.328] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="Program Files (x86)") returned -1 [0078.328] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC") returned 107 [0078.328] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpSrch=".ebal") returned 0x0 [0078.328] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.328] lstrcmpW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC", lpString2="taridd") returned -1 [0078.328] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.328] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.329] GetTickCount () returned 0x1153e9c [0078.329] GetTickCount () returned 0x1153e9c [0078.329] GetTickCount () returned 0x1153e9c [0078.329] GetTickCount () returned 0x1153e9c [0078.329] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.329] GetProcessHeap () returned 0x3a00000 [0078.329] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.329] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.330] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.330] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.331] GetProcessHeap () returned 0x3a00000 [0078.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.331] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.331] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.333] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.333] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.333] CloseHandle (hObject=0x438) returned 1 [0078.333] GetProcessHeap () returned 0x3a00000 [0078.333] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.333] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal") returned 126 [0078.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cc"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-3b2fa0352f7866f295fe76520c4d8ac0f30337f5.bin.cc_r00t_{8ew5f6}.ebal")) returned 1 [0078.334] GetProcessHeap () returned 0x3a00000 [0078.334] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.334] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccf915d5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xccf915d5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd1ce7a3f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0xa2ac97, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", cAlternateFileName="MPCACH~1.BIN")) returned 1 [0078.334] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="Windows") returned -1 [0078.334] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="$Recycle.bin") returned 1 [0078.334] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="System Volume Information") returned -1 [0078.334] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="Program Files") returned -1 [0078.334] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="Program Files (x86)") returned -1 [0078.334] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin") returned 104 [0078.334] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpSrch=".ebal") returned 0x0 [0078.334] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.334] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin", lpString2="taridd") returned -1 [0078.334] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.334] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.335] GetTickCount () returned 0x1153e9c [0078.335] GetTickCount () returned 0x1153e9c [0078.335] GetTickCount () returned 0x1153e9c [0078.335] GetTickCount () returned 0x1153e9c [0078.336] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.336] GetProcessHeap () returned 0x3a00000 [0078.336] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.336] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.338] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.338] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.338] GetProcessHeap () returned 0x3a00000 [0078.338] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.338] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.338] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.340] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.341] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.341] CloseHandle (hObject=0x438) returned 1 [0078.341] GetProcessHeap () returned 0x3a00000 [0078.341] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.341] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal") returned 123 [0078.341] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin_r00t_{8ew5f6}.ebal")) returned 1 [0078.342] GetProcessHeap () returned 0x3a00000 [0078.342] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.342] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd1bb677b, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x18ea5e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", cAlternateFileName="MPCACH~1.5B")) returned 1 [0078.342] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="Windows") returned -1 [0078.342] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="$Recycle.bin") returned 1 [0078.342] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="System Volume Information") returned -1 [0078.342] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="Program Files") returned -1 [0078.342] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="Program Files (x86)") returned -1 [0078.342] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B") returned 107 [0078.342] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpSrch=".ebal") returned 0x0 [0078.342] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.342] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B", lpString2="taridd") returned -1 [0078.342] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.342] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.5b"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.344] GetTickCount () returned 0x1153eab [0078.344] GetTickCount () returned 0x1153eab [0078.344] GetTickCount () returned 0x1153eab [0078.344] GetTickCount () returned 0x1153eab [0078.344] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.344] GetProcessHeap () returned 0x3a00000 [0078.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.344] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.357] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.357] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.357] GetProcessHeap () returned 0x3a00000 [0078.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.357] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.357] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.361] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.361] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.361] CloseHandle (hObject=0x438) returned 1 [0078.361] GetProcessHeap () returned 0x3a00000 [0078.361] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.361] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal") returned 126 [0078.361] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.5b"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.5b_r00t_{8ew5f6}.ebal")) returned 1 [0078.362] GetProcessHeap () returned 0x3a00000 [0078.362] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.362] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1206ea7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1206ea7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd154e258, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x6a1ab6c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", cAlternateFileName="MPCACH~1.67")) returned 1 [0078.362] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="Windows") returned -1 [0078.362] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="$Recycle.bin") returned 1 [0078.362] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="System Volume Information") returned -1 [0078.362] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="Program Files") returned -1 [0078.362] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="Program Files (x86)") returned -1 [0078.362] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67") returned 107 [0078.362] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpSrch=".ebal") returned 0x0 [0078.362] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.362] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67", lpString2="taridd") returned -1 [0078.363] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.363] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.67"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] GetTickCount () returned 0x1153ebb [0078.365] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.365] GetProcessHeap () returned 0x3a00000 [0078.365] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.365] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.368] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.369] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.369] GetProcessHeap () returned 0x3a00000 [0078.369] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.369] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.369] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.371] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.371] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.371] CloseHandle (hObject=0x438) returned 1 [0078.371] GetProcessHeap () returned 0x3a00000 [0078.371] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal") returned 126 [0078.371] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.67"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.67_r00t_{8ew5f6}.ebal")) returned 1 [0078.374] GetProcessHeap () returned 0x3a00000 [0078.374] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.374] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd159a713, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd159a713, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd16592ea, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x3b14000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", cAlternateFileName="MPCACH~1.79")) returned 1 [0078.374] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="Windows") returned -1 [0078.375] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="$Recycle.bin") returned 1 [0078.375] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="System Volume Information") returned -1 [0078.375] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="Program Files") returned -1 [0078.375] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="Program Files (x86)") returned -1 [0078.375] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79") returned 107 [0078.375] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpSrch=".ebal") returned 0x0 [0078.375] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.375] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79", lpString2="taridd") returned -1 [0078.375] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.375] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.79"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.389] GetTickCount () returned 0x1153eda [0078.389] GetTickCount () returned 0x1153eda [0078.389] GetTickCount () returned 0x1153eda [0078.389] GetTickCount () returned 0x1153eda [0078.389] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.389] GetProcessHeap () returned 0x3a00000 [0078.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.389] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.398] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.401] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.401] GetProcessHeap () returned 0x3a00000 [0078.401] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.401] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.401] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.402] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.402] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.403] CloseHandle (hObject=0x438) returned 1 [0078.403] GetProcessHeap () returned 0x3a00000 [0078.403] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.403] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal") returned 126 [0078.403] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.79"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.79_r00t_{8ew5f6}.ebal")) returned 1 [0078.499] GetProcessHeap () returned 0x3a00000 [0078.499] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.499] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd167f527, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd167f527, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd167f527, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x529000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", cAlternateFileName="MPCACH~1.7C")) returned 1 [0078.499] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="Windows") returned -1 [0078.499] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="$Recycle.bin") returned 1 [0078.499] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="System Volume Information") returned -1 [0078.499] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="Program Files") returned -1 [0078.499] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="Program Files (x86)") returned -1 [0078.499] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C") returned 107 [0078.499] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpSrch=".ebal") returned 0x0 [0078.499] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.499] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C", lpString2="taridd") returned -1 [0078.499] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.499] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7c"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.500] GetTickCount () returned 0x1153f47 [0078.500] GetTickCount () returned 0x1153f47 [0078.500] GetTickCount () returned 0x1153f47 [0078.500] GetTickCount () returned 0x1153f47 [0078.500] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.500] GetProcessHeap () returned 0x3a00000 [0078.500] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.500] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.507] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.507] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.509] GetProcessHeap () returned 0x3a00000 [0078.509] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.509] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.509] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.511] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.512] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.512] CloseHandle (hObject=0x438) returned 1 [0078.512] GetProcessHeap () returned 0x3a00000 [0078.512] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.512] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal") returned 126 [0078.512] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7c"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7c_r00t_{8ew5f6}.ebal")) returned 1 [0078.513] GetProcessHeap () returned 0x3a00000 [0078.513] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.513] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd16cb9d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd16cb9d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd16cb9d7, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x3cff18, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", cAlternateFileName="MPCACH~1.7E")) returned 1 [0078.513] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="Windows") returned -1 [0078.513] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="$Recycle.bin") returned 1 [0078.513] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="System Volume Information") returned -1 [0078.513] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="Program Files") returned -1 [0078.513] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="Program Files (x86)") returned -1 [0078.513] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E") returned 107 [0078.513] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpSrch=".ebal") returned 0x0 [0078.513] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.513] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E", lpString2="taridd") returned -1 [0078.513] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.513] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7e"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.514] GetTickCount () returned 0x1153f57 [0078.514] GetTickCount () returned 0x1153f57 [0078.514] GetTickCount () returned 0x1153f57 [0078.514] GetTickCount () returned 0x1153f57 [0078.515] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.515] GetProcessHeap () returned 0x3a00000 [0078.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.515] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.516] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.516] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.517] GetProcessHeap () returned 0x3a00000 [0078.517] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.517] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.517] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.519] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.519] CloseHandle (hObject=0x438) returned 1 [0078.519] GetProcessHeap () returned 0x3a00000 [0078.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.519] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal") returned 126 [0078.519] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7e"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.7e_r00t_{8ew5f6}.ebal")) returned 1 [0078.520] GetProcessHeap () returned 0x3a00000 [0078.520] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.520] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1822efb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1822efb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd186f3c1, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0xcfdc43, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", cAlternateFileName="MPCACH~1.80")) returned 1 [0078.520] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="Windows") returned -1 [0078.520] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="$Recycle.bin") returned 1 [0078.520] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="System Volume Information") returned -1 [0078.520] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="Program Files") returned -1 [0078.520] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="Program Files (x86)") returned -1 [0078.520] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80") returned 107 [0078.520] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpSrch=".ebal") returned 0x0 [0078.520] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.520] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80", lpString2="taridd") returned -1 [0078.520] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.520] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.80"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] GetTickCount () returned 0x1153f57 [0078.521] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.521] GetProcessHeap () returned 0x3a00000 [0078.521] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.521] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.557] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.557] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.557] GetProcessHeap () returned 0x3a00000 [0078.557] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.557] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.557] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.559] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.560] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.560] CloseHandle (hObject=0x438) returned 1 [0078.560] GetProcessHeap () returned 0x3a00000 [0078.560] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.560] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal") returned 126 [0078.560] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.80"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.80_r00t_{8ew5f6}.ebal")) returned 1 [0078.561] GetProcessHeap () returned 0x3a00000 [0078.561] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.561] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd18bb86e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18bb86e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd18bb86e, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x1d7f38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", cAlternateFileName="MPCACH~1.83")) returned 1 [0078.561] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="Windows") returned -1 [0078.561] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="$Recycle.bin") returned 1 [0078.561] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="System Volume Information") returned -1 [0078.561] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="Program Files") returned -1 [0078.561] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="Program Files (x86)") returned -1 [0078.561] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83") returned 107 [0078.561] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpSrch=".ebal") returned 0x0 [0078.561] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.561] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83", lpString2="taridd") returned -1 [0078.561] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.561] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.83"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.561] GetTickCount () returned 0x1153f86 [0078.561] GetTickCount () returned 0x1153f86 [0078.561] GetTickCount () returned 0x1153f86 [0078.562] GetTickCount () returned 0x1153f86 [0078.562] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.562] GetProcessHeap () returned 0x3a00000 [0078.562] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.562] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.566] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.566] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.566] GetProcessHeap () returned 0x3a00000 [0078.566] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.566] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.567] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.568] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.569] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.569] CloseHandle (hObject=0x438) returned 1 [0078.569] GetProcessHeap () returned 0x3a00000 [0078.569] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.569] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal") returned 126 [0078.569] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.83"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.83_r00t_{8ew5f6}.ebal")) returned 1 [0078.570] GetProcessHeap () returned 0x3a00000 [0078.570] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.570] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1895623, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1895623, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd1895623, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x1a3a61, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", cAlternateFileName="MPCACH~1.87")) returned 1 [0078.570] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="Windows") returned -1 [0078.570] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="$Recycle.bin") returned 1 [0078.570] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="System Volume Information") returned -1 [0078.570] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="Program Files") returned -1 [0078.570] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="Program Files (x86)") returned -1 [0078.570] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87") returned 107 [0078.570] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpSrch=".ebal") returned 0x0 [0078.570] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.570] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87", lpString2="taridd") returned -1 [0078.570] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.570] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.87"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.570] GetTickCount () returned 0x1153f86 [0078.570] GetTickCount () returned 0x1153f86 [0078.570] GetTickCount () returned 0x1153f86 [0078.570] GetTickCount () returned 0x1153f86 [0078.570] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.570] GetProcessHeap () returned 0x3a00000 [0078.571] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.571] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.572] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.572] GetProcessHeap () returned 0x3a00000 [0078.572] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.572] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.572] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.574] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.575] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.575] CloseHandle (hObject=0x438) returned 1 [0078.575] GetProcessHeap () returned 0x3a00000 [0078.575] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.575] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal") returned 126 [0078.575] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.87"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.87_r00t_{8ew5f6}.ebal")) returned 1 [0078.576] GetProcessHeap () returned 0x3a00000 [0078.576] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.576] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18bb86e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18bb86e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd18bb86e, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x358f2f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", cAlternateFileName="MPCACH~1.A0")) returned 1 [0078.576] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="Windows") returned -1 [0078.576] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="$Recycle.bin") returned 1 [0078.576] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="System Volume Information") returned -1 [0078.576] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="Program Files") returned -1 [0078.576] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="Program Files (x86)") returned -1 [0078.576] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0") returned 107 [0078.576] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpSrch=".ebal") returned 0x0 [0078.576] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.576] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0", lpString2="taridd") returned -1 [0078.576] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.576] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.a0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.577] GetTickCount () returned 0x1153f96 [0078.577] GetTickCount () returned 0x1153f96 [0078.577] GetTickCount () returned 0x1153f96 [0078.577] GetTickCount () returned 0x1153f96 [0078.577] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.577] GetProcessHeap () returned 0x3a00000 [0078.577] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.577] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.579] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.579] GetProcessHeap () returned 0x3a00000 [0078.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.579] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.579] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.581] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.581] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.581] CloseHandle (hObject=0x438) returned 1 [0078.582] GetProcessHeap () returned 0x3a00000 [0078.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.582] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal") returned 126 [0078.582] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.a0"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.a0_r00t_{8ew5f6}.ebal")) returned 1 [0078.582] GetProcessHeap () returned 0x3a00000 [0078.582] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.582] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd18e1ad1, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x5fff9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", cAlternateFileName="MPCACH~1.CB")) returned 1 [0078.582] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="Windows") returned -1 [0078.582] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="$Recycle.bin") returned 1 [0078.582] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="System Volume Information") returned -1 [0078.582] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="Program Files") returned -1 [0078.583] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="Program Files (x86)") returned -1 [0078.583] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB") returned 107 [0078.583] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpSrch=".ebal") returned 0x0 [0078.583] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.583] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB", lpString2="taridd") returned -1 [0078.583] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cb"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.585] GetTickCount () returned 0x1153f96 [0078.585] GetTickCount () returned 0x1153f96 [0078.585] GetTickCount () returned 0x1153f96 [0078.585] GetTickCount () returned 0x1153f96 [0078.585] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.585] GetProcessHeap () returned 0x3a00000 [0078.585] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.585] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.587] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.587] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.587] GetProcessHeap () returned 0x3a00000 [0078.587] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.587] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.587] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.589] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.589] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.589] CloseHandle (hObject=0x438) returned 1 [0078.590] GetProcessHeap () returned 0x3a00000 [0078.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.590] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal") returned 126 [0078.590] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cb"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cb_r00t_{8ew5f6}.ebal")) returned 1 [0078.590] GetProcessHeap () returned 0x3a00000 [0078.590] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.590] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd18e1ad1, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x441a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", cAlternateFileName="MPCACH~1.CC")) returned 1 [0078.590] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="Windows") returned -1 [0078.590] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="$Recycle.bin") returned 1 [0078.590] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="System Volume Information") returned -1 [0078.591] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="Program Files") returned -1 [0078.591] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="Program Files (x86)") returned -1 [0078.591] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC") returned 107 [0078.591] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpSrch=".ebal") returned 0x0 [0078.591] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.591] lstrcmpW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC", lpString2="taridd") returned -1 [0078.591] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F74", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.591] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.592] GetTickCount () returned 0x1153fa5 [0078.592] GetTickCount () returned 0x1153fa5 [0078.592] GetTickCount () returned 0x1153fa5 [0078.592] GetTickCount () returned 0x1153fa5 [0078.592] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0078.592] GetProcessHeap () returned 0x3a00000 [0078.592] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.593] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.595] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.595] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0078.595] GetProcessHeap () returned 0x3a00000 [0078.595] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.595] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.595] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0078.597] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0078.597] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0078.597] CloseHandle (hObject=0x438) returned 1 [0078.597] GetProcessHeap () returned 0x3a00000 [0078.597] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.597] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal") returned 126 [0078.597] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cc"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\mpcache-cc7537bd57f4e352d7cdea5852d447a507e0f749.bin.cc_r00t_{8ew5f6}.ebal")) returned 1 [0078.598] GetProcessHeap () returned 0x3a00000 [0078.598] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.598] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccf915d5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xccf915d5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf8757c0a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa2b01b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="MPCACH~1.EBA")) returned 1 [0078.598] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0078.598] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0078.598] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0078.598] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0078.598] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0078.598] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal") returned 123 [0078.598] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0078.598] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RtSigs", cAlternateFileName="")) returned 1 [0078.598] lstrcmpiW (lpString1="RtSigs", lpString2="Windows") returned -1 [0078.598] lstrcmpiW (lpString1="RtSigs", lpString2="$Recycle.bin") returned 1 [0078.598] lstrcmpiW (lpString1="RtSigs", lpString2="System Volume Information") returned -1 [0078.598] lstrcmpiW (lpString1="RtSigs", lpString2="Program Files") returned 1 [0078.598] lstrcmpiW (lpString1="RtSigs", lpString2="Program Files (x86)") returned 1 [0078.598] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned 58 [0078.598] lstrcmpW (lpString1="RtSigs", lpString2=".") returned 1 [0078.598] lstrcmpW (lpString1="RtSigs", lpString2="..") returned 1 [0078.598] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.598] GetProcessHeap () returned 0x3a00000 [0078.598] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.599] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*") returned 60 [0078.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0078.599] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.599] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.599] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.599] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\.") returned 60 [0078.599] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.599] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.600] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\..") returned 61 [0078.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.600] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 1 [0078.600] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0078.600] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0078.600] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0078.600] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0078.600] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0078.600] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned 63 [0078.600] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0078.600] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0078.600] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.600] GetProcessHeap () returned 0x3a00000 [0078.600] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0078.600] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*") returned 65 [0078.600] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0078.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.601] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\.") returned 65 [0078.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.601] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.601] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\..") returned 66 [0078.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.601] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.601] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0078.601] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0078.601] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\rtsigs\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.602] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.603] CloseHandle (hObject=0x43c) returned 1 [0078.603] GetProcessHeap () returned 0x3a00000 [0078.603] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0078.603] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 0 [0078.603] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0078.603] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0078.603] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\RtSigs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\rtsigs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.603] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0078.604] CloseHandle (hObject=0x438) returned 1 [0078.604] GetProcessHeap () returned 0x3a00000 [0078.604] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.604] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RtSigs", cAlternateFileName="")) returned 0 [0078.604] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0078.604] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0078.605] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Scans\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\scans\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0078.605] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.606] CloseHandle (hObject=0x434) returned 1 [0078.606] GetProcessHeap () returned 0x3a00000 [0078.606] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0078.606] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 1 [0078.606] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0078.606] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0078.606] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0078.606] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0078.606] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0078.606] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support") returned 53 [0078.606] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0078.606] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0078.668] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.668] GetProcessHeap () returned 0x3a00000 [0078.668] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0078.669] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*") returned 55 [0078.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0078.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.669] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\.") returned 55 [0078.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.669] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.670] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.670] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.670] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.670] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\..") returned 56 [0078.670] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.670] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.670] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0078.670] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0078.670] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\support\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0078.671] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.672] CloseHandle (hObject=0x434) returned 1 [0078.672] GetProcessHeap () returned 0x3a00000 [0078.672] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0078.672] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 0 [0078.672] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0078.672] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0078.672] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0078.673] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0078.674] CloseHandle (hObject=0x430) returned 1 [0078.674] GetProcessHeap () returned 0x3a00000 [0078.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0078.674] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Defender Advanced Threat Protection", cAlternateFileName="WIF4A9~1")) returned 1 [0078.674] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Windows") returned 1 [0078.674] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="$Recycle.bin") returned 1 [0078.674] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="System Volume Information") returned 1 [0078.674] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Program Files") returned 1 [0078.674] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Program Files (x86)") returned 1 [0078.674] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection") returned 72 [0078.674] lstrcmpW (lpString1="Windows Defender Advanced Threat Protection", lpString2=".") returned 1 [0078.674] lstrcmpW (lpString1="Windows Defender Advanced Threat Protection", lpString2="..") returned 1 [0078.674] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.674] GetProcessHeap () returned 0x3a00000 [0078.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0078.674] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\*") returned 74 [0078.674] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0078.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.675] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\.") returned 74 [0078.675] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.675] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.675] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.675] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.675] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.675] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.675] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.675] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\..") returned 75 [0078.675] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.675] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.675] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a9166d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0078.675] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0078.675] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0078.675] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0078.676] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0078.676] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0078.676] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache") returned 78 [0078.676] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0078.676] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0078.676] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.676] GetProcessHeap () returned 0x3a00000 [0078.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0078.676] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache\\*") returned 80 [0078.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x5, ftLastWriteTime.dwLowDateTime=0xffffd25f, ftLastWriteTime.dwHighDateTime=0x7, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ٚ?", cAlternateFileName="俠Φ￿￿扨@￿￿俠Φ\x05")) returned 0xffffffff [0078.676] GetProcessHeap () returned 0x3a00000 [0078.676] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0078.676] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0078.676] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0078.676] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0078.676] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0078.676] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0078.676] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0078.676] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp") returned 77 [0078.676] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0078.676] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0078.676] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.676] GetProcessHeap () returned 0x3a00000 [0078.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0078.676] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\*") returned 79 [0078.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0078.677] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.677] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\.") returned 79 [0078.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.677] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.677] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.677] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.677] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.677] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\..") returned 80 [0078.677] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.677] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.677] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.677] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0078.677] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 109 [0078.677] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender advanced threat protection\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0078.678] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.679] CloseHandle (hObject=0x434) returned 1 [0078.679] GetProcessHeap () returned 0x3a00000 [0078.679] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0078.679] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 0 [0078.679] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0078.679] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0078.679] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows defender advanced threat protection\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0078.680] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0078.681] CloseHandle (hObject=0x430) returned 1 [0078.681] GetProcessHeap () returned 0x3a00000 [0078.681] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0078.681] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a928fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0078.681] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0078.681] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0078.681] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0078.681] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0078.681] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0078.681] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live") returned 41 [0078.681] lstrcmpW (lpString1="Windows Live", lpString2=".") returned 1 [0078.681] lstrcmpW (lpString1="Windows Live", lpString2="..") returned 1 [0078.681] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.681] GetProcessHeap () returned 0x3a00000 [0078.681] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0078.681] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*") returned 43 [0078.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a928fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0078.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.682] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.682] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\.") returned 43 [0078.682] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.682] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a928fc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.682] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.682] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.682] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.682] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.682] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.682] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\..") returned 44 [0078.682] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.682] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.682] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a996721, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WLive48x48.png", cAlternateFileName="WLIVE4~1.PNG")) returned 1 [0078.682] lstrcmpiW (lpString1="WLive48x48.png", lpString2="Windows") returned 1 [0078.682] lstrcmpiW (lpString1="WLive48x48.png", lpString2="$Recycle.bin") returned 1 [0078.682] lstrcmpiW (lpString1="WLive48x48.png", lpString2="System Volume Information") returned 1 [0078.682] lstrcmpiW (lpString1="WLive48x48.png", lpString2="Program Files") returned 1 [0078.682] lstrcmpiW (lpString1="WLive48x48.png", lpString2="Program Files (x86)") returned 1 [0078.682] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png") returned 56 [0078.682] StrStrIW (lpFirst="WLive48x48.png", lpSrch=".ebal") returned 0x0 [0078.682] lstrcmpW (lpString1="WLive48x48.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.682] lstrcmpW (lpString1="WLive48x48.png", lpString2="taridd") returned 1 [0078.682] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.682] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0078.685] GetTickCount () returned 0x1154003 [0078.685] GetTickCount () returned 0x1154003 [0078.685] GetTickCount () returned 0x1154003 [0078.685] GetTickCount () returned 0x1154003 [0078.685] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0078.685] GetProcessHeap () returned 0x3a00000 [0078.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0078.685] ReadFile (in: hFile=0x434, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af55c*=0x1231, lpOverlapped=0x0) returned 1 [0078.687] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffedcf, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0078.687] WriteFile (in: hFile=0x434, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1231, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af55c*=0x1231, lpOverlapped=0x0) returned 1 [0078.687] GetProcessHeap () returned 0x3a00000 [0078.687] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0078.687] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.687] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0078.687] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0078.687] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0078.687] CloseHandle (hObject=0x434) returned 1 [0078.687] GetProcessHeap () returned 0x3a00000 [0078.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0078.687] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png_r00t_{8ew5f6}.ebal") returned 75 [0078.687] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\WLive48x48.png_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows live\\wlive48x48.png_r00t_{8ew5f6}.ebal")) returned 1 [0078.688] GetProcessHeap () returned 0x3a00000 [0078.688] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0078.688] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a996721, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1231, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WLive48x48.png", cAlternateFileName="WLIVE4~1.PNG")) returned 0 [0078.688] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0078.688] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0078.688] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Live\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows live\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0078.689] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0078.690] CloseHandle (hObject=0x430) returned 1 [0078.690] GetProcessHeap () returned 0x3a00000 [0078.690] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0078.690] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1 [0078.690] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0078.690] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0078.690] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0078.690] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0078.690] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0078.690] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT") returned 39 [0078.690] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0078.690] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0078.690] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.690] GetProcessHeap () returned 0x3a00000 [0078.690] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0078.690] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*") returned 41 [0078.690] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0078.690] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.690] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.690] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.690] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.690] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.690] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\.") returned 41 [0078.690] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.690] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.690] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.691] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.691] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.691] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.691] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.691] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\..") returned 42 [0078.691] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.691] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.691] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2396478, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSFax", cAlternateFileName="")) returned 1 [0078.691] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0078.691] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0078.691] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0078.691] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0078.691] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0078.691] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax") returned 45 [0078.691] lstrcmpW (lpString1="MSFax", lpString2=".") returned 1 [0078.691] lstrcmpW (lpString1="MSFax", lpString2="..") returned 1 [0078.691] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.691] GetProcessHeap () returned 0x3a00000 [0078.691] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0078.691] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*") returned 47 [0078.691] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2396478, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0078.692] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.693] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.693] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.693] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.693] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.693] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\.") returned 47 [0078.693] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.693] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2396478, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.693] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.693] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.693] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.693] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.693] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.693] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\..") returned 48 [0078.693] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.693] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.693] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0078.693] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0078.693] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0078.693] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0078.693] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0078.693] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0078.693] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 57 [0078.693] lstrcmpW (lpString1="ActivityLog", lpString2=".") returned 1 [0078.693] lstrcmpW (lpString1="ActivityLog", lpString2="..") returned 1 [0078.693] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.693] GetProcessHeap () returned 0x3a00000 [0078.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.693] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned 59 [0078.693] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0078.694] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.694] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.694] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.694] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.694] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.694] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\.") returned 59 [0078.694] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.694] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.694] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.694] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.694] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.694] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.694] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.694] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\..") returned 60 [0078.694] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.694] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.694] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0078.694] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0078.694] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0078.695] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\activitylog\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.695] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0078.696] CloseHandle (hObject=0x438) returned 1 [0078.696] GetProcessHeap () returned 0x3a00000 [0078.696] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.696] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0078.696] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0078.696] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0078.696] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0078.696] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0078.696] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0078.696] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 63 [0078.696] lstrcmpW (lpString1="Common Coverpages", lpString2=".") returned 1 [0078.696] lstrcmpW (lpString1="Common Coverpages", lpString2="..") returned 1 [0078.696] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.696] GetProcessHeap () returned 0x3a00000 [0078.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned 65 [0078.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0078.697] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.697] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.697] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.697] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.697] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\.") returned 65 [0078.697] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.697] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.697] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.697] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.697] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.697] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.697] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\..") returned 66 [0078.697] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.697] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.697] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0078.697] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0078.697] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0078.697] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0078.698] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0078.698] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 69 [0078.698] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0078.698] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0078.698] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.698] GetProcessHeap () returned 0x3a00000 [0078.698] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0078.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned 71 [0078.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0078.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0078.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0078.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\.") returned 71 [0078.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0078.698] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0078.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0078.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0078.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\..") returned 72 [0078.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0078.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0078.698] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0078.698] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0078.699] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0078.699] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0078.699] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0078.699] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0078.699] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 83 [0078.699] StrStrIW (lpFirst="confident.cov", lpSrch=".ebal") returned 0x0 [0078.699] lstrcmpW (lpString1="confident.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.699] lstrcmpW (lpString1="confident.cov", lpString2="taridd") returned -1 [0078.699] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.701] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0078.701] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0078.701] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0078.701] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0078.701] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0078.701] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0078.701] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 77 [0078.701] StrStrIW (lpFirst="fyi.cov", lpSrch=".ebal") returned 0x0 [0078.701] lstrcmpW (lpString1="fyi.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.701] lstrcmpW (lpString1="fyi.cov", lpString2="taridd") returned -1 [0078.701] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.701] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.701] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0078.701] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0078.701] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0078.701] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0078.702] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0078.702] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0078.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 81 [0078.702] StrStrIW (lpFirst="generic.cov", lpSrch=".ebal") returned 0x0 [0078.702] lstrcmpW (lpString1="generic.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.702] lstrcmpW (lpString1="generic.cov", lpString2="taridd") returned -1 [0078.702] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.702] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0078.702] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0078.702] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0078.702] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0078.702] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0078.702] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0078.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 80 [0078.702] StrStrIW (lpFirst="urgent.cov", lpSrch=".ebal") returned 0x0 [0078.702] lstrcmpW (lpString1="urgent.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0078.702] lstrcmpW (lpString1="urgent.cov", lpString2="taridd") returned 1 [0078.702] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0078.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0078.702] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0078.702] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0078.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0078.702] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0078.703] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0078.704] CloseHandle (hObject=0x43c) returned 1 [0078.704] GetProcessHeap () returned 0x3a00000 [0078.704] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0078.704] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0078.704] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0078.704] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0078.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\common coverpages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0078.705] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0078.706] CloseHandle (hObject=0x438) returned 1 [0078.709] GetProcessHeap () returned 0x3a00000 [0078.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0078.709] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Inbox", cAlternateFileName="")) returned 1 [0078.709] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0078.709] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0078.709] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0078.709] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0078.709] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0078.709] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 51 [0078.709] lstrcmpW (lpString1="Inbox", lpString2=".") returned 1 [0078.709] lstrcmpW (lpString1="Inbox", lpString2="..") returned 1 [0078.709] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0078.709] GetProcessHeap () returned 0x3a00000 [0078.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0078.709] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned 53 [0078.710] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0079.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.450] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\.") returned 53 [0079.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.450] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.450] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.451] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.451] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.451] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.451] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\..") returned 54 [0079.451] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.451] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.451] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0079.451] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0079.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0079.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Inbox\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\inbox\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.452] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0079.458] CloseHandle (hObject=0x438) returned 1 [0079.458] GetProcessHeap () returned 0x3a00000 [0079.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.458] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Queue", cAlternateFileName="")) returned 1 [0079.458] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0079.458] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0079.458] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0079.458] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0079.458] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0079.458] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue") returned 51 [0079.458] lstrcmpW (lpString1="Queue", lpString2=".") returned 1 [0079.459] lstrcmpW (lpString1="Queue", lpString2="..") returned 1 [0079.459] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.459] GetProcessHeap () returned 0x3a00000 [0079.459] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.459] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned 53 [0079.459] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0079.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.460] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.460] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\.") returned 53 [0079.460] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.460] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.460] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.460] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.460] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.460] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.460] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.460] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\..") returned 54 [0079.460] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.460] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.460] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0079.460] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0079.460] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0079.460] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.461] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0079.462] CloseHandle (hObject=0x438) returned 1 [0079.462] GetProcessHeap () returned 0x3a00000 [0079.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.462] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Queue_Migrated", cAlternateFileName="")) returned 1 [0079.462] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Windows") returned -1 [0079.462] lstrcmpiW (lpString1="Queue_Migrated", lpString2="$Recycle.bin") returned 1 [0079.462] lstrcmpiW (lpString1="Queue_Migrated", lpString2="System Volume Information") returned -1 [0079.462] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Program Files") returned 1 [0079.462] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Program Files (x86)") returned 1 [0079.462] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated") returned 60 [0079.462] lstrcmpW (lpString1="Queue_Migrated", lpString2=".") returned 1 [0079.462] lstrcmpW (lpString1="Queue_Migrated", lpString2="..") returned 1 [0079.462] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.462] GetProcessHeap () returned 0x3a00000 [0079.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\*") returned 62 [0079.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0079.463] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.463] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.463] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.463] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.463] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\.") returned 62 [0079.464] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.464] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.464] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.464] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.464] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.464] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.464] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.464] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\..") returned 63 [0079.464] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.464] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0079.464] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0079.464] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0079.464] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\queue_migrated\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.465] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0079.465] CloseHandle (hObject=0x438) returned 1 [0079.466] GetProcessHeap () returned 0x3a00000 [0079.466] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.466] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0079.466] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0079.466] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0079.466] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0079.466] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0079.466] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0079.466] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 55 [0079.466] lstrcmpW (lpString1="SentItems", lpString2=".") returned 1 [0079.466] lstrcmpW (lpString1="SentItems", lpString2="..") returned 1 [0079.466] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.466] GetProcessHeap () returned 0x3a00000 [0079.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.466] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned 57 [0079.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0079.466] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.466] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.466] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.466] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.466] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\.") returned 57 [0079.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.466] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.467] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.467] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\..") returned 58 [0079.467] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.467] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.467] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0079.467] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0079.467] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0079.467] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\SentItems\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\sentitems\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.468] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0079.469] CloseHandle (hObject=0x438) returned 1 [0079.469] GetProcessHeap () returned 0x3a00000 [0079.469] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.469] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0079.469] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0079.469] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0079.469] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0079.469] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0079.469] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0079.469] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 58 [0079.469] lstrcmpW (lpString1="VirtualInbox", lpString2=".") returned 1 [0079.469] lstrcmpW (lpString1="VirtualInbox", lpString2="..") returned 1 [0079.470] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.470] GetProcessHeap () returned 0x3a00000 [0079.470] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.470] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned 60 [0079.470] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0079.470] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.470] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\.") returned 60 [0079.470] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.470] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.470] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\..") returned 61 [0079.470] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.470] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.470] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0079.470] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0079.470] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0079.470] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0079.470] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0079.470] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0079.470] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 64 [0079.471] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0079.471] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0079.471] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.471] GetProcessHeap () returned 0x3a00000 [0079.471] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0079.471] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned 66 [0079.471] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0079.471] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.471] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.471] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.471] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.471] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.471] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\.") returned 66 [0079.471] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.471] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.471] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.471] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.471] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.471] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.471] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.471] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\..") returned 67 [0079.471] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.471] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.471] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af00150, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0079.471] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0079.471] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0079.471] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0079.471] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0079.471] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0079.471] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 79 [0079.472] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch=".ebal") returned 0x0 [0079.472] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.472] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="taridd") returned 1 [0079.472] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.472] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.472] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af00150, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0079.472] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0079.473] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0079.473] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0079.473] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0079.474] CloseHandle (hObject=0x43c) returned 1 [0079.474] GetProcessHeap () returned 0x3a00000 [0079.474] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0079.474] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0079.474] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0079.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0079.474] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\virtualinbox\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.475] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0079.476] CloseHandle (hObject=0x438) returned 1 [0079.476] GetProcessHeap () returned 0x3a00000 [0079.476] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.476] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0079.476] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0079.476] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0079.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSFax\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msfax\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0079.476] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0079.477] CloseHandle (hObject=0x434) returned 1 [0079.477] GetProcessHeap () returned 0x3a00000 [0079.477] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0079.477] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSScan", cAlternateFileName="")) returned 1 [0079.477] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0079.477] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0079.477] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0079.477] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0079.477] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0079.478] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan") returned 46 [0079.478] lstrcmpW (lpString1="MSScan", lpString2=".") returned 1 [0079.478] lstrcmpW (lpString1="MSScan", lpString2="..") returned 1 [0079.478] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.478] GetProcessHeap () returned 0x3a00000 [0079.478] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0079.478] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*") returned 48 [0079.478] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0079.478] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.478] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.478] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.478] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.478] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.478] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\.") returned 48 [0079.478] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.478] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.478] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.478] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.478] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.478] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.478] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.478] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\..") returned 49 [0079.478] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.478] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.478] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d027e99, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9d027e99, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9d04e0f0, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0079.478] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0079.478] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0079.478] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0079.478] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0079.478] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0079.479] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 62 [0079.479] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch=".ebal") returned 0x0 [0079.479] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.479] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="taridd") returned 1 [0079.479] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.479] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.479] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d027e99, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9d027e99, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9d04e0f0, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0079.480] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0079.480] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0079.480] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\MSScan\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\msscan\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0079.480] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0079.481] CloseHandle (hObject=0x434) returned 1 [0079.481] GetProcessHeap () returned 0x3a00000 [0079.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0079.481] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSScan", cAlternateFileName="")) returned 0 [0079.482] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0079.482] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0079.482] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows NT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows nt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0079.482] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0079.483] CloseHandle (hObject=0x430) returned 1 [0079.483] GetProcessHeap () returned 0x3a00000 [0079.483] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0079.483] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Security Health", cAlternateFileName="WINDOW~4")) returned 1 [0079.483] lstrcmpiW (lpString1="Windows Security Health", lpString2="Windows") returned 1 [0079.483] lstrcmpiW (lpString1="Windows Security Health", lpString2="$Recycle.bin") returned 1 [0079.483] lstrcmpiW (lpString1="Windows Security Health", lpString2="System Volume Information") returned 1 [0079.483] lstrcmpiW (lpString1="Windows Security Health", lpString2="Program Files") returned 1 [0079.483] lstrcmpiW (lpString1="Windows Security Health", lpString2="Program Files (x86)") returned 1 [0079.489] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health") returned 52 [0079.489] lstrcmpW (lpString1="Windows Security Health", lpString2=".") returned 1 [0079.489] lstrcmpW (lpString1="Windows Security Health", lpString2="..") returned 1 [0079.489] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.489] GetProcessHeap () returned 0x3a00000 [0079.489] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0079.490] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\*") returned 54 [0079.490] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0079.490] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.490] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.490] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.490] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.490] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.490] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\.") returned 54 [0079.490] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.490] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.490] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.490] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.490] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.490] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.490] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.490] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\..") returned 55 [0079.490] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.490] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.490] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Health Advisor", cAlternateFileName="HEALTH~1")) returned 1 [0079.490] lstrcmpiW (lpString1="Health Advisor", lpString2="Windows") returned -1 [0079.490] lstrcmpiW (lpString1="Health Advisor", lpString2="$Recycle.bin") returned 1 [0079.490] lstrcmpiW (lpString1="Health Advisor", lpString2="System Volume Information") returned -1 [0079.490] lstrcmpiW (lpString1="Health Advisor", lpString2="Program Files") returned -1 [0079.490] lstrcmpiW (lpString1="Health Advisor", lpString2="Program Files (x86)") returned -1 [0079.490] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor") returned 67 [0079.490] lstrcmpW (lpString1="Health Advisor", lpString2=".") returned 1 [0079.490] lstrcmpW (lpString1="Health Advisor", lpString2="..") returned 1 [0079.490] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.490] GetProcessHeap () returned 0x3a00000 [0079.491] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0079.491] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\*") returned 69 [0079.491] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0079.491] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.491] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.491] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.491] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.491] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.491] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\.") returned 69 [0079.491] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.491] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.491] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.491] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.491] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.491] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.491] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.491] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\..") returned 70 [0079.491] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.491] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.491] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0079.491] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0079.491] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0079.491] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Health Advisor\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows security health\\health advisor\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0079.492] GetProcessHeap () returned 0x3a00000 [0079.492] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0079.492] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0079.492] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0079.492] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0079.492] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0079.492] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0079.492] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0079.492] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs") returned 57 [0079.492] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0079.492] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0079.492] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0079.492] GetProcessHeap () returned 0x3a00000 [0079.492] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0079.492] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\*") returned 59 [0079.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0079.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0079.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0079.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0079.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0079.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0079.492] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\.") returned 59 [0079.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0079.492] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0079.493] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0079.493] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0079.493] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0079.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0079.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0079.493] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\..") returned 60 [0079.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0079.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0079.493] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bbd978f, ftCreationTime.dwHighDateTime=0x1d38c3f, ftLastAccessTime.dwLowDateTime=0x7bbd978f, ftLastAccessTime.dwHighDateTime=0x1d38c3f, ftLastWriteTime.dwLowDateTime=0x8d13fad9, ftLastWriteTime.dwHighDateTime=0x1d38c3f, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-01~1.BIN")) returned 1 [0079.493] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.493] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.493] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.493] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.493] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.493] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.493] StrStrIW (lpFirst="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.493] lstrcmpW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.493] lstrcmpW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.493] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.493] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.494] GetTickCount () returned 0x1154320 [0079.494] GetTickCount () returned 0x1154320 [0079.494] GetTickCount () returned 0x1154320 [0079.494] GetTickCount () returned 0x1154320 [0079.494] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.494] GetProcessHeap () returned 0x3a00000 [0079.494] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.494] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.496] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.496] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.496] GetProcessHeap () returned 0x3a00000 [0079.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.496] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.496] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.497] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.497] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.497] CloseHandle (hObject=0x438) returned 1 [0079.497] GetProcessHeap () returned 0x3a00000 [0079.497] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.497] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.497] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.498] GetProcessHeap () returned 0x3a00000 [0079.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.498] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29ac15be, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x29ac15be, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x25d26abc, ftLastWriteTime.dwHighDateTime=0x1d38c44, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-01~2.BIN")) returned 1 [0079.498] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.498] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.498] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.498] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.498] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.498] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.498] StrStrIW (lpFirst="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.498] lstrcmpW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.498] lstrcmpW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.498] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.498] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.499] GetTickCount () returned 0x1154320 [0079.499] GetTickCount () returned 0x1154320 [0079.499] GetTickCount () returned 0x1154320 [0079.499] GetTickCount () returned 0x1154320 [0079.710] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.711] GetProcessHeap () returned 0x3a00000 [0079.711] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.711] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.712] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.712] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.713] GetProcessHeap () returned 0x3a00000 [0079.713] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.713] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.713] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.713] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.713] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.713] CloseHandle (hObject=0x438) returned 1 [0079.713] GetProcessHeap () returned 0x3a00000 [0079.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.713] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.714] GetProcessHeap () returned 0x3a00000 [0079.714] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.714] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb863810c, ftCreationTime.dwHighDateTime=0x1d4ae7b, ftLastAccessTime.dwLowDateTime=0xb863810c, ftLastAccessTime.dwHighDateTime=0x1d4ae7b, ftLastWriteTime.dwLowDateTime=0x5a744dc7, ftLastWriteTime.dwHighDateTime=0x1d4ae7c, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-01~3.BIN")) returned 1 [0079.715] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.715] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.715] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.715] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.715] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.715] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.715] StrStrIW (lpFirst="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.715] lstrcmpW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.715] lstrcmpW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.715] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.715] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.716] GetTickCount () returned 0x11543fb [0079.716] GetTickCount () returned 0x11543fb [0079.716] GetTickCount () returned 0x11543fb [0079.716] GetTickCount () returned 0x11543fb [0079.716] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.716] GetProcessHeap () returned 0x3a00000 [0079.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.716] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.719] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.719] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.719] GetProcessHeap () returned 0x3a00000 [0079.719] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.719] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.720] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.720] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.720] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.720] CloseHandle (hObject=0x438) returned 1 [0079.720] GetProcessHeap () returned 0x3a00000 [0079.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.720] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.720] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.721] GetProcessHeap () returned 0x3a00000 [0079.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.721] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf94c6396, ftCreationTime.dwHighDateTime=0x1d39f5a, ftLastAccessTime.dwLowDateTime=0xf94c6396, ftLastAccessTime.dwHighDateTime=0x1d39f5a, ftLastWriteTime.dwLowDateTime=0x54c48137, ftLastWriteTime.dwHighDateTime=0x1d39f5b, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-02~1.BIN")) returned 1 [0079.721] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.721] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.721] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.721] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.721] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.721] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.721] StrStrIW (lpFirst="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.721] lstrcmpW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.721] lstrcmpW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.721] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.721] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.722] GetTickCount () returned 0x115440a [0079.722] GetTickCount () returned 0x115440a [0079.722] GetTickCount () returned 0x115440a [0079.722] GetTickCount () returned 0x115440a [0079.722] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.722] GetProcessHeap () returned 0x3a00000 [0079.722] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.722] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.724] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.724] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.724] GetProcessHeap () returned 0x3a00000 [0079.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.724] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.724] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.724] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.724] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.724] CloseHandle (hObject=0x438) returned 1 [0079.724] GetProcessHeap () returned 0x3a00000 [0079.724] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.725] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.725] GetProcessHeap () returned 0x3a00000 [0079.725] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.725] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb28f34a3, ftCreationTime.dwHighDateTime=0x1d39f5c, ftLastAccessTime.dwLowDateTime=0xb28f34a3, ftLastAccessTime.dwHighDateTime=0x1d39f5c, ftLastWriteTime.dwLowDateTime=0xdd1442c1, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-02~2.BIN")) returned 1 [0079.725] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.725] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.725] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.725] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.725] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.726] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.726] StrStrIW (lpFirst="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.726] lstrcmpW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.726] lstrcmpW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.726] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.726] GetTickCount () returned 0x115440a [0079.726] GetTickCount () returned 0x115440a [0079.726] GetTickCount () returned 0x115440a [0079.726] GetTickCount () returned 0x115440a [0079.726] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.726] GetProcessHeap () returned 0x3a00000 [0079.726] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.726] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.728] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.728] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.728] GetProcessHeap () returned 0x3a00000 [0079.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.728] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.728] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.728] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.728] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.728] CloseHandle (hObject=0x438) returned 1 [0079.729] GetProcessHeap () returned 0x3a00000 [0079.729] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.729] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.729] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.729] GetProcessHeap () returned 0x3a00000 [0079.729] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.729] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xee7ecabd, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0xee7ecabd, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x5e457d19, ftLastWriteTime.dwHighDateTime=0x1d39f5f, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-02~3.BIN")) returned 1 [0079.729] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.729] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.729] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.729] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.729] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.729] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.730] StrStrIW (lpFirst="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.730] lstrcmpW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.730] lstrcmpW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.730] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.730] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.730] GetTickCount () returned 0x115440a [0079.730] GetTickCount () returned 0x115440a [0079.730] GetTickCount () returned 0x115440a [0079.730] GetTickCount () returned 0x115440a [0079.730] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.730] GetProcessHeap () returned 0x3a00000 [0079.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.730] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.732] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.732] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.732] GetProcessHeap () returned 0x3a00000 [0079.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.732] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.732] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.732] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.732] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.732] CloseHandle (hObject=0x438) returned 1 [0079.732] GetProcessHeap () returned 0x3a00000 [0079.732] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.732] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.733] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.733] GetProcessHeap () returned 0x3a00000 [0079.740] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.740] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7a075c31, ftCreationTime.dwHighDateTime=0x1d3aafb, ftLastAccessTime.dwLowDateTime=0x7a075c31, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0x32313161, ftLastWriteTime.dwHighDateTime=0x1d3aafc, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-02~4.BIN")) returned 1 [0079.740] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.740] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.740] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.740] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.740] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.740] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.740] StrStrIW (lpFirst="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.741] lstrcmpW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.741] lstrcmpW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.741] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.741] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.741] GetTickCount () returned 0x115441a [0079.741] GetTickCount () returned 0x115441a [0079.741] GetTickCount () returned 0x115441a [0079.741] GetTickCount () returned 0x115441a [0079.741] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.741] GetProcessHeap () returned 0x3a00000 [0079.741] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.741] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.743] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.743] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.743] GetProcessHeap () returned 0x3a00000 [0079.743] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.743] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.743] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.743] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.743] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.743] CloseHandle (hObject=0x438) returned 1 [0079.743] GetProcessHeap () returned 0x3a00000 [0079.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.744] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.744] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.744] GetProcessHeap () returned 0x3a00000 [0079.744] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.744] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19a4d06c, ftCreationTime.dwHighDateTime=0x1d4d5d0, ftLastAccessTime.dwLowDateTime=0x19a4d06c, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0x37122ed1, ftLastWriteTime.dwHighDateTime=0x1d4d5d0, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-03~1.BIN")) returned 1 [0079.744] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.744] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.744] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.744] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.745] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.745] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.745] StrStrIW (lpFirst="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.745] lstrcmpW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.745] lstrcmpW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.745] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.745] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.746] GetTickCount () returned 0x115441a [0079.746] GetTickCount () returned 0x115441a [0079.746] GetTickCount () returned 0x115441a [0079.746] GetTickCount () returned 0x115441a [0079.746] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.746] GetProcessHeap () returned 0x3a00000 [0079.746] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.746] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.747] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.747] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.747] GetProcessHeap () returned 0x3a00000 [0079.747] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.747] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.748] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.748] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.748] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.748] CloseHandle (hObject=0x438) returned 1 [0079.748] GetProcessHeap () returned 0x3a00000 [0079.748] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.748] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.748] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.749] GetProcessHeap () returned 0x3a00000 [0079.751] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.751] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcadfed41, ftCreationTime.dwHighDateTime=0x1d4d5d2, ftLastAccessTime.dwLowDateTime=0xcadfed41, ftLastAccessTime.dwHighDateTime=0x1d4d5d2, ftLastWriteTime.dwLowDateTime=0xac415a8e, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-03~2.BIN")) returned 1 [0079.751] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.751] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.751] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.751] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.751] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.751] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.751] StrStrIW (lpFirst="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.751] lstrcmpW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.751] lstrcmpW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.751] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.752] GetTickCount () returned 0x1154429 [0079.752] GetTickCount () returned 0x1154429 [0079.752] GetTickCount () returned 0x1154429 [0079.752] GetTickCount () returned 0x1154429 [0079.752] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.752] GetProcessHeap () returned 0x3a00000 [0079.752] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.752] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.755] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.755] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.755] GetProcessHeap () returned 0x3a00000 [0079.756] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.756] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.756] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.756] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.756] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.756] CloseHandle (hObject=0x438) returned 1 [0079.756] GetProcessHeap () returned 0x3a00000 [0079.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.756] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.757] GetProcessHeap () returned 0x3a00000 [0079.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.757] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xb32cf2c, ftCreationTime.dwHighDateTime=0x1d4d600, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-03~3.BIN")) returned 1 [0079.757] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.757] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.757] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.757] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.757] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.757] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.757] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e95e484, ftCreationTime.dwHighDateTime=0x1d41dc3, ftLastAccessTime.dwLowDateTime=0x6e95e484, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0x6da4c73e, ftLastWriteTime.dwHighDateTime=0x1d41dc4, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-07~2.BIN")) returned 1 [0079.757] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.757] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.757] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.757] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.757] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.757] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.757] StrStrIW (lpFirst="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.757] lstrcmpW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.757] lstrcmpW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.757] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.757] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.800] GetTickCount () returned 0x1154458 [0079.800] GetTickCount () returned 0x1154458 [0079.800] GetTickCount () returned 0x1154458 [0079.800] GetTickCount () returned 0x1154458 [0079.800] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.800] GetProcessHeap () returned 0x3a00000 [0079.800] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.800] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.801] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.802] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.802] GetProcessHeap () returned 0x3a00000 [0079.802] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.802] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.802] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.802] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.802] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.802] CloseHandle (hObject=0x438) returned 1 [0079.802] GetProcessHeap () returned 0x3a00000 [0079.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.802] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.803] GetProcessHeap () returned 0x3a00000 [0079.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.803] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3f8b81, ftCreationTime.dwHighDateTime=0x1d41dc5, ftLastAccessTime.dwLowDateTime=0xc3f8b81, ftLastAccessTime.dwHighDateTime=0x1d41dc5, ftLastWriteTime.dwLowDateTime=0x23c2da14, ftLastWriteTime.dwHighDateTime=0x1d41dc5, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-07~1.BIN")) returned 1 [0079.803] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.803] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.803] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.804] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.804] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.804] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.804] StrStrIW (lpFirst="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.804] lstrcmpW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.804] lstrcmpW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.804] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.804] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.805] GetTickCount () returned 0x1154458 [0079.805] GetTickCount () returned 0x1154458 [0079.805] GetTickCount () returned 0x1154458 [0079.805] GetTickCount () returned 0x1154458 [0079.805] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.805] GetProcessHeap () returned 0x3a00000 [0079.805] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.805] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.807] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.807] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0079.807] GetProcessHeap () returned 0x3a00000 [0079.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.807] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.807] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.807] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.807] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.807] CloseHandle (hObject=0x438) returned 1 [0079.807] GetProcessHeap () returned 0x3a00000 [0079.807] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.807] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.808] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.808] GetProcessHeap () returned 0x3a00000 [0079.808] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.808] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88c78932, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x88c78932, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x7b55a971, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-09~1.BIN")) returned 1 [0079.808] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.808] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.808] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.808] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.808] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.808] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.808] StrStrIW (lpFirst="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.808] lstrcmpW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.808] lstrcmpW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.808] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.809] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.809] GetTickCount () returned 0x1154458 [0079.809] GetTickCount () returned 0x1154458 [0079.809] GetTickCount () returned 0x1154458 [0079.809] GetTickCount () returned 0x1154458 [0079.809] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.809] GetProcessHeap () returned 0x3a00000 [0079.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.809] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.811] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.811] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.811] GetProcessHeap () returned 0x3a00000 [0079.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.811] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.811] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.811] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.811] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.811] CloseHandle (hObject=0x438) returned 1 [0079.816] GetProcessHeap () returned 0x3a00000 [0079.816] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.816] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.816] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.817] GetProcessHeap () returned 0x3a00000 [0079.817] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.817] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9095a9c2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9095a9c2, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x5a28d98a, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-09~2.BIN")) returned 1 [0079.817] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.817] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.817] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.817] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.817] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.817] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.817] StrStrIW (lpFirst="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.817] lstrcmpW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.817] lstrcmpW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.817] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.818] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.818] GetTickCount () returned 0x1154468 [0079.818] GetTickCount () returned 0x1154468 [0079.818] GetTickCount () returned 0x1154468 [0079.818] GetTickCount () returned 0x1154468 [0079.818] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.818] GetProcessHeap () returned 0x3a00000 [0079.818] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.818] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0079.819] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.820] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0079.820] GetProcessHeap () returned 0x3a00000 [0079.820] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.820] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.820] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.820] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.820] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.820] CloseHandle (hObject=0x438) returned 1 [0079.821] GetProcessHeap () returned 0x3a00000 [0079.821] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.821] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.821] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.821] GetProcessHeap () returned 0x3a00000 [0079.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.821] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64211155, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x64211155, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xfd42c56a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-09~3.BIN")) returned 1 [0079.821] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.821] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.821] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.821] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.821] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.821] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.821] StrStrIW (lpFirst="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.822] lstrcmpW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.822] lstrcmpW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.822] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.822] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.822] GetTickCount () returned 0x1154468 [0079.822] GetTickCount () returned 0x1154468 [0079.822] GetTickCount () returned 0x1154468 [0079.822] GetTickCount () returned 0x1154468 [0079.822] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.823] GetProcessHeap () returned 0x3a00000 [0079.823] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.823] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.824] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.824] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.824] GetProcessHeap () returned 0x3a00000 [0079.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.824] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.824] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.824] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.824] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.825] CloseHandle (hObject=0x438) returned 1 [0079.825] GetProcessHeap () returned 0x3a00000 [0079.825] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.825] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.825] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.825] GetProcessHeap () returned 0x3a00000 [0079.825] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.825] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x65faa03, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x65faa03, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x8f6c25b7, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-09~4.BIN")) returned 1 [0079.825] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.826] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.826] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.826] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.826] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.826] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.826] StrStrIW (lpFirst="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.826] lstrcmpW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.826] lstrcmpW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.826] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.826] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.826] GetTickCount () returned 0x1154468 [0079.826] GetTickCount () returned 0x1154468 [0079.826] GetTickCount () returned 0x1154468 [0079.826] GetTickCount () returned 0x1154468 [0079.826] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.826] GetProcessHeap () returned 0x3a00000 [0079.826] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.826] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.828] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.828] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.828] GetProcessHeap () returned 0x3a00000 [0079.828] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.828] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.829] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.829] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.829] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.829] CloseHandle (hObject=0x438) returned 1 [0079.829] GetProcessHeap () returned 0x3a00000 [0079.829] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.829] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.830] GetProcessHeap () returned 0x3a00000 [0079.830] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.830] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x98d63d64, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0x98d63d64, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xffed8d7a, ftLastWriteTime.dwHighDateTime=0x1d327ec, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SH3B08~1.BIN")) returned 1 [0079.830] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.830] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.830] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.830] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.830] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.830] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.830] StrStrIW (lpFirst="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.830] lstrcmpW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.830] lstrcmpW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.830] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.830] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.830] GetTickCount () returned 0x1154478 [0079.830] GetTickCount () returned 0x1154478 [0079.830] GetTickCount () returned 0x1154478 [0079.830] GetTickCount () returned 0x1154478 [0079.830] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.831] GetProcessHeap () returned 0x3a00000 [0079.831] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.831] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0079.832] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.833] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0079.833] GetProcessHeap () returned 0x3a00000 [0079.833] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.833] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.833] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.833] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.833] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.833] CloseHandle (hObject=0x438) returned 1 [0079.833] GetProcessHeap () returned 0x3a00000 [0079.833] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.833] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.833] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.834] GetProcessHeap () returned 0x3a00000 [0079.834] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.834] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xd5f7bb1, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0xd5f7bb1, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xd5f7bb1, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SH7EFA~1.BIN")) returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.834] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.834] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.834] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.834] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8361892b, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x8361892b, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0x1e89ead9, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHFD17~1.BIN")) returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.834] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.834] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.834] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.834] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.834] StrStrIW (lpFirst="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.834] lstrcmpW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.835] lstrcmpW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.835] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.835] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.836] GetTickCount () returned 0x1154478 [0079.836] GetTickCount () returned 0x1154478 [0079.836] GetTickCount () returned 0x1154478 [0079.836] GetTickCount () returned 0x1154478 [0079.836] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.836] GetProcessHeap () returned 0x3a00000 [0079.836] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.836] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.837] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0079.838] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0079.838] GetProcessHeap () returned 0x3a00000 [0079.838] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0079.838] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.838] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0079.838] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0079.838] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0079.838] CloseHandle (hObject=0x438) returned 1 [0079.838] GetProcessHeap () returned 0x3a00000 [0079.838] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0079.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0079.838] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0079.839] GetProcessHeap () returned 0x3a00000 [0079.839] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0079.839] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x291e9ee7, ftCreationTime.dwHighDateTime=0x1d336e0, ftLastAccessTime.dwLowDateTime=0x291e9ee7, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xbc53e837, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SH8EDE~1.BIN")) returned 1 [0079.839] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0079.839] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0079.839] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0079.839] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0079.839] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0079.839] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0079.839] StrStrIW (lpFirst="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0079.839] lstrcmpW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0079.839] lstrcmpW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0079.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0079.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0079.904] GetTickCount () returned 0x11544b6 [0079.904] GetTickCount () returned 0x11544b6 [0079.904] GetTickCount () returned 0x11544b6 [0079.904] GetTickCount () returned 0x11544b6 [0079.904] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0079.904] GetProcessHeap () returned 0x3a00000 [0079.904] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0079.904] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.003] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.003] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.003] GetProcessHeap () returned 0x3a00000 [0080.003] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.003] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.003] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.003] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.003] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.003] CloseHandle (hObject=0x438) returned 1 [0080.003] GetProcessHeap () returned 0x3a00000 [0080.003] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.004] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.004] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.005] GetProcessHeap () returned 0x3a00000 [0080.005] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.005] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa53a1f04, ftCreationTime.dwHighDateTime=0x1d461f2, ftLastAccessTime.dwLowDateTime=0xa53a1f04, ftLastAccessTime.dwHighDateTime=0x1d461f2, ftLastWriteTime.dwLowDateTime=0xc1465998, ftLastWriteTime.dwHighDateTime=0x1d461f2, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-10~2.BIN")) returned 1 [0080.005] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.005] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.005] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.005] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.005] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.005] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.005] StrStrIW (lpFirst="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.005] lstrcmpW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.005] lstrcmpW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.005] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.005] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.006] GetTickCount () returned 0x1154523 [0080.006] GetTickCount () returned 0x1154523 [0080.006] GetTickCount () returned 0x1154523 [0080.006] GetTickCount () returned 0x1154523 [0080.006] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.006] GetProcessHeap () returned 0x3a00000 [0080.006] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.006] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.023] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.023] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.024] GetProcessHeap () returned 0x3a00000 [0080.024] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.024] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.024] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.024] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.024] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.024] CloseHandle (hObject=0x438) returned 1 [0080.024] GetProcessHeap () returned 0x3a00000 [0080.024] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.024] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.024] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.025] GetProcessHeap () returned 0x3a00000 [0080.025] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.025] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x24b95208, ftCreationTime.dwHighDateTime=0x1d461fa, ftLastAccessTime.dwLowDateTime=0x24b95208, ftLastAccessTime.dwHighDateTime=0x1d461fa, ftLastWriteTime.dwLowDateTime=0x41cd2745, ftLastWriteTime.dwHighDateTime=0x1d461fa, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-10~3.BIN")) returned 1 [0080.025] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.025] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.025] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.025] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.025] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.025] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.025] StrStrIW (lpFirst="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.025] lstrcmpW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.025] lstrcmpW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.025] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.025] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.028] GetTickCount () returned 0x1154533 [0080.028] GetTickCount () returned 0x1154533 [0080.028] GetTickCount () returned 0x1154533 [0080.028] GetTickCount () returned 0x1154533 [0080.028] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.028] GetProcessHeap () returned 0x3a00000 [0080.028] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.028] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.052] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.052] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.052] GetProcessHeap () returned 0x3a00000 [0080.052] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.052] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.052] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.053] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.053] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.053] CloseHandle (hObject=0x438) returned 1 [0080.053] GetProcessHeap () returned 0x3a00000 [0080.053] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.053] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.053] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.054] GetProcessHeap () returned 0x3a00000 [0080.054] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.054] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb8d5846d, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xb8d5846d, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xcd7cd567, ftLastWriteTime.dwHighDateTime=0x1d34734, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-10~1.BIN")) returned 1 [0080.054] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.054] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.054] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.054] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.054] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.054] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.054] StrStrIW (lpFirst="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.054] lstrcmpW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.054] lstrcmpW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.054] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.054] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.055] GetTickCount () returned 0x1154552 [0080.055] GetTickCount () returned 0x1154552 [0080.055] GetTickCount () returned 0x1154552 [0080.055] GetTickCount () returned 0x1154552 [0080.055] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.055] GetProcessHeap () returned 0x3a00000 [0080.055] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.055] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.057] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.057] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.057] GetProcessHeap () returned 0x3a00000 [0080.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.057] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.057] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.058] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.058] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.058] CloseHandle (hObject=0x438) returned 1 [0080.058] GetProcessHeap () returned 0x3a00000 [0080.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.058] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.058] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.059] GetProcessHeap () returned 0x3a00000 [0080.059] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.059] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e427524, ftCreationTime.dwHighDateTime=0x1d47c27, ftLastAccessTime.dwLowDateTime=0x4e427524, ftLastAccessTime.dwHighDateTime=0x1d47c27, ftLastWriteTime.dwLowDateTime=0x76bc81c5, ftLastWriteTime.dwHighDateTime=0x1d47c27, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-11~3.BIN")) returned 1 [0080.059] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.059] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.059] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.059] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.059] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.059] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.059] StrStrIW (lpFirst="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.059] lstrcmpW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.059] lstrcmpW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.059] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.059] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.060] GetTickCount () returned 0x1154552 [0080.060] GetTickCount () returned 0x1154552 [0080.060] GetTickCount () returned 0x1154552 [0080.060] GetTickCount () returned 0x1154552 [0080.060] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.060] GetProcessHeap () returned 0x3a00000 [0080.060] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.060] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.061] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.061] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.061] GetProcessHeap () returned 0x3a00000 [0080.061] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.062] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.062] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.063] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.063] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.063] CloseHandle (hObject=0x438) returned 1 [0080.063] GetProcessHeap () returned 0x3a00000 [0080.063] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.063] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.063] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.064] GetProcessHeap () returned 0x3a00000 [0080.064] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.064] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x41355b6d, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x41355b6d, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x7313b7f3, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-11~4.BIN")) returned 1 [0080.064] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.064] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.064] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.064] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.064] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.064] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.064] StrStrIW (lpFirst="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.064] lstrcmpW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.064] lstrcmpW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.064] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.064] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.064] GetTickCount () returned 0x1154562 [0080.064] GetTickCount () returned 0x1154562 [0080.064] GetTickCount () returned 0x1154562 [0080.064] GetTickCount () returned 0x1154562 [0080.064] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.065] GetProcessHeap () returned 0x3a00000 [0080.065] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.065] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.067] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.067] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.067] GetProcessHeap () returned 0x3a00000 [0080.067] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.067] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.067] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.068] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.068] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.068] CloseHandle (hObject=0x438) returned 1 [0080.068] GetProcessHeap () returned 0x3a00000 [0080.068] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.068] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.068] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.069] GetProcessHeap () returned 0x3a00000 [0080.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.069] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc44ebf9e, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xc44ebf9e, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf7186f57, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHFCB7~1.BIN")) returned 1 [0080.069] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.069] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.069] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.069] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.069] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.069] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.069] StrStrIW (lpFirst="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.069] lstrcmpW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.069] lstrcmpW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.069] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.069] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.069] GetTickCount () returned 0x1154562 [0080.070] GetTickCount () returned 0x1154562 [0080.070] GetTickCount () returned 0x1154562 [0080.070] GetTickCount () returned 0x1154562 [0080.070] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.070] GetProcessHeap () returned 0x3a00000 [0080.070] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.070] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.071] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.071] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x2000, lpOverlapped=0x0) returned 1 [0080.071] GetProcessHeap () returned 0x3a00000 [0080.071] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.071] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.071] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.071] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.072] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.072] CloseHandle (hObject=0x438) returned 1 [0080.072] GetProcessHeap () returned 0x3a00000 [0080.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.072] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.072] GetProcessHeap () returned 0x3a00000 [0080.072] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.072] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x444f8b5f, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x444f8b5f, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x57b398d2, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-11~1.BIN")) returned 1 [0080.072] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.072] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.073] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.073] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.073] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.073] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.073] StrStrIW (lpFirst="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.073] lstrcmpW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.073] lstrcmpW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.073] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.073] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.073] GetTickCount () returned 0x1154562 [0080.073] GetTickCount () returned 0x1154562 [0080.073] GetTickCount () returned 0x1154562 [0080.073] GetTickCount () returned 0x1154562 [0080.073] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.073] GetProcessHeap () returned 0x3a00000 [0080.073] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.073] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.075] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.075] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.075] GetProcessHeap () returned 0x3a00000 [0080.075] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.075] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.075] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.075] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.075] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.076] CloseHandle (hObject=0x438) returned 1 [0080.076] GetProcessHeap () returned 0x3a00000 [0080.076] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.076] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.076] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.076] GetProcessHeap () returned 0x3a00000 [0080.076] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.076] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69870cf2, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x69870cf2, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x13731c69, ftLastWriteTime.dwHighDateTime=0x1d35e04, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-11~2.BIN")) returned 1 [0080.076] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0080.076] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0080.076] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0080.076] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0080.076] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0080.077] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 126 [0080.077] StrStrIW (lpFirst="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpSrch=".ebal") returned 0x0 [0080.077] lstrcmpW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.077] lstrcmpW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="taridd") returned -1 [0080.077] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.077] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.119] GetTickCount () returned 0x1154591 [0080.119] GetTickCount () returned 0x1154591 [0080.119] GetTickCount () returned 0x1154591 [0080.119] GetTickCount () returned 0x1154591 [0080.119] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.119] GetProcessHeap () returned 0x3a00000 [0080.119] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0080.119] ReadFile (in: hFile=0x438, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.122] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.122] WriteFile (in: hFile=0x438, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65af2d4*=0x1000, lpOverlapped=0x0) returned 1 [0080.122] GetProcessHeap () returned 0x3a00000 [0080.122] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0080.122] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.123] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.123] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.123] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.123] CloseHandle (hObject=0x438) returned 1 [0080.123] GetProcessHeap () returned 0x3a00000 [0080.123] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.123] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 145 [0080.123] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\shs-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal")) returned 1 [0080.127] GetProcessHeap () returned 0x3a00000 [0080.127] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.127] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69870cf2, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x69870cf2, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x13731c69, ftLastWriteTime.dwHighDateTime=0x1d35e04, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-11~2.BIN")) returned 0 [0080.127] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0080.127] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0080.127] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows security health\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.128] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.129] CloseHandle (hObject=0x434) returned 1 [0080.129] GetProcessHeap () returned 0x3a00000 [0080.129] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.129] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 0 [0080.129] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0080.129] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0080.129] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\Windows Security Health\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\windows security health\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.156] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.157] CloseHandle (hObject=0x430) returned 1 [0080.157] GetProcessHeap () returned 0x3a00000 [0080.157] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.157] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WinMSIPC", cAlternateFileName="")) returned 1 [0080.158] lstrcmpiW (lpString1="WinMSIPC", lpString2="Windows") returned 1 [0080.158] lstrcmpiW (lpString1="WinMSIPC", lpString2="$Recycle.bin") returned 1 [0080.158] lstrcmpiW (lpString1="WinMSIPC", lpString2="System Volume Information") returned 1 [0080.158] lstrcmpiW (lpString1="WinMSIPC", lpString2="Program Files") returned 1 [0080.158] lstrcmpiW (lpString1="WinMSIPC", lpString2="Program Files (x86)") returned 1 [0080.158] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC") returned 37 [0080.158] lstrcmpW (lpString1="WinMSIPC", lpString2=".") returned 1 [0080.158] lstrcmpW (lpString1="WinMSIPC", lpString2="..") returned 1 [0080.158] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.158] GetProcessHeap () returned 0x3a00000 [0080.158] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.158] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*") returned 39 [0080.158] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0080.163] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.163] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.163] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.163] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.163] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.163] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\.") returned 39 [0080.163] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.163] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.163] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.163] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.163] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.163] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.163] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.163] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\..") returned 40 [0080.163] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.163] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.163] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 1 [0080.164] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0080.164] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0080.164] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0080.164] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0080.164] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0080.164] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server") returned 44 [0080.164] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0080.164] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0080.164] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.164] GetProcessHeap () returned 0x3a00000 [0080.164] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.164] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*") returned 46 [0080.164] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0080.164] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.164] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.164] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.164] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\.") returned 46 [0080.164] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.164] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0080.164] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.164] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0080.164] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.164] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\." (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.165] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.165] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.165] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.165] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.165] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.165] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.165] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\..") returned 47 [0080.165] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.165] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.165] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0080.165] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.165] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0080.165] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.165] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\.." (normalized: "c:\\programdata\\microsoft\\winmsipc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.165] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0080.165] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0080.165] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0080.165] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\winmsipc\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.168] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.169] CloseHandle (hObject=0x434) returned 1 [0080.169] GetProcessHeap () returned 0x3a00000 [0080.169] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.169] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 0 [0080.169] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0080.169] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0080.169] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WinMSIPC\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\winmsipc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.170] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.174] CloseHandle (hObject=0x430) returned 1 [0080.174] GetProcessHeap () returned 0x3a00000 [0080.174] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.174] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0080.174] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0080.174] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0080.174] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0080.174] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0080.174] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0080.174] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc") returned 36 [0080.174] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0080.174] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0080.174] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.174] GetProcessHeap () returned 0x3a00000 [0080.174] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.174] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*") returned 38 [0080.174] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0080.175] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.175] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.175] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.175] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.175] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.175] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.") returned 38 [0080.175] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.175] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0080.175] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.175] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0080.175] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.175] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.175] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.175] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.175] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.175] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.175] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.175] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.175] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\..") returned 39 [0080.175] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.175] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.175] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0080.175] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.175] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0080.175] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.175] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\.." (normalized: "c:\\programdata\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.176] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1 [0080.176] lstrcmpiW (lpString1="DMProfiles", lpString2="Windows") returned -1 [0080.176] lstrcmpiW (lpString1="DMProfiles", lpString2="$Recycle.bin") returned 1 [0080.176] lstrcmpiW (lpString1="DMProfiles", lpString2="System Volume Information") returned -1 [0080.176] lstrcmpiW (lpString1="DMProfiles", lpString2="Program Files") returned -1 [0080.176] lstrcmpiW (lpString1="DMProfiles", lpString2="Program Files (x86)") returned -1 [0080.176] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles") returned 47 [0080.176] lstrcmpW (lpString1="DMProfiles", lpString2=".") returned 1 [0080.176] lstrcmpW (lpString1="DMProfiles", lpString2="..") returned 1 [0080.176] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.176] GetProcessHeap () returned 0x3a00000 [0080.176] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.176] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*") returned 49 [0080.176] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0080.176] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.176] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.176] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.176] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.176] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.176] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\.") returned 49 [0080.176] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.176] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0080.176] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.176] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0080.176] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.176] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.176] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.177] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.177] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.177] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.177] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.177] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.177] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\..") returned 50 [0080.177] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.177] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.177] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0080.177] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.177] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0080.177] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\.." (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.177] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0080.177] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0080.177] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0080.177] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\DMProfiles\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\dmprofiles\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.178] GetProcessHeap () returned 0x3a00000 [0080.178] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.178] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 1 [0080.178] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0080.178] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0080.178] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0080.178] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0080.178] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0080.178] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles") returned 45 [0080.178] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0080.178] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0080.178] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.178] GetProcessHeap () returned 0x3a00000 [0080.178] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.178] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*") returned 47 [0080.178] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0080.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.178] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.") returned 47 [0080.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.178] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0080.178] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.178] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0080.178] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.178] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.179] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.179] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.179] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.179] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.179] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\..") returned 48 [0080.179] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.179] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.179] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0080.179] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0080.179] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0080.179] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.179] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\programdata\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.179] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0080.179] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0080.179] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0080.179] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\profiles\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0080.179] GetProcessHeap () returned 0x3a00000 [0080.179] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.179] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 0 [0080.179] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0080.179] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0080.179] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\WwanSvc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\wwansvc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.180] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.181] CloseHandle (hObject=0x430) returned 1 [0080.181] GetProcessHeap () returned 0x3a00000 [0080.181] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.181] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0080.181] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0080.181] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0080.181] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0080.182] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0080.183] CloseHandle (hObject=0x42c) returned 1 [0080.183] GetProcessHeap () returned 0x3a00000 [0080.183] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0080.183] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0080.183] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Windows") returned -1 [0080.183] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="$Recycle.bin") returned 1 [0080.183] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="System Volume Information") returned -1 [0080.183] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Program Files") returned -1 [0080.183] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Program Files (x86)") returned -1 [0080.183] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive") returned 37 [0080.183] lstrcmpW (lpString1="Microsoft OneDrive", lpString2=".") returned 1 [0080.183] lstrcmpW (lpString1="Microsoft OneDrive", lpString2="..") returned 1 [0080.183] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.183] GetProcessHeap () returned 0x3a00000 [0080.183] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0080.183] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*") returned 39 [0080.183] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0080.185] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.185] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.185] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.185] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.185] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.185] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\.") returned 39 [0080.185] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.185] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.185] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.185] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.185] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.185] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.185] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.185] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\..") returned 40 [0080.185] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.185] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.185] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="setup", cAlternateFileName="")) returned 1 [0080.185] lstrcmpiW (lpString1="setup", lpString2="Windows") returned -1 [0080.185] lstrcmpiW (lpString1="setup", lpString2="$Recycle.bin") returned 1 [0080.185] lstrcmpiW (lpString1="setup", lpString2="System Volume Information") returned -1 [0080.185] lstrcmpiW (lpString1="setup", lpString2="Program Files") returned 1 [0080.185] lstrcmpiW (lpString1="setup", lpString2="Program Files (x86)") returned 1 [0080.185] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup") returned 43 [0080.185] lstrcmpW (lpString1="setup", lpString2=".") returned 1 [0080.185] lstrcmpW (lpString1="setup", lpString2="..") returned 1 [0080.185] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.185] GetProcessHeap () returned 0x3a00000 [0080.186] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.186] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*") returned 45 [0080.186] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0080.186] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.186] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.186] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.186] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.186] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.186] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\.") returned 45 [0080.186] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.186] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.186] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.186] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.186] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.186] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.186] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.186] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\..") returned 46 [0080.186] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.186] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.186] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="refcount.ini", cAlternateFileName="")) returned 1 [0080.186] lstrcmpiW (lpString1="refcount.ini", lpString2="Windows") returned -1 [0080.186] lstrcmpiW (lpString1="refcount.ini", lpString2="$Recycle.bin") returned 1 [0080.186] lstrcmpiW (lpString1="refcount.ini", lpString2="System Volume Information") returned -1 [0080.186] lstrcmpiW (lpString1="refcount.ini", lpString2="Program Files") returned 1 [0080.191] lstrcmpiW (lpString1="refcount.ini", lpString2="Program Files (x86)") returned 1 [0080.191] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini") returned 56 [0080.191] StrStrIW (lpFirst="refcount.ini", lpSrch=".ebal") returned 0x0 [0080.191] lstrcmpW (lpString1="refcount.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.191] lstrcmpW (lpString1="refcount.ini", lpString2="taridd") returned -1 [0080.191] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.191] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\refcount.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.192] GetTickCount () returned 0x11545df [0080.192] GetTickCount () returned 0x11545df [0080.192] GetTickCount () returned 0x11545df [0080.192] GetTickCount () returned 0x11545df [0080.192] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.192] GetProcessHeap () returned 0x3a00000 [0080.192] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.192] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x0, lpOverlapped=0x0) returned 1 [0080.192] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.192] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x0, lpOverlapped=0x0) returned 1 [0080.192] GetProcessHeap () returned 0x3a00000 [0080.192] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.192] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.192] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.193] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.193] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.194] CloseHandle (hObject=0x434) returned 1 [0080.194] GetProcessHeap () returned 0x3a00000 [0080.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.194] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini_r00t_{8ew5f6}.ebal") returned 75 [0080.194] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\refcount.ini"), lpNewFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\refcount.ini_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\refcount.ini_r00t_{8ew5f6}.ebal")) returned 1 [0080.195] GetProcessHeap () returned 0x3a00000 [0080.195] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.195] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="refcount.ini", cAlternateFileName="")) returned 0 [0080.195] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0080.195] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0080.195] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\setup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft onedrive\\setup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.235] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.236] CloseHandle (hObject=0x430) returned 1 [0080.236] GetProcessHeap () returned 0x3a00000 [0080.236] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.236] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="setup", cAlternateFileName="")) returned 0 [0080.237] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0080.237] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0080.237] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Microsoft OneDrive\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\microsoft onedrive\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0080.237] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0080.238] CloseHandle (hObject=0x42c) returned 1 [0080.238] GetProcessHeap () returned 0x3a00000 [0080.238] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0080.238] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Oracle", cAlternateFileName="")) returned 1 [0080.238] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0080.238] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0080.238] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0080.238] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0080.238] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0080.238] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle") returned 25 [0080.238] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0080.238] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0080.238] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.239] GetProcessHeap () returned 0x3a00000 [0080.239] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0080.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\*") returned 27 [0080.239] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0080.239] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.239] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.239] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.239] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.239] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\.") returned 27 [0080.239] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.239] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.239] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.239] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.239] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.239] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.239] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\..") returned 28 [0080.239] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.239] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.239] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Java", cAlternateFileName="")) returned 1 [0080.239] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0080.239] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0080.239] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0080.239] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0080.239] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0080.239] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java") returned 30 [0080.239] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0080.240] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0080.240] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.240] GetProcessHeap () returned 0x3a00000 [0080.240] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.240] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*") returned 32 [0080.240] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0080.240] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.240] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.240] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.240] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.241] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.241] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.") returned 32 [0080.241] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.241] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.241] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.241] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.241] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.241] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.241] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.241] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\..") returned 33 [0080.241] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.241] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.241] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".oracle_jre_usage", cAlternateFileName="ORACLE~1")) returned 1 [0080.241] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Windows") returned -1 [0080.241] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="$Recycle.bin") returned 1 [0080.241] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="System Volume Information") returned -1 [0080.241] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Program Files") returned -1 [0080.241] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Program Files (x86)") returned -1 [0080.241] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage") returned 48 [0080.241] lstrcmpW (lpString1=".oracle_jre_usage", lpString2=".") returned 1 [0080.241] lstrcmpW (lpString1=".oracle_jre_usage", lpString2="..") returned 1 [0080.241] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.241] GetProcessHeap () returned 0x3a00000 [0080.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.241] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*") returned 50 [0080.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0080.242] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.242] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.242] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.242] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\.") returned 50 [0080.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.242] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.243] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.243] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.243] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.243] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.243] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.243] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\..") returned 51 [0080.243] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.243] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.243] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 1 [0080.243] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="Windows") returned -1 [0080.243] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="$Recycle.bin") returned 1 [0080.243] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="System Volume Information") returned -1 [0080.243] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="Program Files") returned -1 [0080.243] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="Program Files (x86)") returned -1 [0080.243] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp") returned 75 [0080.243] StrStrIW (lpFirst="17dfc292991c7c46.timestamp", lpSrch=".ebal") returned 0x0 [0080.243] lstrcmpW (lpString1="17dfc292991c7c46.timestamp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.243] lstrcmpW (lpString1="17dfc292991c7c46.timestamp", lpString2="taridd") returned -1 [0080.243] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.243] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.244] GetTickCount () returned 0x115460e [0080.244] GetTickCount () returned 0x115460e [0080.244] GetTickCount () returned 0x115460e [0080.244] GetTickCount () returned 0x115460e [0080.244] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.244] GetProcessHeap () returned 0x3a00000 [0080.244] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.244] ReadFile (in: hFile=0x438, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af2d4*=0x33, lpOverlapped=0x0) returned 1 [0080.245] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffffcd, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.245] WriteFile (in: hFile=0x438, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af2d4*=0x33, lpOverlapped=0x0) returned 1 [0080.246] GetProcessHeap () returned 0x3a00000 [0080.246] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.246] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.246] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.246] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.246] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.247] CloseHandle (hObject=0x438) returned 1 [0080.247] GetProcessHeap () returned 0x3a00000 [0080.247] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.247] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal") returned 94 [0080.247] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal")) returned 1 [0080.247] GetProcessHeap () returned 0x3a00000 [0080.247] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.248] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 0 [0080.248] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0080.248] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0080.248] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\java\\.oracle_jre_usage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.249] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.253] CloseHandle (hObject=0x434) returned 1 [0080.253] GetProcessHeap () returned 0x3a00000 [0080.253] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.253] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1 [0080.253] lstrcmpiW (lpString1="installcache_x64", lpString2="Windows") returned -1 [0080.253] lstrcmpiW (lpString1="installcache_x64", lpString2="$Recycle.bin") returned 1 [0080.253] lstrcmpiW (lpString1="installcache_x64", lpString2="System Volume Information") returned -1 [0080.253] lstrcmpiW (lpString1="installcache_x64", lpString2="Program Files") returned -1 [0080.253] lstrcmpiW (lpString1="installcache_x64", lpString2="Program Files (x86)") returned -1 [0080.253] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64") returned 47 [0080.253] lstrcmpW (lpString1="installcache_x64", lpString2=".") returned 1 [0080.253] lstrcmpW (lpString1="installcache_x64", lpString2="..") returned 1 [0080.253] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.253] GetProcessHeap () returned 0x3a00000 [0080.253] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.253] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*") returned 49 [0080.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0080.254] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.254] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.254] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.254] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\.") returned 49 [0080.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.254] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.254] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.254] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\..") returned 50 [0080.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.254] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 1 [0080.254] lstrcmpiW (lpString1="baseimagefam8", lpString2="Windows") returned -1 [0080.254] lstrcmpiW (lpString1="baseimagefam8", lpString2="$Recycle.bin") returned 1 [0080.254] lstrcmpiW (lpString1="baseimagefam8", lpString2="System Volume Information") returned -1 [0080.255] lstrcmpiW (lpString1="baseimagefam8", lpString2="Program Files") returned -1 [0080.255] lstrcmpiW (lpString1="baseimagefam8", lpString2="Program Files (x86)") returned -1 [0080.255] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8") returned 61 [0080.255] StrStrIW (lpFirst="baseimagefam8", lpSrch=".ebal") returned 0x0 [0080.255] lstrcmpW (lpString1="baseimagefam8", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.255] lstrcmpW (lpString1="baseimagefam8", lpString2="taridd") returned -1 [0080.255] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.255] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.255] GetTickCount () returned 0x115461d [0080.256] GetTickCount () returned 0x115461d [0080.256] GetTickCount () returned 0x115461d [0080.256] GetTickCount () returned 0x115461d [0080.256] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.256] GetProcessHeap () returned 0x3a00000 [0080.256] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.256] ReadFile (in: hFile=0x438, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.260] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.260] WriteFile (in: hFile=0x438, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.260] GetProcessHeap () returned 0x3a00000 [0080.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.260] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.260] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.262] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.263] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.263] CloseHandle (hObject=0x438) returned 1 [0080.263] GetProcessHeap () returned 0x3a00000 [0080.263] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.263] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8_r00t_{8ew5f6}.ebal") returned 80 [0080.263] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\baseimagefam8_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\baseimagefam8_r00t_{8ew5f6}.ebal")) returned 1 [0080.264] GetProcessHeap () returned 0x3a00000 [0080.264] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.264] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 0 [0080.264] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0080.269] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0080.269] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\installcache_x64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\java\\installcache_x64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.270] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.271] CloseHandle (hObject=0x434) returned 1 [0080.271] GetProcessHeap () returned 0x3a00000 [0080.271] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.271] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath", cAlternateFileName="")) returned 1 [0080.271] lstrcmpiW (lpString1="javapath", lpString2="Windows") returned -1 [0080.271] lstrcmpiW (lpString1="javapath", lpString2="$Recycle.bin") returned 1 [0080.271] lstrcmpiW (lpString1="javapath", lpString2="System Volume Information") returned -1 [0080.271] lstrcmpiW (lpString1="javapath", lpString2="Program Files") returned -1 [0080.271] lstrcmpiW (lpString1="javapath", lpString2="Program Files (x86)") returned -1 [0080.271] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath") returned 39 [0080.271] lstrcmpW (lpString1="javapath", lpString2=".") returned 1 [0080.271] lstrcmpW (lpString1="javapath", lpString2="..") returned 1 [0080.271] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.271] GetProcessHeap () returned 0x3a00000 [0080.271] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.271] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*") returned 41 [0080.271] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0080.271] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.271] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.271] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\.") returned 41 [0080.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.272] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\..") returned 42 [0080.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.272] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="java.exe", cAlternateFileName="")) returned 1 [0080.272] lstrcmpiW (lpString1="java.exe", lpString2="Windows") returned -1 [0080.272] lstrcmpiW (lpString1="java.exe", lpString2="$Recycle.bin") returned 1 [0080.272] lstrcmpiW (lpString1="java.exe", lpString2="System Volume Information") returned -1 [0080.272] lstrcmpiW (lpString1="java.exe", lpString2="Program Files") returned -1 [0080.272] lstrcmpiW (lpString1="java.exe", lpString2="Program Files (x86)") returned -1 [0080.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe") returned 48 [0080.272] StrStrIW (lpFirst="java.exe", lpSrch=".ebal") returned 0x0 [0080.272] lstrcmpW (lpString1="java.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.272] lstrcmpW (lpString1="java.exe", lpString2="taridd") returned -1 [0080.272] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.272] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\java.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.273] GetTickCount () returned 0x115462d [0080.273] GetTickCount () returned 0x115462d [0080.273] GetTickCount () returned 0x115462d [0080.273] GetTickCount () returned 0x115462d [0080.273] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.273] GetProcessHeap () returned 0x3a00000 [0080.273] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.273] ReadFile (in: hFile=0x438, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.275] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.275] WriteFile (in: hFile=0x438, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.275] GetProcessHeap () returned 0x3a00000 [0080.275] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.275] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.275] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.278] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.278] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.278] CloseHandle (hObject=0x438) returned 1 [0080.278] GetProcessHeap () returned 0x3a00000 [0080.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.278] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe_r00t_{8ew5f6}.ebal") returned 67 [0080.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\java.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\java.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\oracle\\java\\javapath\\java.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.279] GetProcessHeap () returned 0x3a00000 [0080.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.279] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0080.279] lstrcmpiW (lpString1="javaw.exe", lpString2="Windows") returned -1 [0080.279] lstrcmpiW (lpString1="javaw.exe", lpString2="$Recycle.bin") returned 1 [0080.279] lstrcmpiW (lpString1="javaw.exe", lpString2="System Volume Information") returned -1 [0080.279] lstrcmpiW (lpString1="javaw.exe", lpString2="Program Files") returned -1 [0080.279] lstrcmpiW (lpString1="javaw.exe", lpString2="Program Files (x86)") returned -1 [0080.279] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe") returned 49 [0080.279] StrStrIW (lpFirst="javaw.exe", lpSrch=".ebal") returned 0x0 [0080.279] lstrcmpW (lpString1="javaw.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.279] lstrcmpW (lpString1="javaw.exe", lpString2="taridd") returned -1 [0080.279] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.279] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaw.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.280] GetTickCount () returned 0x115462d [0080.280] GetTickCount () returned 0x115462d [0080.280] GetTickCount () returned 0x115462d [0080.280] GetTickCount () returned 0x115462d [0080.280] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.280] GetProcessHeap () returned 0x3a00000 [0080.280] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.280] ReadFile (in: hFile=0x438, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.312] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.312] WriteFile (in: hFile=0x438, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.312] GetProcessHeap () returned 0x3a00000 [0080.313] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.313] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.313] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.314] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.314] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.314] CloseHandle (hObject=0x438) returned 1 [0080.314] GetProcessHeap () returned 0x3a00000 [0080.314] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.314] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe_r00t_{8ew5f6}.ebal") returned 68 [0080.314] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaw.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaw.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaw.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.316] GetProcessHeap () returned 0x3a00000 [0080.316] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.316] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0080.316] lstrcmpiW (lpString1="javaws.exe", lpString2="Windows") returned -1 [0080.316] lstrcmpiW (lpString1="javaws.exe", lpString2="$Recycle.bin") returned 1 [0080.316] lstrcmpiW (lpString1="javaws.exe", lpString2="System Volume Information") returned -1 [0080.316] lstrcmpiW (lpString1="javaws.exe", lpString2="Program Files") returned -1 [0080.316] lstrcmpiW (lpString1="javaws.exe", lpString2="Program Files (x86)") returned -1 [0080.316] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe") returned 50 [0080.317] StrStrIW (lpFirst="javaws.exe", lpSrch=".ebal") returned 0x0 [0080.317] lstrcmpW (lpString1="javaws.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.317] lstrcmpW (lpString1="javaws.exe", lpString2="taridd") returned -1 [0080.317] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.317] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaws.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.317] GetTickCount () returned 0x115465c [0080.317] GetTickCount () returned 0x115465c [0080.317] GetTickCount () returned 0x115465c [0080.317] GetTickCount () returned 0x115465c [0080.317] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af220*, pdwDataLen=0x65af2d0*=0x80) returned 1 [0080.317] GetProcessHeap () returned 0x3a00000 [0080.317] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.317] ReadFile (in: hFile=0x438, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.319] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.319] WriteFile (in: hFile=0x438, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af2d4*=0x2800, lpOverlapped=0x0) returned 1 [0080.319] GetProcessHeap () returned 0x3a00000 [0080.319] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.320] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.320] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af2d4*=0x300, lpOverlapped=0x0) returned 1 [0080.323] WriteFile (in: hFile=0x438, lpBuffer=0x65af220*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x65af220*, lpNumberOfBytesWritten=0x65af2d4*=0x80, lpOverlapped=0x0) returned 1 [0080.323] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af2d4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af2d4*=0x4, lpOverlapped=0x0) returned 1 [0080.323] CloseHandle (hObject=0x438) returned 1 [0080.323] GetProcessHeap () returned 0x3a00000 [0080.323] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.323] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe_r00t_{8ew5f6}.ebal") returned 69 [0080.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaws.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\javaws.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\oracle\\java\\javapath\\javaws.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.324] GetProcessHeap () returned 0x3a00000 [0080.324] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.324] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe", cAlternateFileName="")) returned 0 [0080.324] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0080.324] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0080.324] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\java\\javapath\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.325] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.326] CloseHandle (hObject=0x434) returned 1 [0080.326] GetProcessHeap () returned 0x3a00000 [0080.326] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.326] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 1 [0080.326] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Windows") returned -1 [0080.326] lstrcmpiW (lpString1="javapath_target_474984", lpString2="$Recycle.bin") returned 1 [0080.326] lstrcmpiW (lpString1="javapath_target_474984", lpString2="System Volume Information") returned -1 [0080.326] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Program Files") returned -1 [0080.326] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Program Files (x86)") returned -1 [0080.326] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984") returned 53 [0080.326] lstrcmpW (lpString1="javapath_target_474984", lpString2=".") returned 1 [0080.326] lstrcmpW (lpString1="javapath_target_474984", lpString2="..") returned 1 [0080.326] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.326] GetProcessHeap () returned 0x3a00000 [0080.326] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.326] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\*") returned 55 [0080.326] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0080.327] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.327] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.327] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.327] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.327] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.327] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\.") returned 55 [0080.327] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.327] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.327] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.327] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.327] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.327] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.330] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.330] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\..") returned 56 [0080.330] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.330] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.330] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9a23503, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0080.330] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0080.330] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0080.330] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0080.330] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0080.330] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0080.330] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0080.330] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0080.330] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0080.330] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="java.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAEX~1.EBA")) returned 1 [0080.330] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0080.330] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0080.331] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0080.331] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0080.331] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0080.331] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\java.exe_r00t_{8ew5f6}.ebal") returned 81 [0080.331] StrStrIW (lpFirst="java.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0080.331] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaw.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWE~1.EBA")) returned 1 [0080.331] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0080.331] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0080.331] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0080.331] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0080.331] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0080.331] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\javaw.exe_r00t_{8ew5f6}.ebal") returned 82 [0080.331] StrStrIW (lpFirst="javaw.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0080.331] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 1 [0080.331] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0080.331] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0080.331] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0080.331] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0080.331] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0080.331] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\javaws.exe_r00t_{8ew5f6}.ebal") returned 83 [0080.331] StrStrIW (lpFirst="javaws.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0080.331] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 0 [0080.331] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0080.331] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0080.331] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\java\\javapath_target_474984\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.332] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.333] CloseHandle (hObject=0x434) returned 1 [0080.333] GetProcessHeap () returned 0x3a00000 [0080.333] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.333] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 0 [0080.333] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0080.333] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\Java\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0080.333] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\Java\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\java\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.334] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.334] CloseHandle (hObject=0x430) returned 1 [0080.335] GetProcessHeap () returned 0x3a00000 [0080.335] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.335] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Java", cAlternateFileName="")) returned 0 [0080.335] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0080.335] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Oracle\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 57 [0080.335] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Oracle\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\oracle\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0080.335] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0080.336] CloseHandle (hObject=0x42c) returned 1 [0080.336] GetProcessHeap () returned 0x3a00000 [0080.336] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0080.336] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0080.336] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0080.336] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0080.336] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0080.336] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0080.336] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0080.336] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache") returned 32 [0080.336] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0080.336] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0080.336] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.336] GetProcessHeap () returned 0x3a00000 [0080.336] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0080.336] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\*") returned 34 [0080.336] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0080.338] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.338] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.338] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.338] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\.") returned 34 [0080.338] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.338] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.338] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.338] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.338] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.339] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.339] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\..") returned 35 [0080.339] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.339] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.339] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0080.339] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0080.339] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0080.339] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0080.339] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0080.339] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0080.339] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 82 [0080.339] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0080.339] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0080.339] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.339] GetProcessHeap () returned 0x3a00000 [0080.339] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.339] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned 84 [0080.339] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0080.340] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.340] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.340] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.340] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.340] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.340] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\.") returned 84 [0080.340] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.340] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.340] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.340] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.340] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.340] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.340] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.340] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\..") returned 85 [0080.340] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.340] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.340] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.340] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.340] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.340] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.340] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.340] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.340] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 91 [0080.340] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.340] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.340] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.340] GetProcessHeap () returned 0x3a00000 [0080.340] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.340] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned 93 [0080.341] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0080.341] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.341] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.341] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.341] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.341] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.341] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\.") returned 93 [0080.341] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.341] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.341] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.341] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.341] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.341] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.341] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.342] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\..") returned 94 [0080.342] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.342] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.342] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0080.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0080.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0080.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0080.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0080.342] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0080.342] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 112 [0080.342] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0080.342] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0080.342] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.342] GetProcessHeap () returned 0x3a00000 [0080.342] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.342] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0080.342] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0080.342] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.342] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.342] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.342] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.342] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.342] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0080.342] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.342] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.342] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.342] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.342] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.342] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.342] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.342] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0080.342] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.343] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.343] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.343] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.343] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.343] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.343] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.343] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.343] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0080.344] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.344] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.344] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.344] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.344] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.344] GetTickCount () returned 0x115467b [0080.344] GetTickCount () returned 0x115467b [0080.344] GetTickCount () returned 0x115467b [0080.344] GetTickCount () returned 0x115467b [0080.344] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.344] GetProcessHeap () returned 0x3a00000 [0080.344] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.344] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.346] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.346] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.346] GetProcessHeap () returned 0x3a00000 [0080.346] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.346] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.347] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.348] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.348] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.349] CloseHandle (hObject=0x43c) returned 1 [0080.349] GetProcessHeap () returned 0x3a00000 [0080.349] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.349] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 140 [0080.349] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.349] GetProcessHeap () returned 0x3a00000 [0080.349] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.349] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.349] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0080.349] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.350] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0080.350] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0080.350] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.350] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0080.350] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".ebal") returned 0x0 [0080.350] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.350] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="taridd") returned 1 [0080.350] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.350] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.350] GetTickCount () returned 0x115467b [0080.350] GetTickCount () returned 0x115467b [0080.350] GetTickCount () returned 0x115467b [0080.350] GetTickCount () returned 0x115467b [0080.351] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.351] GetProcessHeap () returned 0x3a00000 [0080.351] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.351] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.352] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.352] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.352] GetProcessHeap () returned 0x3a00000 [0080.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.353] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.353] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.436] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.439] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.439] CloseHandle (hObject=0x43c) returned 1 [0080.439] GetProcessHeap () returned 0x3a00000 [0080.439] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.439] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 157 [0080.439] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.440] GetProcessHeap () returned 0x3a00000 [0080.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.440] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.440] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0080.440] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 144 [0080.440] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.442] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.443] CloseHandle (hObject=0x438) returned 1 [0080.443] GetProcessHeap () returned 0x3a00000 [0080.443] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.443] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0080.443] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0080.443] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.444] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.445] CloseHandle (hObject=0x434) returned 1 [0080.445] GetProcessHeap () returned 0x3a00000 [0080.445] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.445] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.445] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0080.445] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.445] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.445] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.446] CloseHandle (hObject=0x430) returned 1 [0080.446] GetProcessHeap () returned 0x3a00000 [0080.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.446] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0080.446] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0080.446] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0080.446] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0080.446] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0080.446] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0080.447] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 71 [0080.447] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0080.447] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0080.447] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.447] GetProcessHeap () returned 0x3a00000 [0080.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.447] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned 73 [0080.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0080.447] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.447] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.447] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.447] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.447] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.447] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\.") returned 73 [0080.447] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.447] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.448] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\..") returned 74 [0080.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.448] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x354d9570, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0080.448] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0080.448] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0080.448] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0080.448] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0080.448] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0080.448] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm") returned 81 [0080.448] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0080.448] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.448] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0080.448] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.448] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.448] GetTickCount () returned 0x11546d9 [0080.448] GetTickCount () returned 0x11546d9 [0080.448] GetTickCount () returned 0x11546d9 [0080.448] GetTickCount () returned 0x11546d9 [0080.448] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.449] GetProcessHeap () returned 0x3a00000 [0080.449] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.449] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x272, lpOverlapped=0x0) returned 1 [0080.450] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.450] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x272, lpOverlapped=0x0) returned 1 [0080.450] GetProcessHeap () returned 0x3a00000 [0080.450] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.450] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.450] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.450] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.451] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.451] CloseHandle (hObject=0x434) returned 1 [0080.451] GetProcessHeap () returned 0x3a00000 [0080.451] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.451] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0080.451] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0080.455] GetProcessHeap () returned 0x3a00000 [0080.455] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.455] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0080.455] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0080.455] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0080.455] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0080.455] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0080.455] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0080.455] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe") returned 88 [0080.455] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch=".ebal") returned 0x0 [0080.455] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.455] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="taridd") returned 1 [0080.455] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.455] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.456] GetTickCount () returned 0x11546e9 [0080.456] GetTickCount () returned 0x11546e9 [0080.456] GetTickCount () returned 0x11546e9 [0080.456] GetTickCount () returned 0x11546e9 [0080.456] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.456] GetProcessHeap () returned 0x3a00000 [0080.456] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.456] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.458] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.458] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.458] GetProcessHeap () returned 0x3a00000 [0080.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.458] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.458] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.460] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.460] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.460] CloseHandle (hObject=0x434) returned 1 [0080.460] GetProcessHeap () returned 0x3a00000 [0080.460] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.460] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal") returned 107 [0080.460] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.462] GetProcessHeap () returned 0x3a00000 [0080.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.462] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0080.462] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0080.462] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0080.462] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.462] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.463] CloseHandle (hObject=0x430) returned 1 [0080.463] GetProcessHeap () returned 0x3a00000 [0080.463] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.463] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0080.463] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0080.463] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0080.463] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0080.463] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0080.463] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0080.463] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 82 [0080.464] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0080.464] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0080.464] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.464] GetProcessHeap () returned 0x3a00000 [0080.464] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.464] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned 84 [0080.464] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0080.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.464] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.464] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.464] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.464] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.464] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\.") returned 84 [0080.464] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.464] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.465] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\..") returned 85 [0080.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.465] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.465] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.465] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.465] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.465] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.465] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.465] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 91 [0080.465] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.465] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.465] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.465] GetProcessHeap () returned 0x3a00000 [0080.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.465] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned 93 [0080.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0080.467] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.467] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.467] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.467] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.467] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\.") returned 93 [0080.467] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.467] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.467] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.467] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.467] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.467] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.467] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\..") returned 94 [0080.467] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.467] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.467] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.467] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0080.468] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0080.468] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0080.468] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0080.468] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0080.468] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 117 [0080.468] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0080.468] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0080.468] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.468] GetProcessHeap () returned 0x3a00000 [0080.468] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.468] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0080.468] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0080.469] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.469] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.469] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.469] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.469] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.469] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0080.469] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.469] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.469] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.469] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.469] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.469] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.469] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.469] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0080.469] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.469] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.469] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb69f0b00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xb69f0b00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xb69f0b00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.469] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.469] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.469] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.469] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.469] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.469] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0080.469] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.469] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.469] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.469] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.469] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.470] GetTickCount () returned 0x11546f8 [0080.470] GetTickCount () returned 0x11546f8 [0080.470] GetTickCount () returned 0x11546f8 [0080.470] GetTickCount () returned 0x11546f8 [0080.470] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.470] GetProcessHeap () returned 0x3a00000 [0080.470] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.470] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.473] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.473] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.473] GetProcessHeap () returned 0x3a00000 [0080.473] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.473] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.473] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.475] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.475] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.475] CloseHandle (hObject=0x43c) returned 1 [0080.475] GetProcessHeap () returned 0x3a00000 [0080.475] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 145 [0080.475] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.476] GetProcessHeap () returned 0x3a00000 [0080.476] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.476] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0080.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0080.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0080.476] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.476] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0080.476] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".ebal") returned 0x0 [0080.476] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.476] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="taridd") returned 1 [0080.476] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.476] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.477] GetTickCount () returned 0x11546f8 [0080.477] GetTickCount () returned 0x11546f8 [0080.477] GetTickCount () returned 0x11546f8 [0080.477] GetTickCount () returned 0x11546f8 [0080.477] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.477] GetProcessHeap () returned 0x3a00000 [0080.477] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.477] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.492] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.492] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.493] GetProcessHeap () returned 0x3a00000 [0080.493] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.493] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.493] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.493] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.493] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.494] CloseHandle (hObject=0x43c) returned 1 [0080.494] GetProcessHeap () returned 0x3a00000 [0080.494] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.494] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 165 [0080.494] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.496] GetProcessHeap () returned 0x3a00000 [0080.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.496] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.496] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0080.496] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 149 [0080.496] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.496] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.497] CloseHandle (hObject=0x438) returned 1 [0080.497] GetProcessHeap () returned 0x3a00000 [0080.497] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.497] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.497] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0080.497] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.497] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.498] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.499] CloseHandle (hObject=0x434) returned 1 [0080.499] GetProcessHeap () returned 0x3a00000 [0080.499] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.499] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.499] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0080.499] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.500] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.500] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.501] CloseHandle (hObject=0x430) returned 1 [0080.501] GetProcessHeap () returned 0x3a00000 [0080.501] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.501] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0080.501] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0080.501] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$Recycle.bin") returned 1 [0080.501] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0080.501] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0080.501] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0080.501] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 71 [0080.501] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0080.501] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0080.501] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.501] GetProcessHeap () returned 0x3a00000 [0080.501] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.501] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned 73 [0080.501] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0080.502] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.502] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.502] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.502] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.502] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\.") returned 73 [0080.502] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.502] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.502] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.502] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.502] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.502] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.502] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\..") returned 74 [0080.502] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.502] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.502] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40b2b5b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd40b2b5b, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3639a1f2, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0080.502] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0080.502] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0080.502] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0080.502] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0080.502] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0080.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm") returned 81 [0080.503] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0080.503] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.503] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0080.503] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.503] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.503] GetTickCount () returned 0x1154717 [0080.503] GetTickCount () returned 0x1154717 [0080.503] GetTickCount () returned 0x1154717 [0080.503] GetTickCount () returned 0x1154717 [0080.503] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.504] GetProcessHeap () returned 0x3a00000 [0080.504] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.504] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x27e, lpOverlapped=0x0) returned 1 [0080.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.505] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x27e, lpOverlapped=0x0) returned 1 [0080.505] GetProcessHeap () returned 0x3a00000 [0080.505] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.505] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.506] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.506] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.506] CloseHandle (hObject=0x434) returned 1 [0080.506] GetProcessHeap () returned 0x3a00000 [0080.506] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.506] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0080.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0080.507] GetProcessHeap () returned 0x3a00000 [0080.507] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.507] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0080.507] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0080.507] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0080.507] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0080.507] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0080.507] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0080.507] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe") returned 88 [0080.507] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch=".ebal") returned 0x0 [0080.507] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.507] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="taridd") returned 1 [0080.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.508] GetTickCount () returned 0x1154717 [0080.508] GetTickCount () returned 0x1154717 [0080.508] GetTickCount () returned 0x1154717 [0080.508] GetTickCount () returned 0x1154717 [0080.508] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.508] GetProcessHeap () returned 0x3a00000 [0080.508] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.508] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.513] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.513] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.513] GetProcessHeap () returned 0x3a00000 [0080.513] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.513] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.513] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.519] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.519] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.519] CloseHandle (hObject=0x434) returned 1 [0080.520] GetProcessHeap () returned 0x3a00000 [0080.520] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.520] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal") returned 107 [0080.520] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.523] GetProcessHeap () returned 0x3a00000 [0080.523] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.523] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0080.523] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0080.523] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0080.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.524] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.525] CloseHandle (hObject=0x430) returned 1 [0080.525] GetProcessHeap () returned 0x3a00000 [0080.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.525] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0080.525] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0080.525] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0080.525] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0080.525] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0080.525] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0080.525] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 83 [0080.525] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0080.525] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0080.525] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.525] GetProcessHeap () returned 0x3a00000 [0080.525] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.525] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned 85 [0080.525] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0080.527] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.527] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.527] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.527] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.527] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.527] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\.") returned 85 [0080.527] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.527] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.527] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.527] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.527] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.527] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.527] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.527] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\..") returned 86 [0080.528] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.528] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.528] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.528] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.528] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.528] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.528] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.528] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.528] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 92 [0080.528] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.528] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.528] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.528] GetProcessHeap () returned 0x3a00000 [0080.528] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.528] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned 94 [0080.528] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0080.528] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.528] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.528] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.528] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.528] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.528] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\.") returned 94 [0080.528] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.528] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.528] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.528] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.528] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.528] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.528] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.529] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\..") returned 95 [0080.529] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.529] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.529] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0080.529] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0080.529] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0080.529] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0080.529] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0080.529] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0080.529] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 113 [0080.529] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0080.529] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0080.529] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.529] GetProcessHeap () returned 0x3a00000 [0080.529] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.529] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned 115 [0080.529] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0080.529] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.529] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.529] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.529] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.529] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.529] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\.") returned 115 [0080.529] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.529] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.529] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.529] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.529] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.529] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.529] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.529] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\..") returned 116 [0080.530] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.530] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.530] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf81cb00, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xdf81cb00, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xdf81cb00, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.530] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.530] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.530] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.530] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.530] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.530] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 122 [0080.530] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.530] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.530] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.530] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.530] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.530] GetTickCount () returned 0x1154737 [0080.530] GetTickCount () returned 0x1154737 [0080.530] GetTickCount () returned 0x1154737 [0080.530] GetTickCount () returned 0x1154737 [0080.531] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.531] GetProcessHeap () returned 0x3a00000 [0080.531] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.531] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.534] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.534] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.534] GetProcessHeap () returned 0x3a00000 [0080.534] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.534] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.534] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.537] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.537] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.538] CloseHandle (hObject=0x43c) returned 1 [0080.538] GetProcessHeap () returned 0x3a00000 [0080.538] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.538] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 141 [0080.538] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.538] GetProcessHeap () returned 0x3a00000 [0080.538] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.538] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.538] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0080.539] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.539] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0080.539] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0080.539] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.539] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 139 [0080.539] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".ebal") returned 0x0 [0080.539] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.539] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="taridd") returned 1 [0080.539] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.539] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.539] GetTickCount () returned 0x1154737 [0080.539] GetTickCount () returned 0x1154737 [0080.539] GetTickCount () returned 0x1154737 [0080.539] GetTickCount () returned 0x1154737 [0080.539] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.539] GetProcessHeap () returned 0x3a00000 [0080.539] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.539] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.542] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.542] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.563] GetProcessHeap () returned 0x3a00000 [0080.563] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.563] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.563] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.564] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.564] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.564] CloseHandle (hObject=0x43c) returned 1 [0080.564] GetProcessHeap () returned 0x3a00000 [0080.564] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.564] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 158 [0080.564] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.565] GetProcessHeap () returned 0x3a00000 [0080.565] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.565] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.565] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0080.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 145 [0080.565] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.567] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.567] CloseHandle (hObject=0x438) returned 1 [0080.568] GetProcessHeap () returned 0x3a00000 [0080.568] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.568] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0080.568] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0080.568] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0080.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.576] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.577] CloseHandle (hObject=0x434) returned 1 [0080.577] GetProcessHeap () returned 0x3a00000 [0080.577] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.577] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.577] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0080.577] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0080.577] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.578] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.579] CloseHandle (hObject=0x430) returned 1 [0080.579] GetProcessHeap () returned 0x3a00000 [0080.579] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.579] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0080.579] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0080.579] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0080.579] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0080.579] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0080.579] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0080.579] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 83 [0080.579] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0080.579] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0080.579] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.579] GetProcessHeap () returned 0x3a00000 [0080.579] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.579] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned 85 [0080.579] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0080.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.580] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.580] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.580] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.580] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.580] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\.") returned 85 [0080.580] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.580] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.580] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.580] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.580] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.580] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.580] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.580] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\..") returned 86 [0080.580] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.580] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.580] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.580] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.580] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.580] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.580] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.580] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.580] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 92 [0080.580] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.580] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.580] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.580] GetProcessHeap () returned 0x3a00000 [0080.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.580] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned 94 [0080.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0080.581] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.581] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.581] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.581] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.581] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.581] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\.") returned 94 [0080.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.581] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.581] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.581] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.581] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.581] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.581] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.581] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\..") returned 95 [0080.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.581] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0080.581] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0080.581] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0080.581] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0080.581] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0080.581] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0080.581] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 116 [0080.581] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0080.581] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0080.581] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.581] GetProcessHeap () returned 0x3a00000 [0080.581] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.582] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned 118 [0080.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0080.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.582] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.582] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\.") returned 118 [0080.582] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.582] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.582] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.582] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.582] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.582] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.582] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.582] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\..") returned 119 [0080.582] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.582] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.582] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.582] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.582] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.582] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.582] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.582] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.582] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 125 [0080.582] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.582] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.582] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.582] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.583] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.583] GetTickCount () returned 0x1154766 [0080.583] GetTickCount () returned 0x1154766 [0080.583] GetTickCount () returned 0x1154766 [0080.583] GetTickCount () returned 0x1154766 [0080.583] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.583] GetProcessHeap () returned 0x3a00000 [0080.583] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.583] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.585] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.586] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.586] GetProcessHeap () returned 0x3a00000 [0080.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.586] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.586] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.588] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.588] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.588] CloseHandle (hObject=0x43c) returned 1 [0080.588] GetProcessHeap () returned 0x3a00000 [0080.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.588] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 144 [0080.588] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.589] GetProcessHeap () returned 0x3a00000 [0080.589] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.589] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.589] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0080.589] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.589] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0080.589] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0080.589] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.589] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 145 [0080.589] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".ebal") returned 0x0 [0080.589] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.589] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="taridd") returned 1 [0080.589] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.589] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.590] GetTickCount () returned 0x1154766 [0080.590] GetTickCount () returned 0x1154766 [0080.590] GetTickCount () returned 0x1154766 [0080.590] GetTickCount () returned 0x1154766 [0080.590] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.590] GetProcessHeap () returned 0x3a00000 [0080.590] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.590] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.592] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.592] GetProcessHeap () returned 0x3a00000 [0080.592] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.592] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.592] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.593] CloseHandle (hObject=0x43c) returned 1 [0080.593] GetProcessHeap () returned 0x3a00000 [0080.593] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.593] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 164 [0080.593] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.594] GetProcessHeap () returned 0x3a00000 [0080.594] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.594] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.594] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0080.594] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 148 [0080.594] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.595] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.596] CloseHandle (hObject=0x438) returned 1 [0080.596] GetProcessHeap () returned 0x3a00000 [0080.596] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.596] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0080.597] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0080.597] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0080.597] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.597] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.598] CloseHandle (hObject=0x434) returned 1 [0080.598] GetProcessHeap () returned 0x3a00000 [0080.598] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.598] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.598] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0080.598] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0080.598] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.610] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.611] CloseHandle (hObject=0x430) returned 1 [0080.611] GetProcessHeap () returned 0x3a00000 [0080.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.611] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0080.611] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0080.611] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0080.612] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0080.612] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0080.612] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0080.612] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 83 [0080.612] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0080.612] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0080.612] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.612] GetProcessHeap () returned 0x3a00000 [0080.612] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.612] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned 85 [0080.612] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0080.614] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.614] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.614] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.614] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.614] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.614] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\.") returned 85 [0080.614] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.614] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.614] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.614] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.614] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.614] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.614] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.614] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\..") returned 86 [0080.614] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.614] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.614] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.614] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.614] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.614] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.614] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.614] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.614] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 92 [0080.614] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.614] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.614] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.614] GetProcessHeap () returned 0x3a00000 [0080.615] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.615] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned 94 [0080.615] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0080.615] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.615] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.615] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.615] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.615] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.615] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\.") returned 94 [0080.615] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.615] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.615] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.615] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.615] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.615] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.615] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.615] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\..") returned 95 [0080.615] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.615] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.615] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.615] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0080.615] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0080.615] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0080.615] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0080.615] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0080.615] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 115 [0080.615] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0080.615] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0080.615] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.616] GetProcessHeap () returned 0x3a00000 [0080.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned 117 [0080.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0080.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\.") returned 117 [0080.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.616] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.616] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\..") returned 118 [0080.616] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.616] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.616] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.616] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.616] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.617] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.617] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.617] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.617] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 124 [0080.617] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.617] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.617] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.617] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.617] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.617] GetTickCount () returned 0x1154785 [0080.617] GetTickCount () returned 0x1154785 [0080.617] GetTickCount () returned 0x1154785 [0080.617] GetTickCount () returned 0x1154785 [0080.617] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.617] GetProcessHeap () returned 0x3a00000 [0080.617] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.617] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.619] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.619] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.619] GetProcessHeap () returned 0x3a00000 [0080.619] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.619] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.620] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.621] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.621] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.622] CloseHandle (hObject=0x43c) returned 1 [0080.622] GetProcessHeap () returned 0x3a00000 [0080.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.622] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 143 [0080.622] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.622] GetProcessHeap () returned 0x3a00000 [0080.622] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.622] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.623] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0080.623] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.623] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0080.623] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0080.623] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.623] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 141 [0080.623] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".ebal") returned 0x0 [0080.623] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.623] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="taridd") returned 1 [0080.623] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.623] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.624] GetTickCount () returned 0x1154785 [0080.624] GetTickCount () returned 0x1154785 [0080.624] GetTickCount () returned 0x1154785 [0080.624] GetTickCount () returned 0x1154785 [0080.624] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.624] GetProcessHeap () returned 0x3a00000 [0080.624] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.624] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.626] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.626] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.626] GetProcessHeap () returned 0x3a00000 [0080.626] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.626] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.626] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.627] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.627] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.627] CloseHandle (hObject=0x43c) returned 1 [0080.627] GetProcessHeap () returned 0x3a00000 [0080.627] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.627] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 160 [0080.627] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.628] GetProcessHeap () returned 0x3a00000 [0080.628] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.628] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.628] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0080.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 147 [0080.628] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.630] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.630] CloseHandle (hObject=0x438) returned 1 [0080.631] GetProcessHeap () returned 0x3a00000 [0080.631] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.631] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.631] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0080.631] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0080.631] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.631] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.632] CloseHandle (hObject=0x434) returned 1 [0080.632] GetProcessHeap () returned 0x3a00000 [0080.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.632] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.632] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0080.632] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0080.632] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.633] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.634] CloseHandle (hObject=0x430) returned 1 [0080.634] GetProcessHeap () returned 0x3a00000 [0080.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.634] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0080.634] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0080.634] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0080.634] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0080.634] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0080.634] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0080.634] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 82 [0080.634] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0080.634] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0080.634] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.634] GetProcessHeap () returned 0x3a00000 [0080.634] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.634] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned 84 [0080.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0080.635] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.635] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\.") returned 84 [0080.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.635] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.635] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\..") returned 85 [0080.635] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.635] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.635] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.635] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.635] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.635] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.635] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.635] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 91 [0080.635] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.635] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.635] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.636] GetProcessHeap () returned 0x3a00000 [0080.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.636] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned 93 [0080.636] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0080.636] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.636] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.636] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.636] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.636] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.636] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\.") returned 93 [0080.636] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.636] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.636] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.636] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.636] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.636] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.636] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.636] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\..") returned 94 [0080.636] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.636] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.636] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.636] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0080.636] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0080.636] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0080.636] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0080.636] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0080.636] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 117 [0080.636] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0080.636] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0080.636] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.637] GetProcessHeap () returned 0x3a00000 [0080.637] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.637] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned 119 [0080.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0080.637] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.637] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.637] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.637] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.637] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.637] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\.") returned 119 [0080.637] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.637] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.637] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.637] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.637] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.637] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.637] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.637] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\..") returned 120 [0080.637] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.637] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8abe5b00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x8abe5b00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x8abe5b00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.637] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.637] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.637] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.637] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.637] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.637] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 126 [0080.637] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.638] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.638] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.638] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.638] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.638] GetTickCount () returned 0x1154794 [0080.638] GetTickCount () returned 0x1154794 [0080.638] GetTickCount () returned 0x1154794 [0080.638] GetTickCount () returned 0x1154794 [0080.639] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.639] GetProcessHeap () returned 0x3a00000 [0080.639] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.639] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.641] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.641] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.641] GetProcessHeap () returned 0x3a00000 [0080.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.641] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.641] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.643] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.643] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.643] CloseHandle (hObject=0x43c) returned 1 [0080.643] GetProcessHeap () returned 0x3a00000 [0080.643] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.643] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 145 [0080.644] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.644] GetProcessHeap () returned 0x3a00000 [0080.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.644] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.644] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0080.644] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.644] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0080.644] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0080.644] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.644] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 146 [0080.644] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".ebal") returned 0x0 [0080.644] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.644] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="taridd") returned 1 [0080.645] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.645] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.645] GetTickCount () returned 0x11547a4 [0080.645] GetTickCount () returned 0x11547a4 [0080.645] GetTickCount () returned 0x11547a4 [0080.645] GetTickCount () returned 0x11547a4 [0080.645] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.646] GetProcessHeap () returned 0x3a00000 [0080.646] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.646] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.647] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.647] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.647] GetProcessHeap () returned 0x3a00000 [0080.648] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.648] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.648] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.671] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.672] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.672] CloseHandle (hObject=0x43c) returned 1 [0080.672] GetProcessHeap () returned 0x3a00000 [0080.672] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.672] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 165 [0080.672] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.674] GetProcessHeap () returned 0x3a00000 [0080.674] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.674] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.674] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0080.674] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 149 [0080.674] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.675] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.676] CloseHandle (hObject=0x438) returned 1 [0080.676] GetProcessHeap () returned 0x3a00000 [0080.676] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.677] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.677] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0080.677] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.677] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.677] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.678] CloseHandle (hObject=0x434) returned 1 [0080.678] GetProcessHeap () returned 0x3a00000 [0080.678] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.678] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.678] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0080.678] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.678] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.679] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.680] CloseHandle (hObject=0x430) returned 1 [0080.680] GetProcessHeap () returned 0x3a00000 [0080.680] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.680] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0080.680] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0080.680] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0080.680] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0080.680] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0080.680] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0080.680] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 82 [0080.680] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0080.680] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0080.680] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.680] GetProcessHeap () returned 0x3a00000 [0080.680] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.680] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned 84 [0080.680] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0080.680] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.680] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.680] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.680] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.680] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.680] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\.") returned 84 [0080.680] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.680] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.680] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.681] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\..") returned 85 [0080.681] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.681] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.681] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.681] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.681] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 91 [0080.681] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.681] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.681] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.681] GetProcessHeap () returned 0x3a00000 [0080.681] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.681] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned 93 [0080.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0080.681] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.681] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.681] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.681] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\.") returned 93 [0080.681] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.681] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.682] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.682] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.682] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.682] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.682] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.682] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\..") returned 94 [0080.682] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.682] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.682] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.682] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0080.682] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0080.682] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0080.682] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0080.682] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0080.682] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 114 [0080.682] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0080.682] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0080.682] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.682] GetProcessHeap () returned 0x3a00000 [0080.682] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.682] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0080.682] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0080.682] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.682] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.682] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.682] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.682] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.682] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0080.682] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.682] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.682] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.683] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.683] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.683] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.683] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.683] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0080.683] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.683] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.683] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898d2e00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x898d2e00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x898d2e00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.683] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.683] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.683] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.683] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.683] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.683] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0080.683] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.683] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.683] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.683] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.683] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.683] GetTickCount () returned 0x11547c3 [0080.683] GetTickCount () returned 0x11547c3 [0080.683] GetTickCount () returned 0x11547c3 [0080.683] GetTickCount () returned 0x11547c3 [0080.683] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.684] GetProcessHeap () returned 0x3a00000 [0080.684] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.684] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.685] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.685] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.686] GetProcessHeap () returned 0x3a00000 [0080.686] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.686] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.686] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.688] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.688] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.688] CloseHandle (hObject=0x43c) returned 1 [0080.688] GetProcessHeap () returned 0x3a00000 [0080.688] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.688] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 142 [0080.688] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.689] GetProcessHeap () returned 0x3a00000 [0080.689] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.689] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.689] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0080.689] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.689] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0080.689] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0080.689] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.689] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0080.689] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".ebal") returned 0x0 [0080.689] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.689] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="taridd") returned 1 [0080.689] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.689] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.690] GetTickCount () returned 0x11547d3 [0080.690] GetTickCount () returned 0x11547d3 [0080.690] GetTickCount () returned 0x11547d3 [0080.690] GetTickCount () returned 0x11547d3 [0080.690] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.690] GetProcessHeap () returned 0x3a00000 [0080.690] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.690] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.692] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.692] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.692] GetProcessHeap () returned 0x3a00000 [0080.692] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.692] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.692] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.693] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.693] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.693] CloseHandle (hObject=0x43c) returned 1 [0080.693] GetProcessHeap () returned 0x3a00000 [0080.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.693] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 159 [0080.693] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.694] GetProcessHeap () returned 0x3a00000 [0080.694] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.694] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.694] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0080.694] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 146 [0080.694] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.696] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.697] CloseHandle (hObject=0x438) returned 1 [0080.697] GetProcessHeap () returned 0x3a00000 [0080.697] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.697] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.697] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0080.697] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.697] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.698] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.698] CloseHandle (hObject=0x434) returned 1 [0080.699] GetProcessHeap () returned 0x3a00000 [0080.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.699] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.699] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0080.699] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.699] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.699] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.700] CloseHandle (hObject=0x430) returned 1 [0080.700] GetProcessHeap () returned 0x3a00000 [0080.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.700] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0080.700] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0080.700] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0080.700] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0080.700] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0080.700] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0080.700] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 82 [0080.700] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0080.700] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0080.700] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.700] GetProcessHeap () returned 0x3a00000 [0080.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.700] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned 84 [0080.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0080.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.701] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\.") returned 84 [0080.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.701] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.701] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\..") returned 85 [0080.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.701] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.701] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.701] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.702] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.702] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.702] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.702] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 91 [0080.702] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.702] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.702] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.702] GetProcessHeap () returned 0x3a00000 [0080.702] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.702] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned 93 [0080.702] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0080.702] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.702] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.702] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.702] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.702] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.702] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\.") returned 93 [0080.702] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.702] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.702] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.702] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.702] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.702] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.703] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.703] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\..") returned 94 [0080.703] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.703] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.703] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0080.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0080.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0080.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0080.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0080.703] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0080.703] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 115 [0080.703] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0080.703] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0080.703] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.703] GetProcessHeap () returned 0x3a00000 [0080.703] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.703] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0080.703] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0080.703] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.703] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.703] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.703] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.703] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.703] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0080.703] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.703] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.703] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.704] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.704] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.704] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0080.704] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.704] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.704] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1a600, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x98d1a600, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x98d1a600, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.704] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.704] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.704] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.704] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0080.704] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.704] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.704] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.704] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.704] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.705] GetTickCount () returned 0x11547e3 [0080.705] GetTickCount () returned 0x11547e3 [0080.705] GetTickCount () returned 0x11547e3 [0080.705] GetTickCount () returned 0x11547e3 [0080.705] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.705] GetProcessHeap () returned 0x3a00000 [0080.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.705] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.707] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.707] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.707] GetProcessHeap () returned 0x3a00000 [0080.707] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.707] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.707] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.714] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.715] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.715] CloseHandle (hObject=0x43c) returned 1 [0080.715] GetProcessHeap () returned 0x3a00000 [0080.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.715] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 143 [0080.715] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.716] GetProcessHeap () returned 0x3a00000 [0080.716] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.716] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.716] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0080.716] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.716] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0080.716] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0080.716] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.716] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0080.716] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".ebal") returned 0x0 [0080.716] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.716] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="taridd") returned 1 [0080.716] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.716] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.719] GetTickCount () returned 0x11547f2 [0080.719] GetTickCount () returned 0x11547f2 [0080.720] GetTickCount () returned 0x11547f2 [0080.720] GetTickCount () returned 0x11547f2 [0080.720] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.720] GetProcessHeap () returned 0x3a00000 [0080.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.720] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.723] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.724] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.724] GetProcessHeap () returned 0x3a00000 [0080.724] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.724] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.724] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.725] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.725] CloseHandle (hObject=0x43c) returned 1 [0080.725] GetProcessHeap () returned 0x3a00000 [0080.725] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.725] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 163 [0080.725] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.726] GetProcessHeap () returned 0x3a00000 [0080.726] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.726] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.726] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0080.726] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 147 [0080.726] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.730] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.731] CloseHandle (hObject=0x438) returned 1 [0080.731] GetProcessHeap () returned 0x3a00000 [0080.731] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.731] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0080.731] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0080.731] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.731] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.731] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.732] CloseHandle (hObject=0x434) returned 1 [0080.732] GetProcessHeap () returned 0x3a00000 [0080.732] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.732] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.732] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0080.732] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.732] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.737] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.738] CloseHandle (hObject=0x430) returned 1 [0080.738] GetProcessHeap () returned 0x3a00000 [0080.738] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.738] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0080.738] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0080.738] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0080.738] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0080.738] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0080.738] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0080.738] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 82 [0080.738] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0080.738] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0080.738] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.738] GetProcessHeap () returned 0x3a00000 [0080.738] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.738] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned 84 [0080.738] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0080.738] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.738] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.738] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.738] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.738] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.738] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\.") returned 84 [0080.738] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.738] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.738] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.739] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\..") returned 85 [0080.739] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.739] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.739] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.739] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.739] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.739] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 91 [0080.739] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.739] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.739] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.739] GetProcessHeap () returned 0x3a00000 [0080.739] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.739] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned 93 [0080.739] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0080.739] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.739] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.739] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.739] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\.") returned 93 [0080.739] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.739] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.739] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.739] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.740] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.740] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.740] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.740] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\..") returned 94 [0080.740] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.740] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.740] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0080.740] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0080.740] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0080.740] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0080.740] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0080.740] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0080.740] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 112 [0080.740] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0080.740] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0080.740] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.740] GetProcessHeap () returned 0x3a00000 [0080.740] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.740] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned 114 [0080.740] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0080.740] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.740] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.740] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.740] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.740] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.740] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\.") returned 114 [0080.740] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.740] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.741] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.741] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.741] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.741] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.741] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.741] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\..") returned 115 [0080.741] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.741] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.741] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966f4c00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x966f4c00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x966f4c00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.741] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.741] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.741] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.741] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.741] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.741] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab") returned 121 [0080.741] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.741] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.741] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.741] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.741] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.741] GetTickCount () returned 0x1154802 [0080.741] GetTickCount () returned 0x1154802 [0080.741] GetTickCount () returned 0x1154802 [0080.741] GetTickCount () returned 0x1154802 [0080.741] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.742] GetProcessHeap () returned 0x3a00000 [0080.742] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.742] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.745] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.745] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.745] GetProcessHeap () returned 0x3a00000 [0080.745] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.745] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.746] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.747] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.747] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.747] CloseHandle (hObject=0x43c) returned 1 [0080.751] GetProcessHeap () returned 0x3a00000 [0080.751] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.751] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 140 [0080.751] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.752] GetProcessHeap () returned 0x3a00000 [0080.752] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.752] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.752] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Windows") returned -1 [0080.752] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$Recycle.bin") returned 1 [0080.752] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="System Volume Information") returned 1 [0080.752] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files") returned 1 [0080.752] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="Program Files (x86)") returned 1 [0080.752] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi") returned 138 [0080.752] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi", lpSrch=".ebal") returned 0x0 [0080.752] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.752] lstrcmpW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="taridd") returned 1 [0080.752] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.752] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.753] GetTickCount () returned 0x1154811 [0080.753] GetTickCount () returned 0x1154811 [0080.753] GetTickCount () returned 0x1154811 [0080.753] GetTickCount () returned 0x1154811 [0080.753] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.753] GetProcessHeap () returned 0x3a00000 [0080.753] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.753] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.755] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.755] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.755] GetProcessHeap () returned 0x3a00000 [0080.755] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.755] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.755] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.756] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.756] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.756] CloseHandle (hObject=0x43c) returned 1 [0080.756] GetProcessHeap () returned 0x3a00000 [0080.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 157 [0080.756] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\vc_runtimeminimum_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.757] GetProcessHeap () returned 0x3a00000 [0080.757] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.757] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.757] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0080.757] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 144 [0080.757] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.759] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.760] CloseHandle (hObject=0x438) returned 1 [0080.760] GetProcessHeap () returned 0x3a00000 [0080.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.760] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0080.760] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0080.760] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.760] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.760] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.761] CloseHandle (hObject=0x434) returned 1 [0080.761] GetProcessHeap () returned 0x3a00000 [0080.761] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.761] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.761] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0080.761] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.761] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.762] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.763] CloseHandle (hObject=0x430) returned 1 [0080.763] GetProcessHeap () returned 0x3a00000 [0080.763] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.763] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0080.763] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0080.763] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0080.763] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0080.763] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0080.763] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0080.763] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 71 [0080.763] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0080.763] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0080.763] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.763] GetProcessHeap () returned 0x3a00000 [0080.763] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.763] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned 73 [0080.763] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0080.763] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.763] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.763] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.763] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.763] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.764] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\.") returned 73 [0080.764] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.764] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.764] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.764] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.764] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.764] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.764] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.764] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\..") returned 74 [0080.764] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.764] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.764] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x359ea6b6, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0080.764] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0080.764] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0080.764] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0080.764] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0080.764] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0080.764] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm") returned 81 [0080.764] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0080.764] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.764] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0080.764] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.764] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.773] GetTickCount () returned 0x1154821 [0080.773] GetTickCount () returned 0x1154821 [0080.773] GetTickCount () returned 0x1154821 [0080.773] GetTickCount () returned 0x1154821 [0080.773] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.773] GetProcessHeap () returned 0x3a00000 [0080.773] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.773] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x272, lpOverlapped=0x0) returned 1 [0080.774] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd8e, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.774] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x272, lpOverlapped=0x0) returned 1 [0080.775] GetProcessHeap () returned 0x3a00000 [0080.775] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.775] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.775] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.776] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.776] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.776] CloseHandle (hObject=0x434) returned 1 [0080.776] GetProcessHeap () returned 0x3a00000 [0080.776] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.776] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0080.776] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0080.777] GetProcessHeap () returned 0x3a00000 [0080.777] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.777] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0080.777] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Windows") returned -1 [0080.777] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$Recycle.bin") returned 1 [0080.777] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="System Volume Information") returned 1 [0080.777] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files") returned 1 [0080.777] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="Program Files (x86)") returned 1 [0080.777] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe") returned 88 [0080.777] StrStrIW (lpFirst="vcredist_x64.exe", lpSrch=".ebal") returned 0x0 [0080.777] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.777] lstrcmpW (lpString1="vcredist_x64.exe", lpString2="taridd") returned 1 [0080.777] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.777] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.778] GetTickCount () returned 0x1154821 [0080.778] GetTickCount () returned 0x1154821 [0080.778] GetTickCount () returned 0x1154821 [0080.778] GetTickCount () returned 0x1154821 [0080.778] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.778] GetProcessHeap () returned 0x3a00000 [0080.778] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.778] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.780] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.780] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.829] GetProcessHeap () returned 0x3a00000 [0080.829] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.829] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.829] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.831] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.831] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.831] CloseHandle (hObject=0x434) returned 1 [0080.831] GetProcessHeap () returned 0x3a00000 [0080.831] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.831] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal") returned 107 [0080.831] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.833] GetProcessHeap () returned 0x3a00000 [0080.833] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.833] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0080.833] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0080.833] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0080.833] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.834] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.835] CloseHandle (hObject=0x430) returned 1 [0080.835] GetProcessHeap () returned 0x3a00000 [0080.835] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.835] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0080.835] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0080.836] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0080.836] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0080.836] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0080.836] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0080.836] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 82 [0080.836] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0080.836] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0080.836] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.836] GetProcessHeap () returned 0x3a00000 [0080.836] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.836] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned 84 [0080.836] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0080.836] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.836] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.836] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.836] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.836] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.836] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\.") returned 84 [0080.836] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.836] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.836] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.836] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.836] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.836] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.836] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.836] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\..") returned 85 [0080.836] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.836] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.836] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.836] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.837] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.837] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.837] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.837] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.837] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 91 [0080.837] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.837] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.837] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.837] GetProcessHeap () returned 0x3a00000 [0080.837] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.837] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned 93 [0080.837] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0080.837] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.837] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.837] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.837] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.837] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.837] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\.") returned 93 [0080.837] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.837] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.837] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.837] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.837] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.837] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.837] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.837] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\..") returned 94 [0080.837] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.837] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.837] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.838] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0080.838] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0080.838] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0080.838] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0080.838] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0080.838] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 114 [0080.838] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0080.838] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0080.838] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.838] GetProcessHeap () returned 0x3a00000 [0080.838] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned 116 [0080.838] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0080.838] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.838] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.838] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.838] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.838] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\.") returned 116 [0080.838] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.838] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.838] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.838] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.838] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.838] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.838] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\..") returned 117 [0080.838] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.838] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.838] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4bd6800, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xa4bd6800, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xa4bd6800, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.839] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.839] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.839] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.839] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.839] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.839] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab") returned 123 [0080.839] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.839] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.839] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.839] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.839] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.839] GetTickCount () returned 0x1154860 [0080.839] GetTickCount () returned 0x1154860 [0080.839] GetTickCount () returned 0x1154860 [0080.839] GetTickCount () returned 0x1154860 [0080.839] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.839] GetProcessHeap () returned 0x3a00000 [0080.839] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.840] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.841] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.841] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.841] GetProcessHeap () returned 0x3a00000 [0080.841] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.841] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.842] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.844] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.844] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.844] CloseHandle (hObject=0x43c) returned 1 [0080.844] GetProcessHeap () returned 0x3a00000 [0080.844] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.844] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 142 [0080.844] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.845] GetProcessHeap () returned 0x3a00000 [0080.845] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.845] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.845] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Windows") returned -1 [0080.845] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.845] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="System Volume Information") returned 1 [0080.845] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files") returned 1 [0080.845] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.845] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi") returned 140 [0080.845] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi", lpSrch=".ebal") returned 0x0 [0080.845] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.845] lstrcmpW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="taridd") returned 1 [0080.845] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.845] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.845] GetTickCount () returned 0x115486f [0080.845] GetTickCount () returned 0x115486f [0080.845] GetTickCount () returned 0x115486f [0080.846] GetTickCount () returned 0x115486f [0080.846] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.846] GetProcessHeap () returned 0x3a00000 [0080.846] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.846] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.847] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.847] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.848] GetProcessHeap () returned 0x3a00000 [0080.848] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.848] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.848] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.848] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.848] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.849] CloseHandle (hObject=0x43c) returned 1 [0080.849] GetProcessHeap () returned 0x3a00000 [0080.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.849] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 159 [0080.849] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\vc_runtimeminimum_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.849] GetProcessHeap () returned 0x3a00000 [0080.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.849] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.849] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0080.849] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 146 [0080.850] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.851] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.852] CloseHandle (hObject=0x438) returned 1 [0080.852] GetProcessHeap () returned 0x3a00000 [0080.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.852] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.852] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0080.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0080.852] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.853] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.859] CloseHandle (hObject=0x434) returned 1 [0080.859] GetProcessHeap () returned 0x3a00000 [0080.859] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.859] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.859] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0080.859] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0080.859] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.860] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.861] CloseHandle (hObject=0x430) returned 1 [0080.861] GetProcessHeap () returned 0x3a00000 [0080.861] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.861] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0080.861] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0080.861] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0080.861] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0080.861] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0080.861] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0080.861] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 83 [0080.861] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0080.861] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0080.861] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.861] GetProcessHeap () returned 0x3a00000 [0080.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.861] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned 85 [0080.861] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0080.861] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.861] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.861] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.861] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.861] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.861] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\.") returned 85 [0080.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.861] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.862] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.862] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.862] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\..") returned 86 [0080.862] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.862] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0080.862] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0080.862] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0080.862] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0080.862] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0080.862] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0080.862] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 92 [0080.862] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0080.862] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0080.862] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.862] GetProcessHeap () returned 0x3a00000 [0080.862] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.862] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned 94 [0080.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0080.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.862] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.862] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.862] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\.") returned 94 [0080.862] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.862] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.863] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.863] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.863] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.863] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.863] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.863] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\..") returned 95 [0080.863] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.863] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.863] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0080.863] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0080.863] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0080.863] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0080.863] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0080.863] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0080.863] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 118 [0080.863] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0080.863] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0080.863] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.863] GetProcessHeap () returned 0x3a00000 [0080.863] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0080.863] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned 120 [0080.863] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0080.863] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.863] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.863] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.863] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.863] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.863] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\.") returned 120 [0080.863] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.863] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.864] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.864] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.864] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.864] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.864] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.864] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\..") returned 121 [0080.864] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.864] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.864] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90b3300, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe90b3300, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe90b3300, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0080.864] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0080.864] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0080.864] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0080.864] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0080.864] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0080.864] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab") returned 127 [0080.864] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0080.864] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.864] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0080.864] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.864] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.864] GetTickCount () returned 0x115487f [0080.864] GetTickCount () returned 0x115487f [0080.864] GetTickCount () returned 0x115487f [0080.865] GetTickCount () returned 0x115487f [0080.865] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.865] GetProcessHeap () returned 0x3a00000 [0080.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.865] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.901] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.901] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.901] GetProcessHeap () returned 0x3a00000 [0080.901] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.902] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.902] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.903] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.903] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.904] CloseHandle (hObject=0x43c) returned 1 [0080.904] GetProcessHeap () returned 0x3a00000 [0080.904] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.904] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 146 [0080.904] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0080.905] GetProcessHeap () returned 0x3a00000 [0080.905] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.905] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0080.905] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Windows") returned -1 [0080.905] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$Recycle.bin") returned 1 [0080.905] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="System Volume Information") returned 1 [0080.905] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files") returned 1 [0080.905] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="Program Files (x86)") returned 1 [0080.905] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi") returned 147 [0080.905] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi", lpSrch=".ebal") returned 0x0 [0080.905] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.905] lstrcmpW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="taridd") returned 1 [0080.905] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRunt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.905] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0080.906] GetTickCount () returned 0x11548ae [0080.906] GetTickCount () returned 0x11548ae [0080.906] GetTickCount () returned 0x11548ae [0080.906] GetTickCount () returned 0x11548ae [0080.906] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0080.906] GetProcessHeap () returned 0x3a00000 [0080.906] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.906] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.908] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.908] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0080.908] GetProcessHeap () returned 0x3a00000 [0080.908] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.908] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.908] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0080.909] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0080.909] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0080.909] CloseHandle (hObject=0x43c) returned 1 [0080.909] GetProcessHeap () returned 0x3a00000 [0080.909] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0080.909] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 166 [0080.909] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\vc_runtimeadditional_x64.msi_r00t_{8ew5f6}.ebal")) returned 1 [0080.911] GetProcessHeap () returned 0x3a00000 [0080.911] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0080.911] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0080.911] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0080.911] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 150 [0080.911] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0080.911] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0080.913] CloseHandle (hObject=0x438) returned 1 [0080.913] GetProcessHeap () returned 0x3a00000 [0080.913] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0080.913] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0080.913] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0080.913] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 124 [0080.913] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.913] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0080.914] CloseHandle (hObject=0x434) returned 1 [0080.914] GetProcessHeap () returned 0x3a00000 [0080.914] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.914] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0080.914] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0080.914] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0080.914] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.915] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.916] CloseHandle (hObject=0x430) returned 1 [0080.916] GetProcessHeap () returned 0x3a00000 [0080.916] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.916] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0080.916] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0080.916] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0080.916] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0080.916] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0080.916] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 71 [0080.916] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0080.916] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0080.916] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.916] GetProcessHeap () returned 0x3a00000 [0080.916] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.916] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned 73 [0080.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0080.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.916] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\.") returned 73 [0080.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.916] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.916] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.916] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.917] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.917] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.917] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\..") returned 74 [0080.917] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.917] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x37687158, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0080.917] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0080.917] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0080.917] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0080.917] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0080.917] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0080.917] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm") returned 81 [0080.917] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0080.917] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.917] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0080.917] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.917] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.917] GetTickCount () returned 0x11548ae [0080.917] GetTickCount () returned 0x11548ae [0080.917] GetTickCount () returned 0x11548ae [0080.917] GetTickCount () returned 0x11548ae [0080.917] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.917] GetProcessHeap () returned 0x3a00000 [0080.917] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.918] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2ee, lpOverlapped=0x0) returned 1 [0080.919] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.919] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2ee, lpOverlapped=0x0) returned 1 [0080.919] GetProcessHeap () returned 0x3a00000 [0080.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.919] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.919] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.919] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.919] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.919] CloseHandle (hObject=0x434) returned 1 [0080.919] GetProcessHeap () returned 0x3a00000 [0080.919] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.920] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0080.920] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0080.920] GetProcessHeap () returned 0x3a00000 [0080.920] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.920] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0080.920] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Windows") returned -1 [0080.920] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$Recycle.bin") returned 1 [0080.920] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="System Volume Information") returned 1 [0080.920] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files") returned 1 [0080.920] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="Program Files (x86)") returned 1 [0080.920] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe") returned 89 [0080.920] StrStrIW (lpFirst="VC_redist.x64.exe", lpSrch=".ebal") returned 0x0 [0080.920] lstrcmpW (lpString1="VC_redist.x64.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.920] lstrcmpW (lpString1="VC_redist.x64.exe", lpString2="taridd") returned 1 [0080.920] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.920] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.922] GetTickCount () returned 0x11548bd [0080.922] GetTickCount () returned 0x11548bd [0080.922] GetTickCount () returned 0x11548bd [0080.922] GetTickCount () returned 0x11548bd [0080.922] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.922] GetProcessHeap () returned 0x3a00000 [0080.922] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.922] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.924] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.924] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0080.924] GetProcessHeap () returned 0x3a00000 [0080.924] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.924] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.924] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.928] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.928] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.929] CloseHandle (hObject=0x434) returned 1 [0080.929] GetProcessHeap () returned 0x3a00000 [0080.929] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.929] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe_r00t_{8ew5f6}.ebal") returned 108 [0080.929] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\vc_redist.x64.exe_r00t_{8ew5f6}.ebal")) returned 1 [0080.935] GetProcessHeap () returned 0x3a00000 [0080.935] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.935] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0080.935] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0080.935] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0080.935] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0080.937] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0080.938] CloseHandle (hObject=0x430) returned 1 [0080.938] GetProcessHeap () returned 0x3a00000 [0080.938] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0080.938] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0080.938] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0080.938] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0080.938] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0080.938] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0080.938] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0080.938] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 71 [0080.939] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0080.939] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0080.939] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0080.939] GetProcessHeap () returned 0x3a00000 [0080.939] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0080.939] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned 73 [0080.939] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0080.941] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0080.941] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0080.941] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0080.941] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0080.941] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0080.941] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\.") returned 73 [0080.941] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0080.941] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0080.941] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0080.941] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0080.941] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0080.941] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0080.941] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0080.941] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\..") returned 74 [0080.941] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0080.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0080.941] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x35efb7db, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0080.941] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0080.941] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0080.941] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0080.941] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0080.941] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0080.941] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm") returned 81 [0080.942] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0080.942] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.942] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0080.942] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.942] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.942] GetTickCount () returned 0x11548cd [0080.942] GetTickCount () returned 0x11548cd [0080.942] GetTickCount () returned 0x11548cd [0080.942] GetTickCount () returned 0x11548cd [0080.943] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.943] GetProcessHeap () returned 0x3a00000 [0080.943] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.943] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x27e, lpOverlapped=0x0) returned 1 [0080.944] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd82, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0080.944] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x27e, lpOverlapped=0x0) returned 1 [0080.944] GetProcessHeap () returned 0x3a00000 [0080.944] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0080.944] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.944] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0080.945] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0080.945] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0080.945] CloseHandle (hObject=0x434) returned 1 [0080.945] GetProcessHeap () returned 0x3a00000 [0080.945] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0080.945] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0080.945] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0080.946] GetProcessHeap () returned 0x3a00000 [0080.946] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0080.946] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0080.946] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Windows") returned -1 [0080.946] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$Recycle.bin") returned 1 [0080.946] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="System Volume Information") returned 1 [0080.946] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files") returned 1 [0080.946] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="Program Files (x86)") returned 1 [0080.946] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe") returned 88 [0080.946] StrStrIW (lpFirst="vcredist_x86.exe", lpSrch=".ebal") returned 0x0 [0080.946] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0080.946] lstrcmpW (lpString1="vcredist_x86.exe", lpString2="taridd") returned 1 [0080.946] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0080.946] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0080.947] GetTickCount () returned 0x11548cd [0080.947] GetTickCount () returned 0x11548cd [0080.947] GetTickCount () returned 0x11548cd [0080.947] GetTickCount () returned 0x11548cd [0080.947] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0080.947] GetProcessHeap () returned 0x3a00000 [0080.947] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0080.947] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.031] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.031] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.032] GetProcessHeap () returned 0x3a00000 [0081.032] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.032] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.032] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.033] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.033] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.033] CloseHandle (hObject=0x434) returned 1 [0081.033] GetProcessHeap () returned 0x3a00000 [0081.033] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.033] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal") returned 107 [0081.033] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal")) returned 1 [0081.036] GetProcessHeap () returned 0x3a00000 [0081.036] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.036] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0081.036] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0081.036] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0081.036] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.036] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.037] CloseHandle (hObject=0x430) returned 1 [0081.037] GetProcessHeap () returned 0x3a00000 [0081.037] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.037] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0081.037] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0081.038] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0081.038] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0081.038] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0081.038] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0081.038] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 71 [0081.038] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0081.038] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0081.038] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.038] GetProcessHeap () returned 0x3a00000 [0081.038] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.038] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned 73 [0081.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.039] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.039] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.039] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.039] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.039] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.039] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\.") returned 73 [0081.039] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.039] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.039] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.039] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.039] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.039] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.039] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.039] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\..") returned 74 [0081.039] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.039] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.039] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3714fdce, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0081.039] lstrcmpiW (lpString1="state.rsm", lpString2="Windows") returned -1 [0081.039] lstrcmpiW (lpString1="state.rsm", lpString2="$Recycle.bin") returned 1 [0081.039] lstrcmpiW (lpString1="state.rsm", lpString2="System Volume Information") returned -1 [0081.039] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files") returned 1 [0081.039] lstrcmpiW (lpString1="state.rsm", lpString2="Program Files (x86)") returned 1 [0081.039] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm") returned 81 [0081.039] StrStrIW (lpFirst="state.rsm", lpSrch=".ebal") returned 0x0 [0081.039] lstrcmpW (lpString1="state.rsm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.039] lstrcmpW (lpString1="state.rsm", lpString2="taridd") returned -1 [0081.039] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.039] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.040] GetTickCount () returned 0x115492b [0081.040] GetTickCount () returned 0x115492b [0081.040] GetTickCount () returned 0x115492b [0081.040] GetTickCount () returned 0x115492b [0081.040] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.040] GetProcessHeap () returned 0x3a00000 [0081.040] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.040] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2ee, lpOverlapped=0x0) returned 1 [0081.045] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffd12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.045] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2ee, lpOverlapped=0x0) returned 1 [0081.045] GetProcessHeap () returned 0x3a00000 [0081.045] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.045] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.045] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.045] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.045] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.045] CloseHandle (hObject=0x434) returned 1 [0081.045] GetProcessHeap () returned 0x3a00000 [0081.045] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.045] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm_r00t_{8ew5f6}.ebal") returned 100 [0081.045] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm_r00t_{8ew5f6}.ebal")) returned 1 [0081.046] GetProcessHeap () returned 0x3a00000 [0081.046] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.046] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0081.046] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Windows") returned -1 [0081.046] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$Recycle.bin") returned 1 [0081.046] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="System Volume Information") returned 1 [0081.046] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files") returned 1 [0081.046] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="Program Files (x86)") returned 1 [0081.046] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe") returned 89 [0081.046] StrStrIW (lpFirst="VC_redist.x86.exe", lpSrch=".ebal") returned 0x0 [0081.046] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.046] lstrcmpW (lpString1="VC_redist.x86.exe", lpString2="taridd") returned 1 [0081.046] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.046] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.047] GetTickCount () returned 0x115493a [0081.047] GetTickCount () returned 0x115493a [0081.047] GetTickCount () returned 0x115493a [0081.047] GetTickCount () returned 0x115493a [0081.047] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.047] GetProcessHeap () returned 0x3a00000 [0081.047] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.047] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.050] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.050] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.051] GetProcessHeap () returned 0x3a00000 [0081.051] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.051] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.051] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.056] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.056] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.056] CloseHandle (hObject=0x434) returned 1 [0081.056] GetProcessHeap () returned 0x3a00000 [0081.056] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.056] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe_r00t_{8ew5f6}.ebal") returned 108 [0081.056] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\vc_redist.x86.exe_r00t_{8ew5f6}.ebal")) returned 1 [0081.061] GetProcessHeap () returned 0x3a00000 [0081.061] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.061] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0081.062] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.062] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0081.062] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.062] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.063] CloseHandle (hObject=0x430) returned 1 [0081.063] GetProcessHeap () returned 0x3a00000 [0081.063] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.063] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0081.063] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0081.063] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0081.063] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0081.063] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0081.063] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0081.063] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 82 [0081.063] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0081.063] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0081.063] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.063] GetProcessHeap () returned 0x3a00000 [0081.063] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.063] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned 84 [0081.063] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.064] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.064] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.064] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.064] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.064] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.064] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\.") returned 84 [0081.064] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.064] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.064] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.064] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.064] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.064] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.064] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.064] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\..") returned 85 [0081.064] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.064] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.064] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0081.064] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0081.064] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0081.064] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0081.064] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0081.064] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0081.064] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 91 [0081.064] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0081.064] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0081.064] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.064] GetProcessHeap () returned 0x3a00000 [0081.064] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.064] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned 93 [0081.064] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0081.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.065] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\.") returned 93 [0081.065] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.065] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.065] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.065] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.065] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.065] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.065] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.065] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\..") returned 94 [0081.065] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.065] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.065] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0081.065] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0081.065] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0081.065] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0081.065] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0081.065] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0081.065] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 115 [0081.065] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0081.065] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0081.065] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.065] GetProcessHeap () returned 0x3a00000 [0081.065] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.065] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned 117 [0081.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0081.066] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.066] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.066] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.066] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.066] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.066] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\.") returned 117 [0081.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.066] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.066] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\..") returned 118 [0081.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.066] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6151ff00, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x6151ff00, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x6151ff00, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0081.066] lstrcmpiW (lpString1="cab1.cab", lpString2="Windows") returned -1 [0081.066] lstrcmpiW (lpString1="cab1.cab", lpString2="$Recycle.bin") returned 1 [0081.066] lstrcmpiW (lpString1="cab1.cab", lpString2="System Volume Information") returned -1 [0081.066] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files") returned -1 [0081.067] lstrcmpiW (lpString1="cab1.cab", lpString2="Program Files (x86)") returned -1 [0081.067] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab") returned 124 [0081.067] StrStrIW (lpFirst="cab1.cab", lpSrch=".ebal") returned 0x0 [0081.067] lstrcmpW (lpString1="cab1.cab", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.067] lstrcmpW (lpString1="cab1.cab", lpString2="taridd") returned -1 [0081.067] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.067] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] GetTickCount () returned 0x115494a [0081.067] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0081.067] GetProcessHeap () returned 0x3a00000 [0081.067] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.067] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0081.069] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.069] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0081.069] GetProcessHeap () returned 0x3a00000 [0081.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.069] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.069] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0081.071] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0081.071] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0081.072] CloseHandle (hObject=0x43c) returned 1 [0081.072] GetProcessHeap () returned 0x3a00000 [0081.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.072] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 143 [0081.072] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal")) returned 1 [0081.073] GetProcessHeap () returned 0x3a00000 [0081.073] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.073] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0081.073] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Windows") returned -1 [0081.073] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$Recycle.bin") returned 1 [0081.073] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="System Volume Information") returned 1 [0081.073] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files") returned 1 [0081.073] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="Program Files (x86)") returned 1 [0081.073] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi") returned 144 [0081.073] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi", lpSrch=".ebal") returned 0x0 [0081.073] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.073] lstrcmpW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="taridd") returned 1 [0081.073] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRunti", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.073] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.074] GetTickCount () returned 0x115494a [0081.074] GetTickCount () returned 0x115494a [0081.074] GetTickCount () returned 0x115494a [0081.074] GetTickCount () returned 0x115494a [0081.074] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0081.074] GetProcessHeap () returned 0x3a00000 [0081.074] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.074] ReadFile (in: hFile=0x43c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0081.076] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.076] WriteFile (in: hFile=0x43c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x2800, lpOverlapped=0x0) returned 1 [0081.076] GetProcessHeap () returned 0x3a00000 [0081.076] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.076] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.076] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0081.077] WriteFile (in: hFile=0x43c, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0081.077] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0081.077] CloseHandle (hObject=0x43c) returned 1 [0081.077] GetProcessHeap () returned 0x3a00000 [0081.077] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.077] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 163 [0081.077] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi"), lpNewFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\vc_runtimeadditional_x86.msi_r00t_{8ew5f6}.ebal")) returned 1 [0081.078] GetProcessHeap () returned 0x3a00000 [0081.078] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.078] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0081.078] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0081.078] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 147 [0081.078] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.080] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.081] CloseHandle (hObject=0x438) returned 1 [0081.081] GetProcessHeap () returned 0x3a00000 [0081.081] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.081] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0081.081] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0081.081] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0081.081] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.087] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.088] CloseHandle (hObject=0x434) returned 1 [0081.088] GetProcessHeap () returned 0x3a00000 [0081.088] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.088] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0081.088] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0081.088] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0081.088] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.089] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.090] CloseHandle (hObject=0x430) returned 1 [0081.090] GetProcessHeap () returned 0x3a00000 [0081.090] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.090] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0081.090] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.090] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Package Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0081.090] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\Package Cache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\package cache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.091] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.092] CloseHandle (hObject=0x42c) returned 1 [0081.092] GetProcessHeap () returned 0x3a00000 [0081.092] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.092] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0081.092] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Windows") returned -1 [0081.092] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="$Recycle.bin") returned 1 [0081.092] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="System Volume Information") returned -1 [0081.092] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Program Files") returned 1 [0081.092] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Program Files (x86)") returned 1 [0081.092] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft") returned 46 [0081.092] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2=".") returned 1 [0081.092] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2="..") returned 1 [0081.092] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.092] GetProcessHeap () returned 0x3a00000 [0081.092] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.092] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*") returned 48 [0081.092] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.094] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.094] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.094] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.094] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.094] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.094] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\.") returned 48 [0081.094] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.094] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.094] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.095] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.095] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.095] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\." (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.095] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.095] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.095] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.095] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\..") returned 49 [0081.095] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.095] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.095] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.095] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.095] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.095] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.095] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\.." (normalized: "c:\\programdata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.095] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x4af5600b, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0081.095] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="Windows") returned -1 [0081.095] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="$Recycle.bin") returned 1 [0081.095] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="System Volume Information") returned -1 [0081.095] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="Program Files") returned 1 [0081.095] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="Program Files (x86)") returned 1 [0081.095] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned 129 [0081.095] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpSrch=".ebal") returned 0x0 [0081.095] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.095] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="taridd") returned -1 [0081.095] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run E", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.095] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.096] GetTickCount () returned 0x1154969 [0081.096] GetTickCount () returned 0x1154969 [0081.096] GetTickCount () returned 0x1154969 [0081.096] GetTickCount () returned 0x1154969 [0081.096] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0081.096] GetProcessHeap () returned 0x3a00000 [0081.096] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.096] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x430, lpOverlapped=0x0) returned 1 [0081.098] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffbd0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.098] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x430, lpOverlapped=0x0) returned 1 [0081.098] GetProcessHeap () returned 0x3a00000 [0081.098] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.098] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.098] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0081.098] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0081.098] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0081.098] CloseHandle (hObject=0x430) returned 1 [0081.098] GetProcessHeap () returned 0x3a00000 [0081.098] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.098] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal") returned 148 [0081.098] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag_r00t_{8ew5f6}.ebal")) returned 1 [0081.099] GetProcessHeap () returned 0x3a00000 [0081.099] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.099] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfefc00, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0xda9f4a95, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbfefc00, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0081.099] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="Windows") returned -1 [0081.099] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="$Recycle.bin") returned 1 [0081.099] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="System Volume Information") returned -1 [0081.099] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="Program Files") returned 1 [0081.099] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="Program Files (x86)") returned 1 [0081.099] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned 125 [0081.099] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpSrch=".ebal") returned 0x0 [0081.099] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.099] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="taridd") returned -1 [0081.099] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run L", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.100] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.100] GetTickCount () returned 0x1154969 [0081.100] GetTickCount () returned 0x1154969 [0081.100] GetTickCount () returned 0x1154969 [0081.100] GetTickCount () returned 0x1154969 [0081.100] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0081.100] GetProcessHeap () returned 0x3a00000 [0081.101] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.101] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x42c, lpOverlapped=0x0) returned 1 [0081.102] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffbd4, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.102] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x42c, lpOverlapped=0x0) returned 1 [0081.102] GetProcessHeap () returned 0x3a00000 [0081.102] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.102] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.102] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0081.155] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0081.155] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0081.155] CloseHandle (hObject=0x430) returned 1 [0081.165] GetProcessHeap () returned 0x3a00000 [0081.165] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.165] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal") returned 144 [0081.165] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag_r00t_{8ew5f6}.ebal")) returned 1 [0081.167] GetProcessHeap () returned 0x3a00000 [0081.168] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.168] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x53fba98c, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~4.SWI")) returned 1 [0081.168] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="Windows") returned -1 [0081.168] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="$Recycle.bin") returned 1 [0081.168] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="System Volume Information") returned -1 [0081.168] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="Program Files") returned 1 [0081.168] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="Program Files (x86)") returned 1 [0081.168] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned 128 [0081.168] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpSrch=".ebal") returned 0x0 [0081.168] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.168] lstrcmpW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="taridd") returned -1 [0081.168] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run L", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.168] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.168] GetTickCount () returned 0x11549a8 [0081.168] GetTickCount () returned 0x11549a8 [0081.168] GetTickCount () returned 0x11549a8 [0081.168] GetTickCount () returned 0x11549a8 [0081.168] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0081.169] GetProcessHeap () returned 0x3a00000 [0081.169] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.169] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x42f, lpOverlapped=0x0) returned 1 [0081.170] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffbd1, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.170] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x42f, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x42f, lpOverlapped=0x0) returned 1 [0081.170] GetProcessHeap () returned 0x3a00000 [0081.170] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.170] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.170] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0081.171] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0081.171] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0081.171] CloseHandle (hObject=0x430) returned 1 [0081.171] GetProcessHeap () returned 0x3a00000 [0081.171] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.171] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal") returned 147 [0081.171] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag_r00t_{8ew5f6}.ebal")) returned 1 [0081.172] GetProcessHeap () returned 0x3a00000 [0081.172] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.172] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0081.172] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="Windows") returned -1 [0081.172] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="$Recycle.bin") returned 1 [0081.172] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="System Volume Information") returned -1 [0081.172] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="Program Files") returned 1 [0081.172] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="Program Files (x86)") returned 1 [0081.172] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned 97 [0081.172] StrStrIW (lpFirst="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpSrch=".ebal") returned 0x0 [0081.172] lstrcmpW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.172] lstrcmpW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="taridd") returned -1 [0081.172] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.172] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.172] GetTickCount () returned 0x11549b7 [0081.172] GetTickCount () returned 0x11549b7 [0081.172] GetTickCount () returned 0x11549b7 [0081.172] GetTickCount () returned 0x11549b7 [0081.172] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0081.173] GetProcessHeap () returned 0x3a00000 [0081.173] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.173] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x3e5, lpOverlapped=0x0) returned 1 [0081.174] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xfffffc1b, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.174] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x3e5, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x3e5, lpOverlapped=0x0) returned 1 [0081.174] GetProcessHeap () returned 0x3a00000 [0081.174] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.174] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.174] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0081.174] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0081.175] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0081.175] CloseHandle (hObject=0x430) returned 1 [0081.175] GetProcessHeap () returned 0x3a00000 [0081.175] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.175] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal") returned 116 [0081.175] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), lpNewFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag_r00t_{8ew5f6}.ebal")) returned 1 [0081.175] GetProcessHeap () returned 0x3a00000 [0081.175] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.175] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 0 [0081.176] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0081.176] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0081.176] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\regid.1991-06.com.microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\regid.1991-06.com.microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.176] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.177] CloseHandle (hObject=0x42c) returned 1 [0081.177] GetProcessHeap () returned 0x3a00000 [0081.177] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.177] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0081.177] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Windows") returned -1 [0081.177] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="$Recycle.bin") returned 1 [0081.177] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="System Volume Information") returned -1 [0081.177] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Program Files") returned 1 [0081.177] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Program Files (x86)") returned 1 [0081.177] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution") returned 39 [0081.177] lstrcmpW (lpString1="SoftwareDistribution", lpString2=".") returned 1 [0081.177] lstrcmpW (lpString1="SoftwareDistribution", lpString2="..") returned 1 [0081.177] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\SoftwareDistribution", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.177] GetProcessHeap () returned 0x3a00000 [0081.177] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.177] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*") returned 41 [0081.177] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0081.178] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.178] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.178] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.178] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.178] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.178] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\.") returned 41 [0081.178] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.178] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.178] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.178] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.178] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.178] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.178] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.178] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\..") returned 42 [0081.178] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.178] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.178] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0081.178] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0081.178] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0081.178] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\SoftwareDistribution\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\softwaredistribution\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.178] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.179] CloseHandle (hObject=0x42c) returned 1 [0081.179] GetProcessHeap () returned 0x3a00000 [0081.180] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.180] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0081.180] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0081.180] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0081.180] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0081.180] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0081.180] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0081.180] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu") returned 29 [0081.180] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0081.180] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0081.180] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Start Menu", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.180] GetProcessHeap () returned 0x3a00000 [0081.180] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.180] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Start Menu\\*") returned 31 [0081.180] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Start Menu\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0081.180] GetProcessHeap () returned 0x3a00000 [0081.180] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.180] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0081.180] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0081.180] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0081.180] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0081.180] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0081.180] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0081.180] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates") returned 28 [0081.180] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0081.180] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0081.180] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\Templates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.180] GetProcessHeap () returned 0x3a00000 [0081.181] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.181] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\Templates\\*") returned 30 [0081.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\Templates\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0081.181] GetProcessHeap () returned 0x3a00000 [0081.181] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.181] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0081.181] lstrcmpiW (lpString1="USOPrivate", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1="USOPrivate", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1="USOPrivate", lpString2="System Volume Information") returned 1 [0081.181] lstrcmpiW (lpString1="USOPrivate", lpString2="Program Files") returned 1 [0081.181] lstrcmpiW (lpString1="USOPrivate", lpString2="Program Files (x86)") returned 1 [0081.181] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate") returned 29 [0081.181] lstrcmpW (lpString1="USOPrivate", lpString2=".") returned 1 [0081.181] lstrcmpW (lpString1="USOPrivate", lpString2="..") returned 1 [0081.181] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\USOPrivate", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.181] GetProcessHeap () returned 0x3a00000 [0081.181] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.181] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\*") returned 31 [0081.181] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0081.181] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.181] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.181] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.181] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.181] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\.") returned 31 [0081.181] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.181] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.181] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.181] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.182] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\..") returned 32 [0081.182] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.182] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.182] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2bb800e, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0081.182] lstrcmpiW (lpString1="UpdateStore", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1="UpdateStore", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1="UpdateStore", lpString2="System Volume Information") returned 1 [0081.182] lstrcmpiW (lpString1="UpdateStore", lpString2="Program Files") returned 1 [0081.182] lstrcmpiW (lpString1="UpdateStore", lpString2="Program Files (x86)") returned 1 [0081.182] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore") returned 41 [0081.182] lstrcmpW (lpString1="UpdateStore", lpString2=".") returned 1 [0081.182] lstrcmpW (lpString1="UpdateStore", lpString2="..") returned 1 [0081.182] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.182] GetProcessHeap () returned 0x3a00000 [0081.182] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.182] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*") returned 43 [0081.182] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2bb800e, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0081.182] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.182] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.182] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\.") returned 43 [0081.182] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.182] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2bb800e, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.182] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.182] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.182] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.183] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.183] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.183] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\..") returned 44 [0081.183] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.183] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.183] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc9086d4, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xdc9086d4, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xdc9086d4, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateCspStore.xml", cAlternateFileName="UPDATE~2.XML")) returned 1 [0081.183] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="Windows") returned -1 [0081.183] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="$Recycle.bin") returned 1 [0081.183] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="System Volume Information") returned 1 [0081.183] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="Program Files") returned 1 [0081.183] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="Program Files (x86)") returned 1 [0081.183] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml") returned 60 [0081.183] StrStrIW (lpFirst="UpdateCspStore.xml", lpSrch=".ebal") returned 0x0 [0081.183] lstrcmpW (lpString1="UpdateCspStore.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.183] lstrcmpW (lpString1="UpdateCspStore.xml", lpString2="taridd") returned 1 [0081.183] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.183] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatecspstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.184] GetTickCount () returned 0x11549b7 [0081.184] GetTickCount () returned 0x11549b7 [0081.184] GetTickCount () returned 0x11549b7 [0081.184] GetTickCount () returned 0x11549b7 [0081.184] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.184] GetProcessHeap () returned 0x3a00000 [0081.184] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.184] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x1a, lpOverlapped=0x0) returned 1 [0081.185] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffffe6, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.185] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x1a, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x1a, lpOverlapped=0x0) returned 1 [0081.185] GetProcessHeap () returned 0x3a00000 [0081.185] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.185] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.185] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.189] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.189] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.189] CloseHandle (hObject=0x434) returned 1 [0081.189] GetProcessHeap () returned 0x3a00000 [0081.189] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.189] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml_r00t_{8ew5f6}.ebal") returned 79 [0081.189] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatecspstore.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\UpdateCspStore.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatecspstore.xml_r00t_{8ew5f6}.ebal")) returned 1 [0081.190] GetProcessHeap () returned 0x3a00000 [0081.190] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.190] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x241e602, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2b91bea, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0xb5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1 [0081.190] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="Windows") returned -1 [0081.190] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="$Recycle.bin") returned 1 [0081.190] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="System Volume Information") returned 1 [0081.190] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="Program Files") returned 1 [0081.190] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="Program Files (x86)") returned 1 [0081.190] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned 93 [0081.190] StrStrIW (lpFirst="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpSrch=".ebal") returned 0x0 [0081.190] lstrcmpW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.190] lstrcmpW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="taridd") returned 1 [0081.190] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.190] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.190] GetTickCount () returned 0x11549c7 [0081.190] GetTickCount () returned 0x11549c7 [0081.190] GetTickCount () returned 0x11549c7 [0081.190] GetTickCount () returned 0x11549c7 [0081.190] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.190] GetProcessHeap () returned 0x3a00000 [0081.190] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.190] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0xb5b, lpOverlapped=0x0) returned 1 [0081.191] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff4a5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.191] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0xb5b, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0xb5b, lpOverlapped=0x0) returned 1 [0081.193] GetProcessHeap () returned 0x3a00000 [0081.193] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.193] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.193] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.193] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.193] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.193] CloseHandle (hObject=0x434) returned 1 [0081.193] GetProcessHeap () returned 0x3a00000 [0081.193] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.193] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal") returned 112 [0081.193] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal")) returned 1 [0081.194] GetProcessHeap () returned 0x3a00000 [0081.194] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.194] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x241e602, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2b91bea, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0xb5b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 0 [0081.194] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0081.194] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0081.194] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\UpdateStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\usoprivate\\updatestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.195] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.196] CloseHandle (hObject=0x430) returned 1 [0081.196] GetProcessHeap () returned 0x3a00000 [0081.196] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.196] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2bb800e, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0 [0081.196] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0081.196] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOPrivate\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 61 [0081.196] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOPrivate\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\usoprivate\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.196] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.197] CloseHandle (hObject=0x42c) returned 1 [0081.197] GetProcessHeap () returned 0x3a00000 [0081.197] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.197] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0081.197] lstrcmpiW (lpString1="USOShared", lpString2="Windows") returned -1 [0081.197] lstrcmpiW (lpString1="USOShared", lpString2="$Recycle.bin") returned 1 [0081.197] lstrcmpiW (lpString1="USOShared", lpString2="System Volume Information") returned 1 [0081.198] lstrcmpiW (lpString1="USOShared", lpString2="Program Files") returned 1 [0081.198] lstrcmpiW (lpString1="USOShared", lpString2="Program Files (x86)") returned 1 [0081.198] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared") returned 28 [0081.198] lstrcmpW (lpString1="USOShared", lpString2=".") returned 1 [0081.198] lstrcmpW (lpString1="USOShared", lpString2="..") returned 1 [0081.198] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\USOShared", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.198] GetProcessHeap () returned 0x3a00000 [0081.198] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.198] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\*") returned 30 [0081.198] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0081.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.198] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\.") returned 30 [0081.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.198] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.198] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\..") returned 31 [0081.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.198] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeeb92e75, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeeb92e75, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0081.198] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0081.198] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0081.198] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0081.198] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0081.198] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0081.199] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs") returned 33 [0081.199] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0081.199] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0081.199] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\USOShared\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.199] GetProcessHeap () returned 0x3a00000 [0081.199] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.199] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*") returned 35 [0081.199] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeeb92e75, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeebb90da, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0081.201] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.201] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.201] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.201] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.201] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.201] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\.") returned 35 [0081.201] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.201] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeeb92e75, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeebb90da, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.202] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.202] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.202] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.202] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.202] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.202] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\..") returned 36 [0081.202] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.202] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.202] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x58d51fd9, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x597705f5, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUx.001.etl", cAlternateFileName="NOBE5B~1.ETL")) returned 1 [0081.202] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="Windows") returned -1 [0081.202] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="$Recycle.bin") returned 1 [0081.202] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="System Volume Information") returned -1 [0081.202] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="Program Files") returned -1 [0081.202] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="Program Files (x86)") returned -1 [0081.202] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl") returned 56 [0081.202] StrStrIW (lpFirst="NotificationUx.001.etl", lpSrch=".ebal") returned 0x0 [0081.202] lstrcmpW (lpString1="NotificationUx.001.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.202] lstrcmpW (lpString1="NotificationUx.001.etl", lpString2="taridd") returned -1 [0081.202] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.202] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.203] GetTickCount () returned 0x11549d7 [0081.203] GetTickCount () returned 0x11549d7 [0081.203] GetTickCount () returned 0x11549d7 [0081.203] GetTickCount () returned 0x11549d7 [0081.203] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.203] GetProcessHeap () returned 0x3a00000 [0081.203] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.204] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.217] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.217] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.217] GetProcessHeap () returned 0x3a00000 [0081.217] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.217] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.217] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.217] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.218] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.218] CloseHandle (hObject=0x434) returned 1 [0081.218] GetProcessHeap () returned 0x3a00000 [0081.218] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.218] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl_r00t_{8ew5f6}.ebal") returned 75 [0081.218] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.001.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.001.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.001.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.219] GetProcessHeap () returned 0x3a00000 [0081.219] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.219] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7cf76e0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x852e502, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUx.002.etl", cAlternateFileName="NOTIFI~2.ETL")) returned 1 [0081.219] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="Windows") returned -1 [0081.219] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="$Recycle.bin") returned 1 [0081.219] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="System Volume Information") returned -1 [0081.219] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="Program Files") returned -1 [0081.219] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="Program Files (x86)") returned -1 [0081.219] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl") returned 56 [0081.219] StrStrIW (lpFirst="NotificationUx.002.etl", lpSrch=".ebal") returned 0x0 [0081.219] lstrcmpW (lpString1="NotificationUx.002.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.219] lstrcmpW (lpString1="NotificationUx.002.etl", lpString2="taridd") returned -1 [0081.219] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.219] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.220] GetTickCount () returned 0x11549e6 [0081.220] GetTickCount () returned 0x11549e6 [0081.220] GetTickCount () returned 0x11549e6 [0081.220] GetTickCount () returned 0x11549e6 [0081.220] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.220] GetProcessHeap () returned 0x3a00000 [0081.220] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.220] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.222] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.222] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.222] GetProcessHeap () returned 0x3a00000 [0081.222] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.222] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.222] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.222] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.223] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.223] CloseHandle (hObject=0x434) returned 1 [0081.223] GetProcessHeap () returned 0x3a00000 [0081.223] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.223] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl_r00t_{8ew5f6}.ebal") returned 75 [0081.223] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.002.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUx.002.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationux.002.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.223] GetProcessHeap () returned 0x3a00000 [0081.223] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.223] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2d822f20, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x2efd472c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.001.etl", cAlternateFileName="NO604C~1.ETL")) returned 1 [0081.223] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="Windows") returned -1 [0081.223] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="$Recycle.bin") returned 1 [0081.223] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="System Volume Information") returned -1 [0081.224] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="Program Files") returned -1 [0081.224] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="Program Files (x86)") returned -1 [0081.224] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl") returned 62 [0081.224] StrStrIW (lpFirst="NotificationUxBroker.001.etl", lpSrch=".ebal") returned 0x0 [0081.224] lstrcmpW (lpString1="NotificationUxBroker.001.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.224] lstrcmpW (lpString1="NotificationUxBroker.001.etl", lpString2="taridd") returned -1 [0081.224] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.224] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.225] GetTickCount () returned 0x11549e6 [0081.225] GetTickCount () returned 0x11549e6 [0081.225] GetTickCount () returned 0x11549e6 [0081.225] GetTickCount () returned 0x11549e6 [0081.225] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.225] GetProcessHeap () returned 0x3a00000 [0081.225] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.225] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.227] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.227] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.227] GetProcessHeap () returned 0x3a00000 [0081.227] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.227] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.227] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.228] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.228] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.228] CloseHandle (hObject=0x434) returned 1 [0081.228] GetProcessHeap () returned 0x3a00000 [0081.228] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.228] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.228] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.001.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.001.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.228] GetProcessHeap () returned 0x3a00000 [0081.228] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.228] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfe554d51, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0xfe782447, ftLastWriteTime.dwHighDateTime=0x1d3375a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.002.etl", cAlternateFileName="NO8BA4~1.ETL")) returned 1 [0081.228] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="Windows") returned -1 [0081.228] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="$Recycle.bin") returned 1 [0081.229] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="System Volume Information") returned -1 [0081.229] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="Program Files") returned -1 [0081.229] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="Program Files (x86)") returned -1 [0081.229] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl") returned 62 [0081.229] StrStrIW (lpFirst="NotificationUxBroker.002.etl", lpSrch=".ebal") returned 0x0 [0081.229] lstrcmpW (lpString1="NotificationUxBroker.002.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.229] lstrcmpW (lpString1="NotificationUxBroker.002.etl", lpString2="taridd") returned -1 [0081.229] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.229] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.230] GetTickCount () returned 0x11549e6 [0081.230] GetTickCount () returned 0x11549e6 [0081.230] GetTickCount () returned 0x11549e6 [0081.230] GetTickCount () returned 0x11549e6 [0081.230] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.230] GetProcessHeap () returned 0x3a00000 [0081.230] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.230] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.232] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.232] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.232] GetProcessHeap () returned 0x3a00000 [0081.232] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.233] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.233] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.233] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.233] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.233] CloseHandle (hObject=0x434) returned 1 [0081.233] GetProcessHeap () returned 0x3a00000 [0081.233] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.233] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.233] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.002.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.002.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.257] GetProcessHeap () returned 0x3a00000 [0081.257] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.257] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfdf01be1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfdfc06a7, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.003.etl", cAlternateFileName="NO3670~1.ETL")) returned 1 [0081.257] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="Windows") returned -1 [0081.257] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="$Recycle.bin") returned 1 [0081.257] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="System Volume Information") returned -1 [0081.257] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="Program Files") returned -1 [0081.257] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="Program Files (x86)") returned -1 [0081.257] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl") returned 62 [0081.258] StrStrIW (lpFirst="NotificationUxBroker.003.etl", lpSrch=".ebal") returned 0x0 [0081.258] lstrcmpW (lpString1="NotificationUxBroker.003.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.258] lstrcmpW (lpString1="NotificationUxBroker.003.etl", lpString2="taridd") returned -1 [0081.258] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.258] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.258] GetTickCount () returned 0x1154a05 [0081.258] GetTickCount () returned 0x1154a05 [0081.258] GetTickCount () returned 0x1154a05 [0081.258] GetTickCount () returned 0x1154a05 [0081.258] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.258] GetProcessHeap () returned 0x3a00000 [0081.258] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.258] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.260] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.260] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.260] GetProcessHeap () returned 0x3a00000 [0081.260] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.260] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.260] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.261] CloseHandle (hObject=0x434) returned 1 [0081.261] GetProcessHeap () returned 0x3a00000 [0081.261] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.261] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.261] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.003.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.003.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.261] GetProcessHeap () returned 0x3a00000 [0081.261] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.261] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x588b3c6a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x59ae67c8, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.004.etl", cAlternateFileName="NO2FB3~1.ETL")) returned 1 [0081.261] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="Windows") returned -1 [0081.261] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="$Recycle.bin") returned 1 [0081.261] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="System Volume Information") returned -1 [0081.261] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="Program Files") returned -1 [0081.262] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="Program Files (x86)") returned -1 [0081.262] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl") returned 62 [0081.262] StrStrIW (lpFirst="NotificationUxBroker.004.etl", lpSrch=".ebal") returned 0x0 [0081.262] lstrcmpW (lpString1="NotificationUxBroker.004.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.262] lstrcmpW (lpString1="NotificationUxBroker.004.etl", lpString2="taridd") returned -1 [0081.262] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.262] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] GetTickCount () returned 0x1154a05 [0081.262] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.262] GetProcessHeap () returned 0x3a00000 [0081.262] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.262] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.264] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.264] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.264] GetProcessHeap () returned 0x3a00000 [0081.264] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.264] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.264] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.265] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.265] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.265] CloseHandle (hObject=0x434) returned 1 [0081.265] GetProcessHeap () returned 0x3a00000 [0081.265] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.265] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.265] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.004.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.004.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.265] GetProcessHeap () returned 0x3a00000 [0081.265] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.265] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xb4b94410, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0xb50917ed, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.005.etl", cAlternateFileName="NO74F7~1.ETL")) returned 1 [0081.265] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="Windows") returned -1 [0081.265] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="$Recycle.bin") returned 1 [0081.266] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="System Volume Information") returned -1 [0081.266] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="Program Files") returned -1 [0081.266] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="Program Files (x86)") returned -1 [0081.266] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl") returned 62 [0081.266] StrStrIW (lpFirst="NotificationUxBroker.005.etl", lpSrch=".ebal") returned 0x0 [0081.266] lstrcmpW (lpString1="NotificationUxBroker.005.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.266] lstrcmpW (lpString1="NotificationUxBroker.005.etl", lpString2="taridd") returned -1 [0081.266] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.266] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.270] GetTickCount () returned 0x1154a15 [0081.270] GetTickCount () returned 0x1154a15 [0081.270] GetTickCount () returned 0x1154a15 [0081.270] GetTickCount () returned 0x1154a15 [0081.270] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.270] GetProcessHeap () returned 0x3a00000 [0081.270] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.270] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.272] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.272] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.272] GetProcessHeap () returned 0x3a00000 [0081.272] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.272] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.272] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.273] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.273] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.273] CloseHandle (hObject=0x434) returned 1 [0081.273] GetProcessHeap () returned 0x3a00000 [0081.273] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.273] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.273] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.005.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.005.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.273] GetProcessHeap () returned 0x3a00000 [0081.273] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.273] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x86d6bb14, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0x8728eea2, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.006.etl", cAlternateFileName="NOC92C~1.ETL")) returned 1 [0081.274] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="Windows") returned -1 [0081.274] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="$Recycle.bin") returned 1 [0081.274] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="System Volume Information") returned -1 [0081.274] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="Program Files") returned -1 [0081.274] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="Program Files (x86)") returned -1 [0081.274] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl") returned 62 [0081.274] StrStrIW (lpFirst="NotificationUxBroker.006.etl", lpSrch=".ebal") returned 0x0 [0081.274] lstrcmpW (lpString1="NotificationUxBroker.006.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.274] lstrcmpW (lpString1="NotificationUxBroker.006.etl", lpString2="taridd") returned -1 [0081.274] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.274] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.274] GetTickCount () returned 0x1154a15 [0081.274] GetTickCount () returned 0x1154a15 [0081.274] GetTickCount () returned 0x1154a15 [0081.274] GetTickCount () returned 0x1154a15 [0081.274] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.274] GetProcessHeap () returned 0x3a00000 [0081.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.274] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.276] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.276] GetProcessHeap () returned 0x3a00000 [0081.276] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.276] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.276] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.277] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.277] CloseHandle (hObject=0x434) returned 1 [0081.277] GetProcessHeap () returned 0x3a00000 [0081.277] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.277] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.277] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.006.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.006.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.277] GetProcessHeap () returned 0x3a00000 [0081.277] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.277] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe7f77c60, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xebc8ba4e, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.007.etl", cAlternateFileName="NOAEB3~1.ETL")) returned 1 [0081.277] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="Windows") returned -1 [0081.277] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="$Recycle.bin") returned 1 [0081.277] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="System Volume Information") returned -1 [0081.277] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="Program Files") returned -1 [0081.278] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="Program Files (x86)") returned -1 [0081.278] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl") returned 62 [0081.278] StrStrIW (lpFirst="NotificationUxBroker.007.etl", lpSrch=".ebal") returned 0x0 [0081.278] lstrcmpW (lpString1="NotificationUxBroker.007.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.278] lstrcmpW (lpString1="NotificationUxBroker.007.etl", lpString2="taridd") returned -1 [0081.278] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.278] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.279] GetTickCount () returned 0x1154a15 [0081.279] GetTickCount () returned 0x1154a15 [0081.279] GetTickCount () returned 0x1154a15 [0081.279] GetTickCount () returned 0x1154a15 [0081.279] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.279] GetProcessHeap () returned 0x3a00000 [0081.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.279] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.296] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.296] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.303] GetProcessHeap () returned 0x3a00000 [0081.304] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.304] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.304] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.304] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.304] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.304] CloseHandle (hObject=0x434) returned 1 [0081.304] GetProcessHeap () returned 0x3a00000 [0081.304] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.304] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.304] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.007.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.007.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.305] GetProcessHeap () returned 0x3a00000 [0081.305] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.305] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe1017621, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe10d621a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.008.etl", cAlternateFileName="NO6494~1.ETL")) returned 1 [0081.305] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="Windows") returned -1 [0081.305] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="$Recycle.bin") returned 1 [0081.305] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="System Volume Information") returned -1 [0081.305] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="Program Files") returned -1 [0081.305] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="Program Files (x86)") returned -1 [0081.305] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl") returned 62 [0081.305] StrStrIW (lpFirst="NotificationUxBroker.008.etl", lpSrch=".ebal") returned 0x0 [0081.305] lstrcmpW (lpString1="NotificationUxBroker.008.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.305] lstrcmpW (lpString1="NotificationUxBroker.008.etl", lpString2="taridd") returned -1 [0081.305] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.305] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.306] GetTickCount () returned 0x1154a34 [0081.306] GetTickCount () returned 0x1154a34 [0081.306] GetTickCount () returned 0x1154a34 [0081.306] GetTickCount () returned 0x1154a34 [0081.306] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.306] GetProcessHeap () returned 0x3a00000 [0081.306] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.306] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.309] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.309] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.310] GetProcessHeap () returned 0x3a00000 [0081.310] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.310] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.310] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.310] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.310] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.310] CloseHandle (hObject=0x434) returned 1 [0081.310] GetProcessHeap () returned 0x3a00000 [0081.310] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.310] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.310] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.008.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.008.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.311] GetProcessHeap () returned 0x3a00000 [0081.311] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.311] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2fb7ebe4, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0x2fc89ca0, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.009.etl", cAlternateFileName="NO492C~1.ETL")) returned 1 [0081.311] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="Windows") returned -1 [0081.311] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="$Recycle.bin") returned 1 [0081.311] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="System Volume Information") returned -1 [0081.311] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="Program Files") returned -1 [0081.311] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="Program Files (x86)") returned -1 [0081.311] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl") returned 62 [0081.311] StrStrIW (lpFirst="NotificationUxBroker.009.etl", lpSrch=".ebal") returned 0x0 [0081.311] lstrcmpW (lpString1="NotificationUxBroker.009.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.311] lstrcmpW (lpString1="NotificationUxBroker.009.etl", lpString2="taridd") returned -1 [0081.311] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.311] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.316] GetTickCount () returned 0x1154a44 [0081.316] GetTickCount () returned 0x1154a44 [0081.316] GetTickCount () returned 0x1154a44 [0081.316] GetTickCount () returned 0x1154a44 [0081.316] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.316] GetProcessHeap () returned 0x3a00000 [0081.316] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.316] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.318] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.318] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.318] GetProcessHeap () returned 0x3a00000 [0081.318] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.318] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.318] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.318] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.319] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.319] CloseHandle (hObject=0x434) returned 1 [0081.319] GetProcessHeap () returned 0x3a00000 [0081.319] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.319] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.009.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.009.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.319] GetProcessHeap () returned 0x3a00000 [0081.319] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.319] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xd855139b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xd87b395e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.010.etl", cAlternateFileName="NO0EF1~1.ETL")) returned 1 [0081.319] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="Windows") returned -1 [0081.319] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="$Recycle.bin") returned 1 [0081.319] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="System Volume Information") returned -1 [0081.320] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="Program Files") returned -1 [0081.320] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="Program Files (x86)") returned -1 [0081.320] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl") returned 62 [0081.320] StrStrIW (lpFirst="NotificationUxBroker.010.etl", lpSrch=".ebal") returned 0x0 [0081.320] lstrcmpW (lpString1="NotificationUxBroker.010.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.320] lstrcmpW (lpString1="NotificationUxBroker.010.etl", lpString2="taridd") returned -1 [0081.320] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.320] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.320] GetTickCount () returned 0x1154a44 [0081.320] GetTickCount () returned 0x1154a44 [0081.320] GetTickCount () returned 0x1154a44 [0081.320] GetTickCount () returned 0x1154a44 [0081.320] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.320] GetProcessHeap () returned 0x3a00000 [0081.320] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.320] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.322] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.322] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.322] GetProcessHeap () returned 0x3a00000 [0081.322] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.322] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.322] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.322] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.322] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.323] CloseHandle (hObject=0x434) returned 1 [0081.323] GetProcessHeap () returned 0x3a00000 [0081.323] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.323] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.323] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.010.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.010.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.323] GetProcessHeap () returned 0x3a00000 [0081.323] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.323] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x1ff683d6, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x20000d39, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.011.etl", cAlternateFileName="NOC3D2~1.ETL")) returned 1 [0081.323] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="Windows") returned -1 [0081.323] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="$Recycle.bin") returned 1 [0081.323] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="System Volume Information") returned -1 [0081.324] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="Program Files") returned -1 [0081.324] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="Program Files (x86)") returned -1 [0081.324] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl") returned 62 [0081.324] StrStrIW (lpFirst="NotificationUxBroker.011.etl", lpSrch=".ebal") returned 0x0 [0081.324] lstrcmpW (lpString1="NotificationUxBroker.011.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.324] lstrcmpW (lpString1="NotificationUxBroker.011.etl", lpString2="taridd") returned -1 [0081.324] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.324] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.325] GetTickCount () returned 0x1154a44 [0081.325] GetTickCount () returned 0x1154a44 [0081.325] GetTickCount () returned 0x1154a44 [0081.325] GetTickCount () returned 0x1154a44 [0081.325] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.325] GetProcessHeap () returned 0x3a00000 [0081.325] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.325] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.326] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.327] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.327] GetProcessHeap () returned 0x3a00000 [0081.327] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.327] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.327] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.327] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.327] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.327] CloseHandle (hObject=0x434) returned 1 [0081.327] GetProcessHeap () returned 0x3a00000 [0081.327] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.327] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.327] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.011.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.011.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.328] GetProcessHeap () returned 0x3a00000 [0081.328] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.328] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x46e2de3d, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x46eecb64, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.012.etl", cAlternateFileName="NOA86A~1.ETL")) returned 1 [0081.328] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="Windows") returned -1 [0081.328] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="$Recycle.bin") returned 1 [0081.328] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="System Volume Information") returned -1 [0081.328] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="Program Files") returned -1 [0081.328] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="Program Files (x86)") returned -1 [0081.328] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl") returned 62 [0081.328] StrStrIW (lpFirst="NotificationUxBroker.012.etl", lpSrch=".ebal") returned 0x0 [0081.328] lstrcmpW (lpString1="NotificationUxBroker.012.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.328] lstrcmpW (lpString1="NotificationUxBroker.012.etl", lpString2="taridd") returned -1 [0081.328] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.328] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.329] GetTickCount () returned 0x1154a54 [0081.329] GetTickCount () returned 0x1154a54 [0081.329] GetTickCount () returned 0x1154a54 [0081.329] GetTickCount () returned 0x1154a54 [0081.329] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.329] GetProcessHeap () returned 0x3a00000 [0081.329] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.329] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.330] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.331] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.331] GetProcessHeap () returned 0x3a00000 [0081.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.331] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.331] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.331] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.331] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.331] CloseHandle (hObject=0x434) returned 1 [0081.331] GetProcessHeap () returned 0x3a00000 [0081.331] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.331] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.331] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.012.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.012.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.332] GetProcessHeap () returned 0x3a00000 [0081.332] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.332] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x235d058f, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x23917bad, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.013.etl", cAlternateFileName="NO3128~1.ETL")) returned 1 [0081.332] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="Windows") returned -1 [0081.332] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="$Recycle.bin") returned 1 [0081.332] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="System Volume Information") returned -1 [0081.332] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="Program Files") returned -1 [0081.332] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="Program Files (x86)") returned -1 [0081.332] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl") returned 62 [0081.332] StrStrIW (lpFirst="NotificationUxBroker.013.etl", lpSrch=".ebal") returned 0x0 [0081.332] lstrcmpW (lpString1="NotificationUxBroker.013.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.332] lstrcmpW (lpString1="NotificationUxBroker.013.etl", lpString2="taridd") returned -1 [0081.332] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.332] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.332] GetTickCount () returned 0x1154a54 [0081.333] GetTickCount () returned 0x1154a54 [0081.333] GetTickCount () returned 0x1154a54 [0081.333] GetTickCount () returned 0x1154a54 [0081.333] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.333] GetProcessHeap () returned 0x3a00000 [0081.333] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.333] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.334] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.334] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.335] GetProcessHeap () returned 0x3a00000 [0081.335] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.335] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.335] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.335] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.335] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.335] CloseHandle (hObject=0x434) returned 1 [0081.335] GetProcessHeap () returned 0x3a00000 [0081.335] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.335] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.335] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.013.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.013.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.336] GetProcessHeap () returned 0x3a00000 [0081.336] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.336] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x8f69453d, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0x8f779518, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.014.etl", cAlternateFileName="NO43D2~1.ETL")) returned 1 [0081.336] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="Windows") returned -1 [0081.336] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="$Recycle.bin") returned 1 [0081.336] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="System Volume Information") returned -1 [0081.336] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="Program Files") returned -1 [0081.336] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="Program Files (x86)") returned -1 [0081.336] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl") returned 62 [0081.336] StrStrIW (lpFirst="NotificationUxBroker.014.etl", lpSrch=".ebal") returned 0x0 [0081.336] lstrcmpW (lpString1="NotificationUxBroker.014.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.336] lstrcmpW (lpString1="NotificationUxBroker.014.etl", lpString2="taridd") returned -1 [0081.336] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.336] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.337] GetTickCount () returned 0x1154a54 [0081.337] GetTickCount () returned 0x1154a54 [0081.337] GetTickCount () returned 0x1154a54 [0081.337] GetTickCount () returned 0x1154a54 [0081.337] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.337] GetProcessHeap () returned 0x3a00000 [0081.337] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.337] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.339] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.339] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.339] GetProcessHeap () returned 0x3a00000 [0081.339] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.339] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.339] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.339] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.339] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.339] CloseHandle (hObject=0x434) returned 1 [0081.339] GetProcessHeap () returned 0x3a00000 [0081.339] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.339] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.340] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.014.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.014.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.340] GetProcessHeap () returned 0x3a00000 [0081.340] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.340] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7fb3688d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7fc1b6b8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.015.etl", cAlternateFileName="NOTIFI~4.ETL")) returned 1 [0081.340] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="Windows") returned -1 [0081.340] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="$Recycle.bin") returned 1 [0081.340] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="System Volume Information") returned -1 [0081.340] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="Program Files") returned -1 [0081.340] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="Program Files (x86)") returned -1 [0081.340] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl") returned 62 [0081.340] StrStrIW (lpFirst="NotificationUxBroker.015.etl", lpSrch=".ebal") returned 0x0 [0081.340] lstrcmpW (lpString1="NotificationUxBroker.015.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.340] lstrcmpW (lpString1="NotificationUxBroker.015.etl", lpString2="taridd") returned -1 [0081.340] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.340] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.342] GetTickCount () returned 0x1154a54 [0081.342] GetTickCount () returned 0x1154a54 [0081.342] GetTickCount () returned 0x1154a54 [0081.342] GetTickCount () returned 0x1154a54 [0081.342] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.342] GetProcessHeap () returned 0x3a00000 [0081.342] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.342] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.355] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.355] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.355] GetProcessHeap () returned 0x3a00000 [0081.355] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.355] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.356] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.356] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.356] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.356] CloseHandle (hObject=0x434) returned 1 [0081.356] GetProcessHeap () returned 0x3a00000 [0081.356] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.356] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.356] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.015.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.015.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.357] GetProcessHeap () returned 0x3a00000 [0081.357] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.357] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb502d29, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb5c1a4e, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.016.etl", cAlternateFileName="NOTIFI~3.ETL")) returned 1 [0081.357] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="Windows") returned -1 [0081.357] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="$Recycle.bin") returned 1 [0081.357] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="System Volume Information") returned -1 [0081.357] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="Program Files") returned -1 [0081.357] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="Program Files (x86)") returned -1 [0081.357] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl") returned 62 [0081.357] StrStrIW (lpFirst="NotificationUxBroker.016.etl", lpSrch=".ebal") returned 0x0 [0081.357] lstrcmpW (lpString1="NotificationUxBroker.016.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.357] lstrcmpW (lpString1="NotificationUxBroker.016.etl", lpString2="taridd") returned -1 [0081.357] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.357] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.358] GetTickCount () returned 0x1154a63 [0081.358] GetTickCount () returned 0x1154a63 [0081.358] GetTickCount () returned 0x1154a63 [0081.358] GetTickCount () returned 0x1154a63 [0081.358] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.358] GetProcessHeap () returned 0x3a00000 [0081.358] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.374] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.380] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.380] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.380] GetProcessHeap () returned 0x3a00000 [0081.380] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.380] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.380] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.380] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.380] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.381] CloseHandle (hObject=0x434) returned 1 [0081.381] GetProcessHeap () returned 0x3a00000 [0081.381] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.381] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.381] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.016.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.016.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.381] GetProcessHeap () returned 0x3a00000 [0081.382] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.382] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7b53cfc, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x8be7d51, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.017.etl", cAlternateFileName="NOTIFI~1.ETL")) returned 1 [0081.382] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="Windows") returned -1 [0081.382] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="$Recycle.bin") returned 1 [0081.382] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="System Volume Information") returned -1 [0081.382] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="Program Files") returned -1 [0081.382] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="Program Files (x86)") returned -1 [0081.382] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl") returned 62 [0081.382] StrStrIW (lpFirst="NotificationUxBroker.017.etl", lpSrch=".ebal") returned 0x0 [0081.382] lstrcmpW (lpString1="NotificationUxBroker.017.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.382] lstrcmpW (lpString1="NotificationUxBroker.017.etl", lpString2="taridd") returned -1 [0081.382] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.382] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.383] GetTickCount () returned 0x1154a82 [0081.383] GetTickCount () returned 0x1154a82 [0081.383] GetTickCount () returned 0x1154a82 [0081.383] GetTickCount () returned 0x1154a82 [0081.383] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.383] GetProcessHeap () returned 0x3a00000 [0081.383] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.383] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.386] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.386] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.386] GetProcessHeap () returned 0x3a00000 [0081.386] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.386] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.386] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.386] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.387] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.387] CloseHandle (hObject=0x434) returned 1 [0081.387] GetProcessHeap () returned 0x3a00000 [0081.387] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.387] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal") returned 81 [0081.387] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.017.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\notificationuxbroker.017.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.387] GetProcessHeap () returned 0x3a00000 [0081.387] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.387] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeebb90da, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeebb90da, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0081.387] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Windows") returned -1 [0081.387] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="$Recycle.bin") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="System Volume Information") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Program Files") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Program Files (x86)") returned 1 [0081.388] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned 68 [0081.388] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xde371631, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="Windows") returned -1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="$Recycle.bin") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="System Volume Information") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="Program Files") returned 1 [0081.388] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="Program Files (x86)") returned 1 [0081.388] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl") returned 68 [0081.388] StrStrIW (lpFirst="UpdateSessionOrchestration.002.etl", lpSrch=".ebal") returned 0x0 [0081.388] lstrcmpW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.388] lstrcmpW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="taridd") returned 1 [0081.388] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.388] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.388] GetTickCount () returned 0x1154a82 [0081.388] GetTickCount () returned 0x1154a82 [0081.388] GetTickCount () returned 0x1154a82 [0081.388] GetTickCount () returned 0x1154a82 [0081.388] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.388] GetProcessHeap () returned 0x3a00000 [0081.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.389] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.390] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.390] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.390] GetProcessHeap () returned 0x3a00000 [0081.390] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.390] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.390] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.391] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.391] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.391] CloseHandle (hObject=0x434) returned 1 [0081.391] GetProcessHeap () returned 0x3a00000 [0081.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.391] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.391] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.002.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.392] GetProcessHeap () returned 0x3a00000 [0081.392] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.392] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2a522d7b, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x4e6dab1f, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0081.392] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="Windows") returned -1 [0081.392] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="$Recycle.bin") returned 1 [0081.392] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="System Volume Information") returned 1 [0081.392] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="Program Files") returned 1 [0081.392] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="Program Files (x86)") returned 1 [0081.392] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl") returned 68 [0081.392] StrStrIW (lpFirst="UpdateSessionOrchestration.003.etl", lpSrch=".ebal") returned 0x0 [0081.392] lstrcmpW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.392] lstrcmpW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="taridd") returned 1 [0081.392] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.392] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.392] GetTickCount () returned 0x1154a92 [0081.392] GetTickCount () returned 0x1154a92 [0081.392] GetTickCount () returned 0x1154a92 [0081.392] GetTickCount () returned 0x1154a92 [0081.392] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.393] GetProcessHeap () returned 0x3a00000 [0081.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.393] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.394] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.394] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.394] GetProcessHeap () returned 0x3a00000 [0081.394] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.394] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.394] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.394] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.395] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.395] CloseHandle (hObject=0x434) returned 1 [0081.395] GetProcessHeap () returned 0x3a00000 [0081.395] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.395] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.395] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.003.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.395] GetProcessHeap () returned 0x3a00000 [0081.395] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.395] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2cbb43aa, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x5454d5b0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0081.395] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="Windows") returned -1 [0081.395] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="$Recycle.bin") returned 1 [0081.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="System Volume Information") returned 1 [0081.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="Program Files") returned 1 [0081.396] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="Program Files (x86)") returned 1 [0081.396] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl") returned 68 [0081.396] StrStrIW (lpFirst="UpdateSessionOrchestration.004.etl", lpSrch=".ebal") returned 0x0 [0081.396] lstrcmpW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.396] lstrcmpW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="taridd") returned 1 [0081.396] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.396] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.396] GetTickCount () returned 0x1154a92 [0081.396] GetTickCount () returned 0x1154a92 [0081.396] GetTickCount () returned 0x1154a92 [0081.396] GetTickCount () returned 0x1154a92 [0081.396] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.396] GetProcessHeap () returned 0x3a00000 [0081.396] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.396] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.398] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.398] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.398] GetProcessHeap () returned 0x3a00000 [0081.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.398] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.398] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.398] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.398] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.398] CloseHandle (hObject=0x434) returned 1 [0081.398] GetProcessHeap () returned 0x3a00000 [0081.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.398] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.398] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.004.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.410] GetProcessHeap () returned 0x3a00000 [0081.410] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.410] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x60de6047, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x60de6047, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0081.410] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="Windows") returned -1 [0081.410] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="$Recycle.bin") returned 1 [0081.410] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="System Volume Information") returned 1 [0081.410] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="Program Files") returned 1 [0081.410] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="Program Files (x86)") returned 1 [0081.410] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl") returned 68 [0081.410] StrStrIW (lpFirst="UpdateSessionOrchestration.005.etl", lpSrch=".ebal") returned 0x0 [0081.410] lstrcmpW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.410] lstrcmpW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="taridd") returned 1 [0081.411] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.411] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.411] GetTickCount () returned 0x1154aa2 [0081.411] GetTickCount () returned 0x1154aa2 [0081.411] GetTickCount () returned 0x1154aa2 [0081.411] GetTickCount () returned 0x1154aa2 [0081.411] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.411] GetProcessHeap () returned 0x3a00000 [0081.411] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.411] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.413] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.413] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.413] GetProcessHeap () returned 0x3a00000 [0081.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.413] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.413] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.413] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.413] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.413] CloseHandle (hObject=0x434) returned 1 [0081.413] GetProcessHeap () returned 0x3a00000 [0081.413] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.413] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.414] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.005.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.414] GetProcessHeap () returned 0x3a00000 [0081.414] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.414] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa72ae253, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xcb3f3780, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0081.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="Windows") returned -1 [0081.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="$Recycle.bin") returned 1 [0081.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="System Volume Information") returned 1 [0081.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="Program Files") returned 1 [0081.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="Program Files (x86)") returned 1 [0081.414] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl") returned 68 [0081.414] StrStrIW (lpFirst="UpdateSessionOrchestration.006.etl", lpSrch=".ebal") returned 0x0 [0081.414] lstrcmpW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.414] lstrcmpW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="taridd") returned 1 [0081.414] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.414] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.415] GetTickCount () returned 0x1154aa2 [0081.415] GetTickCount () returned 0x1154aa2 [0081.415] GetTickCount () returned 0x1154aa2 [0081.415] GetTickCount () returned 0x1154aa2 [0081.415] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.415] GetProcessHeap () returned 0x3a00000 [0081.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.415] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.416] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.416] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.417] GetProcessHeap () returned 0x3a00000 [0081.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.417] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.417] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.417] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.417] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.417] CloseHandle (hObject=0x434) returned 1 [0081.417] GetProcessHeap () returned 0x3a00000 [0081.417] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.417] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.417] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.006.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.418] GetProcessHeap () returned 0x3a00000 [0081.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.418] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x5ca8efbc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x8784f695, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1 [0081.418] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="Windows") returned -1 [0081.418] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="$Recycle.bin") returned 1 [0081.418] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="System Volume Information") returned 1 [0081.418] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="Program Files") returned 1 [0081.418] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="Program Files (x86)") returned 1 [0081.418] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl") returned 68 [0081.418] StrStrIW (lpFirst="UpdateSessionOrchestration.007.etl", lpSrch=".ebal") returned 0x0 [0081.418] lstrcmpW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.418] lstrcmpW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="taridd") returned 1 [0081.418] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.418] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.418] GetTickCount () returned 0x1154aa2 [0081.418] GetTickCount () returned 0x1154aa2 [0081.419] GetTickCount () returned 0x1154aa2 [0081.419] GetTickCount () returned 0x1154aa2 [0081.419] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.419] GetProcessHeap () returned 0x3a00000 [0081.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.419] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.428] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.428] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.428] GetProcessHeap () returned 0x3a00000 [0081.428] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.428] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.428] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.428] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.428] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.428] CloseHandle (hObject=0x434) returned 1 [0081.429] GetProcessHeap () returned 0x3a00000 [0081.429] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.429] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.429] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.007.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.433] GetProcessHeap () returned 0x3a00000 [0081.433] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.433] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4346f4fe, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0x4346f4fe, ftLastWriteTime.dwHighDateTime=0x1d41dc4, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1 [0081.433] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="Windows") returned -1 [0081.433] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="$Recycle.bin") returned 1 [0081.433] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="System Volume Information") returned 1 [0081.433] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="Program Files") returned 1 [0081.433] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="Program Files (x86)") returned 1 [0081.433] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl") returned 68 [0081.433] StrStrIW (lpFirst="UpdateSessionOrchestration.008.etl", lpSrch=".ebal") returned 0x0 [0081.433] lstrcmpW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.433] lstrcmpW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="taridd") returned 1 [0081.433] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.433] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.433] GetTickCount () returned 0x1154ab1 [0081.433] GetTickCount () returned 0x1154ab1 [0081.433] GetTickCount () returned 0x1154ab1 [0081.433] GetTickCount () returned 0x1154ab1 [0081.434] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.434] GetProcessHeap () returned 0x3a00000 [0081.434] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.434] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.435] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.435] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.435] GetProcessHeap () returned 0x3a00000 [0081.435] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.435] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.435] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.436] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.436] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.436] CloseHandle (hObject=0x434) returned 1 [0081.436] GetProcessHeap () returned 0x3a00000 [0081.436] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.436] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.436] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.008.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.439] GetProcessHeap () returned 0x3a00000 [0081.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.439] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x745a10f, ftLastAccessTime.dwHighDateTime=0x1d3aafc, ftLastWriteTime.dwLowDateTime=0x318cac0d, ftLastWriteTime.dwHighDateTime=0x1d3aafc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPFC55~1.ETL")) returned 1 [0081.439] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="Windows") returned -1 [0081.439] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="$Recycle.bin") returned 1 [0081.439] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="System Volume Information") returned 1 [0081.439] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="Program Files") returned 1 [0081.439] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="Program Files (x86)") returned 1 [0081.439] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl") returned 68 [0081.439] StrStrIW (lpFirst="UpdateSessionOrchestration.009.etl", lpSrch=".ebal") returned 0x0 [0081.439] lstrcmpW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.439] lstrcmpW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="taridd") returned 1 [0081.439] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.439] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.439] GetTickCount () returned 0x1154ac1 [0081.439] GetTickCount () returned 0x1154ac1 [0081.439] GetTickCount () returned 0x1154ac1 [0081.439] GetTickCount () returned 0x1154ac1 [0081.439] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.440] GetProcessHeap () returned 0x3a00000 [0081.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.440] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.441] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.441] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.441] GetProcessHeap () returned 0x3a00000 [0081.441] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.441] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.441] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.441] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.441] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.442] CloseHandle (hObject=0x434) returned 1 [0081.442] GetProcessHeap () returned 0x3a00000 [0081.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.442] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.442] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.009.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.442] GetProcessHeap () returned 0x3a00000 [0081.442] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.442] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd59be406, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xd59be406, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPB13B~1.ETL")) returned 1 [0081.442] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="Windows") returned -1 [0081.442] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="$Recycle.bin") returned 1 [0081.442] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="System Volume Information") returned 1 [0081.442] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="Program Files") returned 1 [0081.443] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="Program Files (x86)") returned 1 [0081.443] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl") returned 68 [0081.443] StrStrIW (lpFirst="UpdateSessionOrchestration.010.etl", lpSrch=".ebal") returned 0x0 [0081.443] lstrcmpW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.443] lstrcmpW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="taridd") returned 1 [0081.443] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.443] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.443] GetTickCount () returned 0x1154ac1 [0081.443] GetTickCount () returned 0x1154ac1 [0081.443] GetTickCount () returned 0x1154ac1 [0081.443] GetTickCount () returned 0x1154ac1 [0081.443] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.443] GetProcessHeap () returned 0x3a00000 [0081.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.443] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.445] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.445] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.445] GetProcessHeap () returned 0x3a00000 [0081.445] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.445] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.445] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.445] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.445] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.446] CloseHandle (hObject=0x434) returned 1 [0081.446] GetProcessHeap () returned 0x3a00000 [0081.446] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.446] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.446] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.010.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.446] GetProcessHeap () returned 0x3a00000 [0081.446] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.446] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x198319d2, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3f449663, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UP076F~1.ETL")) returned 1 [0081.446] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="Windows") returned -1 [0081.446] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="$Recycle.bin") returned 1 [0081.446] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="System Volume Information") returned 1 [0081.446] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="Program Files") returned 1 [0081.446] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="Program Files (x86)") returned 1 [0081.446] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl") returned 68 [0081.446] StrStrIW (lpFirst="UpdateSessionOrchestration.011.etl", lpSrch=".ebal") returned 0x0 [0081.447] lstrcmpW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.447] lstrcmpW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="taridd") returned 1 [0081.447] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.447] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.447] GetTickCount () returned 0x1154ac1 [0081.447] GetTickCount () returned 0x1154ac1 [0081.447] GetTickCount () returned 0x1154ac1 [0081.447] GetTickCount () returned 0x1154ac1 [0081.447] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.447] GetProcessHeap () returned 0x3a00000 [0081.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.447] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.450] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.450] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.450] GetProcessHeap () returned 0x3a00000 [0081.450] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.450] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.450] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.450] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.450] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.450] CloseHandle (hObject=0x434) returned 1 [0081.450] GetProcessHeap () returned 0x3a00000 [0081.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.450] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.450] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.011.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.451] GetProcessHeap () returned 0x3a00000 [0081.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.451] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1c505b8c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x58b60423, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.012.etl", cAlternateFileName="UPEBF6~1.ETL")) returned 1 [0081.451] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="Windows") returned -1 [0081.451] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="$Recycle.bin") returned 1 [0081.451] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="System Volume Information") returned 1 [0081.451] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="Program Files") returned 1 [0081.451] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="Program Files (x86)") returned 1 [0081.451] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl") returned 68 [0081.451] StrStrIW (lpFirst="UpdateSessionOrchestration.012.etl", lpSrch=".ebal") returned 0x0 [0081.451] lstrcmpW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.451] lstrcmpW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="taridd") returned 1 [0081.451] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.451] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.452] GetTickCount () returned 0x1154ac1 [0081.452] GetTickCount () returned 0x1154ac1 [0081.452] GetTickCount () returned 0x1154ac1 [0081.452] GetTickCount () returned 0x1154ac1 [0081.452] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.452] GetProcessHeap () returned 0x3a00000 [0081.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.452] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.456] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.456] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.456] GetProcessHeap () returned 0x3a00000 [0081.456] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.456] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.456] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.457] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.457] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.457] CloseHandle (hObject=0x434) returned 1 [0081.457] GetProcessHeap () returned 0x3a00000 [0081.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.457] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.012.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.012.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.457] GetProcessHeap () returned 0x3a00000 [0081.458] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.458] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdaf93ab4, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x87be9f6, ftLastWriteTime.dwHighDateTime=0x1d38c44, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.013.etl", cAlternateFileName="UP8DEE~1.ETL")) returned 1 [0081.458] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="Windows") returned -1 [0081.458] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="$Recycle.bin") returned 1 [0081.458] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="System Volume Information") returned 1 [0081.458] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="Program Files") returned 1 [0081.458] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="Program Files (x86)") returned 1 [0081.458] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl") returned 68 [0081.458] StrStrIW (lpFirst="UpdateSessionOrchestration.013.etl", lpSrch=".ebal") returned 0x0 [0081.458] lstrcmpW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.458] lstrcmpW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="taridd") returned 1 [0081.458] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.458] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.458] GetTickCount () returned 0x1154ad1 [0081.458] GetTickCount () returned 0x1154ad1 [0081.458] GetTickCount () returned 0x1154ad1 [0081.458] GetTickCount () returned 0x1154ad1 [0081.458] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.458] GetProcessHeap () returned 0x3a00000 [0081.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.459] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.460] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.460] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.461] GetProcessHeap () returned 0x3a00000 [0081.461] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.461] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.461] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.461] CloseHandle (hObject=0x434) returned 1 [0081.461] GetProcessHeap () returned 0x3a00000 [0081.461] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.461] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.461] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.013.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.013.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.462] GetProcessHeap () returned 0x3a00000 [0081.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.462] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1977635c, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x1977635c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.014.etl", cAlternateFileName="UP38BA~1.ETL")) returned 1 [0081.462] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="Windows") returned -1 [0081.462] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="$Recycle.bin") returned 1 [0081.462] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="System Volume Information") returned 1 [0081.462] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="Program Files") returned 1 [0081.462] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="Program Files (x86)") returned 1 [0081.462] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl") returned 68 [0081.462] StrStrIW (lpFirst="UpdateSessionOrchestration.014.etl", lpSrch=".ebal") returned 0x0 [0081.462] lstrcmpW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.462] lstrcmpW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="taridd") returned 1 [0081.462] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.462] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.464] GetTickCount () returned 0x1154ad1 [0081.465] GetTickCount () returned 0x1154ad1 [0081.465] GetTickCount () returned 0x1154ad1 [0081.465] GetTickCount () returned 0x1154ad1 [0081.465] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.465] GetProcessHeap () returned 0x3a00000 [0081.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.465] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.468] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.468] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.469] GetProcessHeap () returned 0x3a00000 [0081.469] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.469] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.469] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.469] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.469] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.469] CloseHandle (hObject=0x434) returned 1 [0081.469] GetProcessHeap () returned 0x3a00000 [0081.469] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.469] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.469] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.014.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.014.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.470] GetProcessHeap () returned 0x3a00000 [0081.470] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.470] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfc820227, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0x2521b8a4, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.015.etl", cAlternateFileName="UPE286~1.ETL")) returned 1 [0081.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="Windows") returned -1 [0081.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="$Recycle.bin") returned 1 [0081.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="System Volume Information") returned 1 [0081.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="Program Files") returned 1 [0081.470] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="Program Files (x86)") returned 1 [0081.470] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl") returned 68 [0081.470] StrStrIW (lpFirst="UpdateSessionOrchestration.015.etl", lpSrch=".ebal") returned 0x0 [0081.470] lstrcmpW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.470] lstrcmpW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="taridd") returned 1 [0081.470] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.470] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.471] GetTickCount () returned 0x1154ae0 [0081.471] GetTickCount () returned 0x1154ae0 [0081.471] GetTickCount () returned 0x1154ae0 [0081.471] GetTickCount () returned 0x1154ae0 [0081.471] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.471] GetProcessHeap () returned 0x3a00000 [0081.471] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.471] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.494] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.495] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.495] GetProcessHeap () returned 0x3a00000 [0081.495] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.495] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.495] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.495] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.495] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.495] CloseHandle (hObject=0x434) returned 1 [0081.495] GetProcessHeap () returned 0x3a00000 [0081.495] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.495] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.495] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.015.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.015.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.496] GetProcessHeap () returned 0x3a00000 [0081.496] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.496] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfd9caf15, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfd9caf15, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.016.etl", cAlternateFileName="UP9D42~1.ETL")) returned 1 [0081.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="Windows") returned -1 [0081.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="$Recycle.bin") returned 1 [0081.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="System Volume Information") returned 1 [0081.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="Program Files") returned 1 [0081.497] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="Program Files (x86)") returned 1 [0081.497] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl") returned 68 [0081.497] StrStrIW (lpFirst="UpdateSessionOrchestration.016.etl", lpSrch=".ebal") returned 0x0 [0081.497] lstrcmpW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.497] lstrcmpW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="taridd") returned 1 [0081.497] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.497] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.498] GetTickCount () returned 0x1154af0 [0081.498] GetTickCount () returned 0x1154af0 [0081.498] GetTickCount () returned 0x1154af0 [0081.498] GetTickCount () returned 0x1154af0 [0081.498] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.498] GetProcessHeap () returned 0x3a00000 [0081.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.498] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.500] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffff000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.500] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x1000, lpOverlapped=0x0) returned 1 [0081.500] GetProcessHeap () returned 0x3a00000 [0081.500] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.500] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.500] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.501] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.501] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.501] CloseHandle (hObject=0x434) returned 1 [0081.501] GetProcessHeap () returned 0x3a00000 [0081.501] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.501] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.501] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.016.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.016.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.502] GetProcessHeap () returned 0x3a00000 [0081.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.502] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xda210f79, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xb10a27a8, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.017.etl", cAlternateFileName="UPB8BA~1.ETL")) returned 1 [0081.502] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="Windows") returned -1 [0081.502] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="$Recycle.bin") returned 1 [0081.502] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="System Volume Information") returned 1 [0081.502] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="Program Files") returned 1 [0081.502] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="Program Files (x86)") returned 1 [0081.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl") returned 68 [0081.502] StrStrIW (lpFirst="UpdateSessionOrchestration.017.etl", lpSrch=".ebal") returned 0x0 [0081.502] lstrcmpW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.502] lstrcmpW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="taridd") returned 1 [0081.502] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.502] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.502] GetTickCount () returned 0x1154aff [0081.502] GetTickCount () returned 0x1154aff [0081.502] GetTickCount () returned 0x1154aff [0081.502] GetTickCount () returned 0x1154aff [0081.502] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.502] GetProcessHeap () returned 0x3a00000 [0081.503] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.503] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.505] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.505] GetProcessHeap () returned 0x3a00000 [0081.505] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.505] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.505] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.505] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.506] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.506] CloseHandle (hObject=0x434) returned 1 [0081.506] GetProcessHeap () returned 0x3a00000 [0081.506] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.506] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.506] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.017.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.017.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.506] GetProcessHeap () returned 0x3a00000 [0081.506] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.506] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe0798fd2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x79d33ce, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.018.etl", cAlternateFileName="UPAC79~1.ETL")) returned 1 [0081.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="Windows") returned -1 [0081.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="$Recycle.bin") returned 1 [0081.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="System Volume Information") returned 1 [0081.506] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="Program Files") returned 1 [0081.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="Program Files (x86)") returned 1 [0081.507] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl") returned 68 [0081.507] StrStrIW (lpFirst="UpdateSessionOrchestration.018.etl", lpSrch=".ebal") returned 0x0 [0081.507] lstrcmpW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.507] lstrcmpW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="taridd") returned 1 [0081.507] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.507] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.018.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.507] GetTickCount () returned 0x1154aff [0081.507] GetTickCount () returned 0x1154aff [0081.507] GetTickCount () returned 0x1154aff [0081.507] GetTickCount () returned 0x1154aff [0081.507] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.507] GetProcessHeap () returned 0x3a00000 [0081.507] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.507] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.510] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.510] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.510] GetProcessHeap () returned 0x3a00000 [0081.510] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.510] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.510] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.510] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.510] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.510] CloseHandle (hObject=0x434) returned 1 [0081.511] GetProcessHeap () returned 0x3a00000 [0081.511] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.511] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.511] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.018.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.018.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.511] GetProcessHeap () returned 0x3a00000 [0081.511] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.511] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd7a24386, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x56762f51, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.019.etl", cAlternateFileName="UP1E42~1.ETL")) returned 1 [0081.511] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="Windows") returned -1 [0081.511] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="$Recycle.bin") returned 1 [0081.511] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="System Volume Information") returned 1 [0081.511] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="Program Files") returned 1 [0081.511] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="Program Files (x86)") returned 1 [0081.511] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl") returned 68 [0081.511] StrStrIW (lpFirst="UpdateSessionOrchestration.019.etl", lpSrch=".ebal") returned 0x0 [0081.511] lstrcmpW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.511] lstrcmpW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="taridd") returned 1 [0081.511] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.512] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.019.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.512] GetTickCount () returned 0x1154aff [0081.512] GetTickCount () returned 0x1154aff [0081.512] GetTickCount () returned 0x1154aff [0081.512] GetTickCount () returned 0x1154aff [0081.512] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.512] GetProcessHeap () returned 0x3a00000 [0081.512] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.512] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.514] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.514] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.514] GetProcessHeap () returned 0x3a00000 [0081.514] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.514] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.514] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.514] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.515] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.515] CloseHandle (hObject=0x434) returned 1 [0081.515] GetProcessHeap () returned 0x3a00000 [0081.515] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.515] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.515] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.019.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.019.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.515] GetProcessHeap () returned 0x3a00000 [0081.515] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.515] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1fc4717b, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x46bc7f04, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.020.etl", cAlternateFileName="UP597C~1.ETL")) returned 1 [0081.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="Windows") returned -1 [0081.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="$Recycle.bin") returned 1 [0081.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="System Volume Information") returned 1 [0081.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="Program Files") returned 1 [0081.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="Program Files (x86)") returned 1 [0081.516] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl") returned 68 [0081.516] StrStrIW (lpFirst="UpdateSessionOrchestration.020.etl", lpSrch=".ebal") returned 0x0 [0081.516] lstrcmpW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.516] lstrcmpW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="taridd") returned 1 [0081.516] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.516] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.020.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.516] GetTickCount () returned 0x1154b0f [0081.516] GetTickCount () returned 0x1154b0f [0081.516] GetTickCount () returned 0x1154b0f [0081.516] GetTickCount () returned 0x1154b0f [0081.516] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.516] GetProcessHeap () returned 0x3a00000 [0081.516] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.516] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.518] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.518] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.518] GetProcessHeap () returned 0x3a00000 [0081.518] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.518] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.518] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.518] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.518] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.518] CloseHandle (hObject=0x434) returned 1 [0081.518] GetProcessHeap () returned 0x3a00000 [0081.518] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.518] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.518] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.020.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.020.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.519] GetProcessHeap () returned 0x3a00000 [0081.519] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.519] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x22cb9437, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x911dff9b, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.021.etl", cAlternateFileName="UP0CB7~1.ETL")) returned 1 [0081.519] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="Windows") returned -1 [0081.519] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="$Recycle.bin") returned 1 [0081.519] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="System Volume Information") returned 1 [0081.519] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="Program Files") returned 1 [0081.519] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="Program Files (x86)") returned 1 [0081.519] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl") returned 68 [0081.519] StrStrIW (lpFirst="UpdateSessionOrchestration.021.etl", lpSrch=".ebal") returned 0x0 [0081.519] lstrcmpW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.519] lstrcmpW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="taridd") returned 1 [0081.519] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.519] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.021.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.520] GetTickCount () returned 0x1154b0f [0081.520] GetTickCount () returned 0x1154b0f [0081.520] GetTickCount () returned 0x1154b0f [0081.520] GetTickCount () returned 0x1154b0f [0081.520] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.520] GetProcessHeap () returned 0x3a00000 [0081.520] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.520] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.521] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.521] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.521] GetProcessHeap () returned 0x3a00000 [0081.522] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.522] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.522] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.522] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.522] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.522] CloseHandle (hObject=0x434) returned 1 [0081.522] GetProcessHeap () returned 0x3a00000 [0081.522] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.522] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.522] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.021.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.021.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.523] GetProcessHeap () returned 0x3a00000 [0081.523] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.523] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8f4581c2, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0xb62eafb0, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.022.etl", cAlternateFileName="UPBE04~1.ETL")) returned 1 [0081.523] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="Windows") returned -1 [0081.523] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="$Recycle.bin") returned 1 [0081.523] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="System Volume Information") returned 1 [0081.523] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="Program Files") returned 1 [0081.523] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="Program Files (x86)") returned 1 [0081.523] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl") returned 68 [0081.523] StrStrIW (lpFirst="UpdateSessionOrchestration.022.etl", lpSrch=".ebal") returned 0x0 [0081.523] lstrcmpW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.523] lstrcmpW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="taridd") returned 1 [0081.523] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.523] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.022.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.523] GetTickCount () returned 0x1154b0f [0081.523] GetTickCount () returned 0x1154b0f [0081.523] GetTickCount () returned 0x1154b0f [0081.523] GetTickCount () returned 0x1154b0f [0081.523] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.524] GetProcessHeap () returned 0x3a00000 [0081.524] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.524] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.525] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.525] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.525] GetProcessHeap () returned 0x3a00000 [0081.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.525] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.525] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.526] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.526] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.526] CloseHandle (hObject=0x434) returned 1 [0081.526] GetProcessHeap () returned 0x3a00000 [0081.526] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.526] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.526] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.022.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.022.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.526] GetProcessHeap () returned 0x3a00000 [0081.526] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.527] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7f83b96b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x82808de1, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.023.etl", cAlternateFileName="UPA620~1.ETL")) returned 1 [0081.527] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="Windows") returned -1 [0081.527] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="$Recycle.bin") returned 1 [0081.527] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="System Volume Information") returned 1 [0081.527] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="Program Files") returned 1 [0081.527] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="Program Files (x86)") returned 1 [0081.527] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl") returned 68 [0081.527] StrStrIW (lpFirst="UpdateSessionOrchestration.023.etl", lpSrch=".ebal") returned 0x0 [0081.527] lstrcmpW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.527] lstrcmpW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="taridd") returned 1 [0081.527] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.527] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.023.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.527] GetTickCount () returned 0x1154b0f [0081.527] GetTickCount () returned 0x1154b0f [0081.527] GetTickCount () returned 0x1154b0f [0081.527] GetTickCount () returned 0x1154b0f [0081.527] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.527] GetProcessHeap () returned 0x3a00000 [0081.527] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.528] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.529] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.529] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.529] GetProcessHeap () returned 0x3a00000 [0081.529] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.529] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.529] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.529] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.529] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.530] CloseHandle (hObject=0x434) returned 1 [0081.530] GetProcessHeap () returned 0x3a00000 [0081.530] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.530] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.530] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.023.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.023.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.531] GetProcessHeap () returned 0x3a00000 [0081.531] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.531] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcae2810e, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xf21e09d1, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.024.etl", cAlternateFileName="UP14AB~1.ETL")) returned 1 [0081.531] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="Windows") returned -1 [0081.531] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="$Recycle.bin") returned 1 [0081.531] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="System Volume Information") returned 1 [0081.531] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="Program Files") returned 1 [0081.531] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="Program Files (x86)") returned 1 [0081.531] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl") returned 68 [0081.531] StrStrIW (lpFirst="UpdateSessionOrchestration.024.etl", lpSrch=".ebal") returned 0x0 [0081.531] lstrcmpW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.531] lstrcmpW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="taridd") returned 1 [0081.531] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.531] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.024.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.531] GetTickCount () returned 0x1154b1f [0081.531] GetTickCount () returned 0x1154b1f [0081.531] GetTickCount () returned 0x1154b1f [0081.531] GetTickCount () returned 0x1154b1f [0081.532] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.532] GetProcessHeap () returned 0x3a00000 [0081.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.532] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.550] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.550] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.550] GetProcessHeap () returned 0x3a00000 [0081.550] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.550] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.550] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.551] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.551] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.551] CloseHandle (hObject=0x434) returned 1 [0081.551] GetProcessHeap () returned 0x3a00000 [0081.551] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.551] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.551] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.024.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.024.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.552] GetProcessHeap () returned 0x3a00000 [0081.552] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.552] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcd491119, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x2e5f9ec7, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.025.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0081.552] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="Windows") returned -1 [0081.552] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="$Recycle.bin") returned 1 [0081.552] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="System Volume Information") returned 1 [0081.552] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="Program Files") returned 1 [0081.552] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="Program Files (x86)") returned 1 [0081.552] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl") returned 68 [0081.552] StrStrIW (lpFirst="UpdateSessionOrchestration.025.etl", lpSrch=".ebal") returned 0x0 [0081.552] lstrcmpW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.552] lstrcmpW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="taridd") returned 1 [0081.552] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.552] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.025.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.553] GetTickCount () returned 0x1154b2e [0081.553] GetTickCount () returned 0x1154b2e [0081.553] GetTickCount () returned 0x1154b2e [0081.553] GetTickCount () returned 0x1154b2e [0081.553] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.553] GetProcessHeap () returned 0x3a00000 [0081.553] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.553] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.554] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.555] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.555] GetProcessHeap () returned 0x3a00000 [0081.555] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.555] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.555] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.555] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.555] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.555] CloseHandle (hObject=0x434) returned 1 [0081.555] GetProcessHeap () returned 0x3a00000 [0081.555] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.555] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.555] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.025.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.025.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.556] GetProcessHeap () returned 0x3a00000 [0081.556] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.556] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb30910b4, ftLastAccessTime.dwHighDateTime=0x1d3278b, ftLastWriteTime.dwLowDateTime=0xe1a1828d, ftLastWriteTime.dwHighDateTime=0x1d3278b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.026.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0081.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="Windows") returned -1 [0081.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="$Recycle.bin") returned 1 [0081.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="System Volume Information") returned 1 [0081.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="Program Files") returned 1 [0081.556] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="Program Files (x86)") returned 1 [0081.556] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl") returned 68 [0081.556] StrStrIW (lpFirst="UpdateSessionOrchestration.026.etl", lpSrch=".ebal") returned 0x0 [0081.556] lstrcmpW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.556] lstrcmpW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="taridd") returned 1 [0081.556] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.556] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.026.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.557] GetTickCount () returned 0x1154b2e [0081.557] GetTickCount () returned 0x1154b2e [0081.557] GetTickCount () returned 0x1154b2e [0081.557] GetTickCount () returned 0x1154b2e [0081.557] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.557] GetProcessHeap () returned 0x3a00000 [0081.557] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.557] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.558] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.559] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.559] GetProcessHeap () returned 0x3a00000 [0081.559] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.559] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.559] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.559] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.559] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.559] CloseHandle (hObject=0x434) returned 1 [0081.559] GetProcessHeap () returned 0x3a00000 [0081.559] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.559] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.559] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.026.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.026.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.560] GetProcessHeap () returned 0x3a00000 [0081.560] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.560] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbda7099b, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xe19a12b7, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.027.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0081.560] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="Windows") returned -1 [0081.560] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="$Recycle.bin") returned 1 [0081.560] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="System Volume Information") returned 1 [0081.560] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="Program Files") returned 1 [0081.560] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="Program Files (x86)") returned 1 [0081.560] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl") returned 68 [0081.560] StrStrIW (lpFirst="UpdateSessionOrchestration.027.etl", lpSrch=".ebal") returned 0x0 [0081.560] lstrcmpW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.560] lstrcmpW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="taridd") returned 1 [0081.560] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.560] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.027.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.561] GetTickCount () returned 0x1154b2e [0081.561] GetTickCount () returned 0x1154b2e [0081.561] GetTickCount () returned 0x1154b2e [0081.561] GetTickCount () returned 0x1154b2e [0081.561] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.561] GetProcessHeap () returned 0x3a00000 [0081.561] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.561] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.562] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.562] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.562] GetProcessHeap () returned 0x3a00000 [0081.563] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.563] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.563] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.563] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.563] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.563] CloseHandle (hObject=0x434) returned 1 [0081.563] GetProcessHeap () returned 0x3a00000 [0081.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.563] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.563] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.027.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.027.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.564] GetProcessHeap () returned 0x3a00000 [0081.564] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.564] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa972a1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x266bdfb9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.028.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0081.564] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="Windows") returned -1 [0081.564] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="$Recycle.bin") returned 1 [0081.564] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="System Volume Information") returned 1 [0081.564] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="Program Files") returned 1 [0081.564] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="Program Files (x86)") returned 1 [0081.564] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl") returned 68 [0081.564] StrStrIW (lpFirst="UpdateSessionOrchestration.028.etl", lpSrch=".ebal") returned 0x0 [0081.564] lstrcmpW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.564] lstrcmpW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="taridd") returned 1 [0081.564] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.564] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.028.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.564] GetTickCount () returned 0x1154b3e [0081.564] GetTickCount () returned 0x1154b3e [0081.564] GetTickCount () returned 0x1154b3e [0081.564] GetTickCount () returned 0x1154b3e [0081.564] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.565] GetProcessHeap () returned 0x3a00000 [0081.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.565] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.566] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.566] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.566] GetProcessHeap () returned 0x3a00000 [0081.566] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.566] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.566] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.566] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.566] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.566] CloseHandle (hObject=0x434) returned 1 [0081.567] GetProcessHeap () returned 0x3a00000 [0081.567] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.567] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal") returned 87 [0081.567] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.028.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updatesessionorchestration.028.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.567] GetProcessHeap () returned 0x3a00000 [0081.567] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.567] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x8243765a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x889a9e61, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0081.567] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="Windows") returned -1 [0081.567] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="$Recycle.bin") returned 1 [0081.567] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="System Volume Information") returned 1 [0081.567] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="Program Files") returned 1 [0081.567] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="Program Files (x86)") returned 1 [0081.567] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl") returned 50 [0081.567] StrStrIW (lpFirst="UpdateUx.001.etl", lpSrch=".ebal") returned 0x0 [0081.568] lstrcmpW (lpString1="UpdateUx.001.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.568] lstrcmpW (lpString1="UpdateUx.001.etl", lpString2="taridd") returned 1 [0081.568] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.568] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.568] GetTickCount () returned 0x1154b3e [0081.568] GetTickCount () returned 0x1154b3e [0081.568] GetTickCount () returned 0x1154b3e [0081.568] GetTickCount () returned 0x1154b3e [0081.568] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.568] GetProcessHeap () returned 0x3a00000 [0081.568] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.568] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.570] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2000, lpOverlapped=0x0) returned 1 [0081.570] GetProcessHeap () returned 0x3a00000 [0081.570] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.570] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.570] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.570] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.571] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.571] CloseHandle (hObject=0x434) returned 1 [0081.571] GetProcessHeap () returned 0x3a00000 [0081.571] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.571] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl_r00t_{8ew5f6}.ebal") returned 69 [0081.571] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.001.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.001.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.571] GetProcessHeap () returned 0x3a00000 [0081.571] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.571] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 1 [0081.571] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="Windows") returned -1 [0081.572] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="$Recycle.bin") returned 1 [0081.572] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="System Volume Information") returned 1 [0081.572] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="Program Files") returned 1 [0081.572] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="Program Files (x86)") returned 1 [0081.572] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl") returned 50 [0081.572] StrStrIW (lpFirst="UpdateUx.002.etl", lpSrch=".ebal") returned 0x0 [0081.572] lstrcmpW (lpString1="UpdateUx.002.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.572] lstrcmpW (lpString1="UpdateUx.002.etl", lpString2="taridd") returned 1 [0081.572] StrCmpNW (lpStr1="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.572] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] GetTickCount () returned 0x1154b3e [0081.575] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x2c, dwBufLen=0x80 | out: pbData=0x65af4a8*, pdwDataLen=0x65af558*=0x80) returned 1 [0081.575] GetProcessHeap () returned 0x3a00000 [0081.575] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.575] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.576] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.577] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af55c*=0x2800, lpOverlapped=0x0) returned 1 [0081.577] GetProcessHeap () returned 0x3a00000 [0081.577] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.577] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af55c*=0x300, lpOverlapped=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x434, lpBuffer=0x65af4a8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x65af4a8*, lpNumberOfBytesWritten=0x65af55c*=0x80, lpOverlapped=0x0) returned 1 [0081.577] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af55c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af55c*=0x4, lpOverlapped=0x0) returned 1 [0081.577] CloseHandle (hObject=0x434) returned 1 [0081.577] GetProcessHeap () returned 0x3a00000 [0081.577] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.577] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl_r00t_{8ew5f6}.ebal") returned 69 [0081.577] MoveFileW (lpExistingFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl"), lpNewFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\UpdateUx.002.etl_r00t_{8ew5f6}.ebal" (normalized: "c:\\programdata\\usoshared\\logs\\updateux.002.etl_r00t_{8ew5f6}.ebal")) returned 1 [0081.578] GetProcessHeap () returned 0x3a00000 [0081.578] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.578] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 0 [0081.578] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0081.578] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0081.578] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\usoshared\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.579] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.580] CloseHandle (hObject=0x430) returned 1 [0081.580] GetProcessHeap () returned 0x3a00000 [0081.580] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.580] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeeb92e75, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeeb92e75, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 0 [0081.580] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0081.580] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\USOShared\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0081.580] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\USOShared\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\usoshared\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.581] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.582] CloseHandle (hObject=0x42c) returned 1 [0081.582] GetProcessHeap () returned 0x3a00000 [0081.582] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.582] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0081.582] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Windows") returned 1 [0081.582] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="$Recycle.bin") returned 1 [0081.582] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="System Volume Information") returned 1 [0081.582] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Program Files") returned 1 [0081.582] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Program Files (x86)") returned 1 [0081.582] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices") returned 44 [0081.582] lstrcmpW (lpString1="WindowsHolographicDevices", lpString2=".") returned 1 [0081.582] lstrcmpW (lpString1="WindowsHolographicDevices", lpString2="..") returned 1 [0081.582] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.582] GetProcessHeap () returned 0x3a00000 [0081.582] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.582] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\*") returned 46 [0081.582] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0081.582] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.582] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.582] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.582] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.583] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.583] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\.") returned 46 [0081.583] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.583] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.583] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.583] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.583] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.583] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.583] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.583] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\..") returned 47 [0081.583] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.583] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.583] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 1 [0081.583] lstrcmpiW (lpString1="SpatialStore", lpString2="Windows") returned -1 [0081.583] lstrcmpiW (lpString1="SpatialStore", lpString2="$Recycle.bin") returned 1 [0081.583] lstrcmpiW (lpString1="SpatialStore", lpString2="System Volume Information") returned -1 [0081.583] lstrcmpiW (lpString1="SpatialStore", lpString2="Program Files") returned 1 [0081.583] lstrcmpiW (lpString1="SpatialStore", lpString2="Program Files (x86)") returned 1 [0081.583] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore") returned 57 [0081.583] lstrcmpW (lpString1="SpatialStore", lpString2=".") returned 1 [0081.583] lstrcmpW (lpString1="SpatialStore", lpString2="..") returned 1 [0081.583] lstrcmpW (lpString1="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.583] GetProcessHeap () returned 0x3a00000 [0081.583] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.583] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\*") returned 59 [0081.583] FindFirstFileW (in: lpFileName="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0081.583] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.583] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.584] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.584] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.584] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.584] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\.") returned 59 [0081.584] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.584] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.584] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.584] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.584] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.584] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.584] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.584] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\..") returned 60 [0081.584] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.584] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.584] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0081.584] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.584] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0081.584] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\SpatialStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\windowsholographicdevices\\spatialstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.585] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.586] CloseHandle (hObject=0x430) returned 1 [0081.586] GetProcessHeap () returned 0x3a00000 [0081.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.586] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 0 [0081.586] FindClose (in: hFindFile=0x3a383b8 | out: hFindFile=0x3a383b8) returned 1 [0081.586] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0081.586] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\WindowsHolographicDevices\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\windowsholographicdevices\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.605] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.606] CloseHandle (hObject=0x42c) returned 1 [0081.606] GetProcessHeap () returned 0x3a00000 [0081.606] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.606] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0081.606] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0081.606] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\ProgramData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 50 [0081.606] CreateFileW (lpFileName="\\\\?\\C:\\ProgramData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\programdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0081.607] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0081.608] CloseHandle (hObject=0x428) returned 1 [0081.608] GetProcessHeap () returned 0x3a00000 [0081.608] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0081.608] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0081.608] lstrcmpiW (lpString1="Recovery", lpString2="Windows") returned -1 [0081.608] lstrcmpiW (lpString1="Recovery", lpString2="$Recycle.bin") returned 1 [0081.608] lstrcmpiW (lpString1="Recovery", lpString2="System Volume Information") returned -1 [0081.608] lstrcmpiW (lpString1="Recovery", lpString2="Program Files") returned 1 [0081.609] lstrcmpiW (lpString1="Recovery", lpString2="Program Files (x86)") returned 1 [0081.609] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery") returned 15 [0081.609] lstrcmpW (lpString1="Recovery", lpString2=".") returned 1 [0081.609] lstrcmpW (lpString1="Recovery", lpString2="..") returned 1 [0081.609] lstrcmpW (lpString1="\\\\?\\C:\\Recovery", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.609] GetProcessHeap () returned 0x3a00000 [0081.609] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0081.609] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\*") returned 17 [0081.609] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0081.610] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.610] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.610] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.610] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.610] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.610] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\.") returned 17 [0081.610] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.610] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.610] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.610] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.610] StrCmpNW (lpStr1="\\\\?\\C:\\Recovery\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.610] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\." (normalized: "c:\\recovery\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.610] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.610] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.610] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.610] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.610] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.610] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.611] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\..") returned 18 [0081.611] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.611] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.611] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.611] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.611] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.611] StrCmpNW (lpStr1="\\\\?\\C:\\Recovery\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.611] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.611] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0081.611] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0081.611] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0081.611] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0081.611] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0081.611] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0081.611] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\Logs") returned 20 [0081.611] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0081.611] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0081.611] lstrcmpW (lpString1="\\\\?\\C:\\Recovery\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.611] GetProcessHeap () returned 0x3a00000 [0081.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.611] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Recovery\\Logs\\*") returned 22 [0081.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Recovery\\Logs\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.611] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\Logs\\.") returned 22 [0081.612] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.612] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.612] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.612] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.612] StrCmpNW (lpStr1="\\\\?\\C:\\Recovery\\Logs\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.612] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\Logs\\." (normalized: "c:\\recovery\\logs\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.612] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.612] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.612] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.612] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\Logs\\..") returned 23 [0081.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.612] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.612] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.612] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.612] StrCmpNW (lpStr1="\\\\?\\C:\\Recovery\\Logs\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.612] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\Logs\\.." (normalized: "c:\\recovery"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.612] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0081.612] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0081.612] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 52 [0081.612] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\recovery\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.613] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0081.614] CloseHandle (hObject=0x42c) returned 1 [0081.614] GetProcessHeap () returned 0x3a00000 [0081.614] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.614] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 1 [0081.614] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="Windows") returned -1 [0081.614] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="$Recycle.bin") returned 1 [0081.614] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="System Volume Information") returned -1 [0081.614] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="Program Files") returned 1 [0081.614] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="Program Files (x86)") returned 1 [0081.614] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\ReAgentOld.xml") returned 30 [0081.614] StrStrIW (lpFirst="ReAgentOld.xml", lpSrch=".ebal") returned 0x0 [0081.614] lstrcmpW (lpString1="ReAgentOld.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.614] lstrcmpW (lpString1="ReAgentOld.xml", lpString2="taridd") returned -1 [0081.614] StrCmpNW (lpStr1="\\\\?\\C:\\Recovery\\ReAgentOld.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.614] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0081.615] GetTickCount () returned 0x1154b6d [0081.615] GetTickCount () returned 0x1154b6d [0081.615] GetTickCount () returned 0x1154b6d [0081.615] GetTickCount () returned 0x1154b6d [0081.615] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0081.615] GetProcessHeap () returned 0x3a00000 [0081.615] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0081.615] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0x3ee, lpOverlapped=0x0) returned 1 [0081.616] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xfffffc12, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0081.617] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x3ee, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0x3ee, lpOverlapped=0x0) returned 1 [0081.617] GetProcessHeap () returned 0x3a00000 [0081.617] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0081.617] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.617] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0081.617] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0081.617] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0081.617] CloseHandle (hObject=0x42c) returned 1 [0081.617] GetProcessHeap () returned 0x3a00000 [0081.617] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.617] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Recovery\\ReAgentOld.xml_r00t_{8ew5f6}.ebal") returned 49 [0081.617] MoveFileW (lpExistingFileName="\\\\?\\C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), lpNewFileName="\\\\?\\C:\\Recovery\\ReAgentOld.xml_r00t_{8ew5f6}.ebal" (normalized: "c:\\recovery\\reagentold.xml_r00t_{8ew5f6}.ebal")) returned 1 [0081.618] GetProcessHeap () returned 0x3a00000 [0081.618] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0081.618] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 0 [0081.618] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0081.618] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Recovery\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 47 [0081.618] CreateFileW (lpFileName="\\\\?\\C:\\Recovery\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\recovery\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x428 [0081.619] WriteFile (in: hFile=0x428, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65afa74, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65afa74*=0x3a6, lpOverlapped=0x0) returned 1 [0081.619] CloseHandle (hObject=0x428) returned 1 [0081.620] GetProcessHeap () returned 0x3a00000 [0081.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a44b38 | out: hHeap=0x3a00000) returned 1 [0081.620] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0x47384f2, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0081.620] lstrcmpiW (lpString1="swapfile.sys", lpString2="Windows") returned -1 [0081.620] lstrcmpiW (lpString1="swapfile.sys", lpString2="$Recycle.bin") returned 1 [0081.620] lstrcmpiW (lpString1="swapfile.sys", lpString2="System Volume Information") returned -1 [0081.620] lstrcmpiW (lpString1="swapfile.sys", lpString2="Program Files") returned 1 [0081.620] lstrcmpiW (lpString1="swapfile.sys", lpString2="Program Files (x86)") returned 1 [0081.620] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\swapfile.sys") returned 19 [0081.620] StrStrIW (lpFirst="swapfile.sys", lpSrch=".ebal") returned 0x0 [0081.620] lstrcmpW (lpString1="swapfile.sys", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.620] lstrcmpW (lpString1="swapfile.sys", lpString2="taridd") returned -1 [0081.620] StrCmpNW (lpStr1="\\\\?\\C:\\swapfile.sys", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.620] CreateFileW (lpFileName="\\\\?\\C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.620] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0081.620] lstrcmpiW (lpString1="System Volume Information", lpString2="Windows") returned -1 [0081.620] lstrcmpiW (lpString1="System Volume Information", lpString2="$Recycle.bin") returned 1 [0081.620] lstrcmpiW (lpString1="System Volume Information", lpString2="System Volume Information") returned 0 [0081.620] FindNextFileW (in: hFindFile=0x3a37a78, lpFindFileData=0x65afd30 | out: lpFindFileData=0x65afd30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0081.620] lstrcmpiW (lpString1="Users", lpString2="Windows") returned -1 [0081.620] lstrcmpiW (lpString1="Users", lpString2="$Recycle.bin") returned 1 [0081.620] lstrcmpiW (lpString1="Users", lpString2="System Volume Information") returned 1 [0081.620] lstrcmpiW (lpString1="Users", lpString2="Program Files") returned 1 [0081.620] lstrcmpiW (lpString1="Users", lpString2="Program Files (x86)") returned 1 [0081.620] wnsprintfW (in: pszDest=0x3a35428, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users") returned 12 [0081.620] lstrcmpW (lpString1="Users", lpString2=".") returned 1 [0081.620] lstrcmpW (lpString1="Users", lpString2="..") returned 1 [0081.620] lstrcmpW (lpString1="\\\\?\\C:\\Users", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.620] GetProcessHeap () returned 0x3a00000 [0081.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a44b38 [0081.620] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\*") returned 14 [0081.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\*", lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383b8 [0081.621] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.621] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.621] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.621] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.621] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.621] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\.") returned 14 [0081.621] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.621] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.621] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.621] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.621] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\." (normalized: "c:\\users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.621] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.621] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.621] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.621] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.621] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.621] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.621] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\..") returned 15 [0081.621] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.621] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.621] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.621] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.621] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.621] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.621] CreateFileW (lpFileName="\\\\?\\C:\\Users\\.." (normalized: "c:"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.621] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x8000000, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0081.622] lstrcmpiW (lpString1="All Users", lpString2="Windows") returned -1 [0081.622] lstrcmpiW (lpString1="All Users", lpString2="$Recycle.bin") returned 1 [0081.622] lstrcmpiW (lpString1="All Users", lpString2="System Volume Information") returned -1 [0081.622] lstrcmpiW (lpString1="All Users", lpString2="Program Files") returned -1 [0081.622] lstrcmpiW (lpString1="All Users", lpString2="Program Files (x86)") returned -1 [0081.622] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users") returned 22 [0081.622] lstrcmpW (lpString1="All Users", lpString2=".") returned 1 [0081.622] lstrcmpW (lpString1="All Users", lpString2="..") returned 1 [0081.622] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.622] GetProcessHeap () returned 0x3a00000 [0081.622] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0081.622] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\*") returned 24 [0081.622] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0081.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.622] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\.") returned 24 [0081.622] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.622] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.622] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.622] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.622] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.622] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\." (normalized: "c:\\users\\all users\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.623] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.623] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.623] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.623] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.623] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.623] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.623] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\..") returned 25 [0081.623] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.623] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.623] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.623] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.623] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.623] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.623] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa65b44f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa65b44f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.623] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.623] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.623] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.623] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.623] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.623] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0081.623] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.623] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.623] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0081.623] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0081.623] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0081.623] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0081.623] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0081.623] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0081.623] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe") returned 28 [0081.623] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0081.623] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0081.624] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Adobe", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.624] GetProcessHeap () returned 0x3a00000 [0081.624] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.624] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\*") returned 30 [0081.624] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0081.624] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.624] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.624] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.624] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.624] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.624] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\.") returned 30 [0081.624] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.624] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.624] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.624] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.624] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.624] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.624] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.624] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\..") returned 31 [0081.624] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.624] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.624] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.624] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.624] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.625] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.625] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.625] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.625] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0081.625] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.625] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.625] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 1 [0081.625] lstrcmpiW (lpString1="ARM", lpString2="Windows") returned -1 [0081.625] lstrcmpiW (lpString1="ARM", lpString2="$Recycle.bin") returned 1 [0081.625] lstrcmpiW (lpString1="ARM", lpString2="System Volume Information") returned -1 [0081.625] lstrcmpiW (lpString1="ARM", lpString2="Program Files") returned -1 [0081.625] lstrcmpiW (lpString1="ARM", lpString2="Program Files (x86)") returned -1 [0081.625] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM") returned 32 [0081.625] lstrcmpW (lpString1="ARM", lpString2=".") returned 1 [0081.625] lstrcmpW (lpString1="ARM", lpString2="..") returned 1 [0081.625] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.625] GetProcessHeap () returned 0x3a00000 [0081.625] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.625] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*") returned 34 [0081.625] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.625] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.625] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.625] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.625] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.625] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.625] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\.") returned 34 [0081.625] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.625] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.625] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.625] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.626] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.626] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.626] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.626] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\..") returned 35 [0081.626] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.626] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.626] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.626] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.626] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.626] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.626] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.626] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.626] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0081.626] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.626] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.626] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.007.20033", cAlternateFileName="READER~1.200")) returned 1 [0081.626] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Windows") returned -1 [0081.626] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="$Recycle.bin") returned 1 [0081.626] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="System Volume Information") returned -1 [0081.626] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files") returned 1 [0081.626] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="Program Files (x86)") returned 1 [0081.626] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033") returned 52 [0081.626] lstrcmpW (lpString1="Reader_15.007.20033", lpString2=".") returned 1 [0081.626] lstrcmpW (lpString1="Reader_15.007.20033", lpString2="..") returned 1 [0081.626] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.626] GetProcessHeap () returned 0x3a00000 [0081.626] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.626] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*") returned 54 [0081.626] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.627] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.627] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.627] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.627] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.627] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.627] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\.") returned 54 [0081.628] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.628] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.628] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.628] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.628] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.628] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.628] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\..") returned 55 [0081.628] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.628] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.628] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ab016c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ab016c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.628] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.628] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.628] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.628] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.628] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.628] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.628] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.628] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ab016c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ab016c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.628] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.628] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.628] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_15.007.20033\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.629] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.630] CloseHandle (hObject=0x438) returned 1 [0081.630] GetProcessHeap () returned 0x3a00000 [0081.630] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.630] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Reader_15.023.20070", cAlternateFileName="READER~2.200")) returned 1 [0081.630] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Windows") returned -1 [0081.630] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="$Recycle.bin") returned 1 [0081.630] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="System Volume Information") returned -1 [0081.630] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files") returned 1 [0081.630] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="Program Files (x86)") returned 1 [0081.630] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070") returned 52 [0081.630] lstrcmpW (lpString1="Reader_15.023.20070", lpString2=".") returned 1 [0081.630] lstrcmpW (lpString1="Reader_15.023.20070", lpString2="..") returned 1 [0081.631] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.631] GetProcessHeap () returned 0x3a00000 [0081.631] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.631] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*") returned 54 [0081.631] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0081.631] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.631] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.631] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.631] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.631] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.631] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\.") returned 54 [0081.631] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.631] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0ab016c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.631] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.631] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.631] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.631] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.631] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.631] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\..") returned 55 [0081.631] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.631] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.631] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ab016c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ab016c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.631] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.631] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.631] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.631] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.631] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.631] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.631] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.631] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.632] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ab016c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ab016c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.632] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0081.632] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\reader_15.023.20070\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.633] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.633] CloseHandle (hObject=0x438) returned 1 [0081.634] GetProcessHeap () returned 0x3a00000 [0081.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.634] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 1 [0081.634] lstrcmpiW (lpString1="S", lpString2="Windows") returned -1 [0081.634] lstrcmpiW (lpString1="S", lpString2="$Recycle.bin") returned 1 [0081.634] lstrcmpiW (lpString1="S", lpString2="System Volume Information") returned -1 [0081.634] lstrcmpiW (lpString1="S", lpString2="Program Files") returned 1 [0081.634] lstrcmpiW (lpString1="S", lpString2="Program Files (x86)") returned 1 [0081.634] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S") returned 34 [0081.634] lstrcmpW (lpString1="S", lpString2=".") returned 1 [0081.634] lstrcmpW (lpString1="S", lpString2="..") returned 1 [0081.634] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.634] GetProcessHeap () returned 0x3a00000 [0081.634] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.634] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\*") returned 36 [0081.634] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0081.634] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.634] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.634] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.634] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.634] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.634] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\.") returned 36 [0081.634] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.634] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.634] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.634] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.634] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.634] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.634] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.634] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\..") returned 37 [0081.634] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.635] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0081.635] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.635] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.635] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.635] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0081.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0081.635] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\S\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\s\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.636] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.637] CloseHandle (hObject=0x438) returned 1 [0081.637] GetProcessHeap () returned 0x3a00000 [0081.637] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.637] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S", cAlternateFileName="")) returned 0 [0081.637] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0081.637] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0081.637] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\ARM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\adobe\\arm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.638] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.639] CloseHandle (hObject=0x434) returned 1 [0081.639] GetProcessHeap () returned 0x3a00000 [0081.639] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.639] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ARM", cAlternateFileName="")) returned 0 [0081.639] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0081.639] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0081.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\adobe\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.644] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.644] CloseHandle (hObject=0x430) returned 1 [0081.644] GetProcessHeap () returned 0x3a00000 [0081.645] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.645] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0081.645] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0081.645] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0081.645] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0081.645] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0081.645] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0081.645] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data") returned 39 [0081.645] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0081.645] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0081.645] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.645] GetProcessHeap () returned 0x3a00000 [0081.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.645] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Application Data\\*") returned 41 [0081.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Application Data\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AR?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0081.645] GetProcessHeap () returned 0x3a00000 [0081.645] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.645] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Comms", cAlternateFileName="")) returned 1 [0081.645] lstrcmpiW (lpString1="Comms", lpString2="Windows") returned -1 [0081.645] lstrcmpiW (lpString1="Comms", lpString2="$Recycle.bin") returned 1 [0081.645] lstrcmpiW (lpString1="Comms", lpString2="System Volume Information") returned -1 [0081.645] lstrcmpiW (lpString1="Comms", lpString2="Program Files") returned -1 [0081.645] lstrcmpiW (lpString1="Comms", lpString2="Program Files (x86)") returned -1 [0081.645] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms") returned 28 [0081.645] lstrcmpW (lpString1="Comms", lpString2=".") returned 1 [0081.645] lstrcmpW (lpString1="Comms", lpString2="..") returned 1 [0081.645] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Comms", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.645] GetProcessHeap () returned 0x3a00000 [0081.645] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.645] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\*") returned 30 [0081.645] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Comms\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0081.646] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.646] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.646] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.646] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.646] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.646] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\.") returned 30 [0081.646] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.646] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.646] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.646] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.646] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.646] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.646] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\..") returned 31 [0081.646] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.646] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.646] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.646] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.646] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.646] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.646] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.646] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0081.646] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.646] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.646] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0081.647] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0081.647] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\comms\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0081.651] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0081.651] CloseHandle (hObject=0x430) returned 1 [0081.652] GetProcessHeap () returned 0x3a00000 [0081.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.652] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Desktop", cAlternateFileName="")) returned 1 [0081.652] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0081.652] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0081.652] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0081.652] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0081.652] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0081.652] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop") returned 30 [0081.652] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0081.652] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0081.652] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Desktop", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.652] GetProcessHeap () returned 0x3a00000 [0081.652] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.652] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Desktop\\*") returned 32 [0081.652] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Desktop\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="--?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0081.652] GetProcessHeap () returned 0x3a00000 [0081.652] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.652] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0081.652] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0081.652] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0081.652] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0081.652] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0081.652] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0081.652] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents") returned 32 [0081.652] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0081.652] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0081.652] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.653] GetProcessHeap () returned 0x3a00000 [0081.653] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.653] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Documents\\*") returned 34 [0081.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Documents\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0ad65d7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0ad65d7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0ad65d7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="--?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0081.653] GetProcessHeap () returned 0x3a00000 [0081.653] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0081.653] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0081.653] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0081.653] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0081.653] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0081.653] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0081.653] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0081.653] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft") returned 32 [0081.653] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0081.653] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0081.653] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.653] GetProcessHeap () returned 0x3a00000 [0081.653] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0081.653] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\*") returned 34 [0081.653] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0081.653] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.653] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.653] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.653] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.653] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.653] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\.") returned 34 [0081.653] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.653] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.653] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.653] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.653] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\." (normalized: "c:\\users\\all users\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.654] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.654] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.654] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.654] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.654] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.654] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.654] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\..") returned 35 [0081.654] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.654] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.654] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.654] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.654] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.654] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\.." (normalized: "c:\\users\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.654] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf98cc013, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf98cc013, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.654] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.654] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.654] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.654] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.654] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.654] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0081.654] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.654] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.654] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppV", cAlternateFileName="")) returned 1 [0081.654] lstrcmpiW (lpString1="AppV", lpString2="Windows") returned -1 [0081.654] lstrcmpiW (lpString1="AppV", lpString2="$Recycle.bin") returned 1 [0081.654] lstrcmpiW (lpString1="AppV", lpString2="System Volume Information") returned -1 [0081.654] lstrcmpiW (lpString1="AppV", lpString2="Program Files") returned -1 [0081.654] lstrcmpiW (lpString1="AppV", lpString2="Program Files (x86)") returned -1 [0081.655] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV") returned 37 [0081.655] lstrcmpW (lpString1="AppV", lpString2=".") returned 1 [0081.655] lstrcmpW (lpString1="AppV", lpString2="..") returned 1 [0081.655] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.655] GetProcessHeap () returned 0x3a00000 [0081.655] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.655] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\*") returned 39 [0081.655] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0081.655] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.655] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.655] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.655] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.655] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.655] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\.") returned 39 [0081.655] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.655] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d3d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.655] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.655] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.655] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.655] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.655] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.655] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\..") returned 40 [0081.655] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.656] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.656] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0afc867, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0afc867, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.656] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.656] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.656] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.656] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.656] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.656] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0081.656] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.656] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.656] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 1 [0081.656] lstrcmpiW (lpString1="Setup", lpString2="Windows") returned -1 [0081.656] lstrcmpiW (lpString1="Setup", lpString2="$Recycle.bin") returned 1 [0081.656] lstrcmpiW (lpString1="Setup", lpString2="System Volume Information") returned -1 [0081.656] lstrcmpiW (lpString1="Setup", lpString2="Program Files") returned 1 [0081.656] lstrcmpiW (lpString1="Setup", lpString2="Program Files (x86)") returned 1 [0081.656] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup") returned 43 [0081.656] lstrcmpW (lpString1="Setup", lpString2=".") returned 1 [0081.656] lstrcmpW (lpString1="Setup", lpString2="..") returned 1 [0081.656] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.656] GetProcessHeap () returned 0x3a00000 [0081.656] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.656] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\*") returned 45 [0081.656] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0081.656] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.656] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.656] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.656] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.656] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.656] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\.") returned 45 [0081.656] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.656] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.657] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.657] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.657] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\." (normalized: "c:\\users\\all users\\microsoft\\appv\\setup\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.657] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.657] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.657] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.657] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.657] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.657] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.657] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\..") returned 46 [0081.657] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.657] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.657] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.657] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.657] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.657] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.657] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\.." (normalized: "c:\\users\\all users\\microsoft\\appv"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.657] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0afc867, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0afc867, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0afc867, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.657] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.657] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.657] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.657] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.657] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.657] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.657] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.657] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.657] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 1 [0081.657] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Windows") returned -1 [0081.658] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="$Recycle.bin") returned 1 [0081.658] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="System Volume Information") returned -1 [0081.658] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files") returned -1 [0081.658] lstrcmpiW (lpString1="OfficeIntegrator.ps1", lpString2="Program Files (x86)") returned -1 [0081.658] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1") returned 64 [0081.658] StrStrIW (lpFirst="OfficeIntegrator.ps1", lpSrch=".ebal") returned 0x0 [0081.658] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.658] lstrcmpW (lpString1="OfficeIntegrator.ps1", lpString2="taridd") returned -1 [0081.658] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\OfficeIntegrator.ps1" (normalized: "c:\\users\\all users\\microsoft\\appv\\setup\\officeintegrator.ps1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.658] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x799dd27b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe2889e45, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe2889e45, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="OfficeIntegrator.ps1", cAlternateFileName="")) returned 0 [0081.658] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0081.658] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.658] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\Setup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\appv\\setup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.659] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.660] CloseHandle (hObject=0x438) returned 1 [0081.660] GetProcessHeap () returned 0x3a00000 [0081.660] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.660] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbcb1d9bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Setup", cAlternateFileName="")) returned 0 [0081.660] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0081.660] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0081.660] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\AppV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\appv\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.661] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.662] CloseHandle (hObject=0x434) returned 1 [0081.662] GetProcessHeap () returned 0x3a00000 [0081.662] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.662] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf0cec454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cec454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0081.662] lstrcmpiW (lpString1="ClickToRun", lpString2="Windows") returned -1 [0081.662] lstrcmpiW (lpString1="ClickToRun", lpString2="$Recycle.bin") returned 1 [0081.662] lstrcmpiW (lpString1="ClickToRun", lpString2="System Volume Information") returned -1 [0081.662] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files") returned -1 [0081.662] lstrcmpiW (lpString1="ClickToRun", lpString2="Program Files (x86)") returned -1 [0081.662] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun") returned 43 [0081.663] lstrcmpW (lpString1="ClickToRun", lpString2=".") returned 1 [0081.663] lstrcmpW (lpString1="ClickToRun", lpString2="..") returned 1 [0081.663] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.663] GetProcessHeap () returned 0x3a00000 [0081.663] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.663] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*") returned 45 [0081.663] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf0cec454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.663] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.663] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.663] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.663] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.663] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.663] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\.") returned 45 [0081.663] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.663] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c2b2f4, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf0cec454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.663] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.663] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.663] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.663] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.663] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.663] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\..") returned 46 [0081.663] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.663] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.663] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13a104c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.663] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.663] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.664] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.664] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xe6a7c64d, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", cAlternateFileName="0D0D4E~1")) returned 1 [0081.664] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Windows") returned -1 [0081.664] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="$Recycle.bin") returned 1 [0081.664] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="System Volume Information") returned -1 [0081.664] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files") returned -1 [0081.664] lstrcmpiW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="Program Files (x86)") returned -1 [0081.664] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4") returned 80 [0081.664] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2=".") returned 1 [0081.664] lstrcmpW (lpString1="0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="..") returned 1 [0081.664] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.664] GetProcessHeap () returned 0x3a00000 [0081.664] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.664] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*") returned 82 [0081.664] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0081.664] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.664] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.664] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.664] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.664] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.664] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\.") returned 82 [0081.664] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.664] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a7c64d, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.664] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.664] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.664] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.664] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.664] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.664] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\..") returned 83 [0081.664] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.664] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.665] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0bbb1bf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.665] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.665] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.665] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.665] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.665] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.665] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.665] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.665] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.665] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0b94f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0081.665] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0081.665] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0081.665] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0081.665] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0081.665] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0081.665] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16") returned 89 [0081.665] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0081.665] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0081.665] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.665] GetProcessHeap () returned 0x3a00000 [0081.665] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*") returned 91 [0081.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0b94f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0081.665] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.665] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.665] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.665] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.665] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\.") returned 91 [0081.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.665] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0b94f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.665] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.665] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.666] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.666] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.666] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.666] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\..") returned 92 [0081.666] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.666] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.666] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0b94f57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0b94f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.666] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.666] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.666] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.666] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.666] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.666] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.666] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.666] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.666] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0b6efd3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.666] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.666] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.666] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.666] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.666] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.666] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0081.666] StrStrIW (lpFirst="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.666] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0b6efd3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S64103~1.EBA")) returned 1 [0081.666] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.666] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.666] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.666] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.666] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.666] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 121 [0081.666] StrStrIW (lpFirst="s641033.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.666] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.666] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.666] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.666] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.666] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.667] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.667] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 133 [0081.667] StrStrIW (lpFirst="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.667] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a5650a, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a5650a, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.667] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0081.667] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.668] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.669] CloseHandle (hObject=0x43c) returned 1 [0081.669] GetProcessHeap () returned 0x3a00000 [0081.669] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.669] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0081.669] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0081.669] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0081.669] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0081.669] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0081.669] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0081.669] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16") returned 90 [0081.669] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0081.669] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0081.669] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.669] GetProcessHeap () returned 0x3a00000 [0081.669] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.669] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*") returned 92 [0081.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0081.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.670] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.670] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.670] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\.") returned 92 [0081.670] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.670] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.670] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.670] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.670] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.670] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\..") returned 93 [0081.670] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.670] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.670] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0bbb1bf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.670] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.670] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.670] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.670] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.670] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.670] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.670] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a09ff9, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a09ff9, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0b94f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5595, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.670] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.670] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.670] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.670] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 137 [0081.670] StrStrIW (lpFirst="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.670] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S640HA~1.EBA")) returned 1 [0081.670] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.670] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.670] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.671] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.671] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.671] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 119 [0081.671] StrStrIW (lpFirst="s640.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.671] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.671] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.671] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.671] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.671] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.671] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.671] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 135 [0081.671] StrStrIW (lpFirst="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.671] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe6a302bd, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xe6a302bd, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.671] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0081.671] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.671] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.672] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.673] CloseHandle (hObject=0x43c) returned 1 [0081.673] GetProcessHeap () returned 0x3a00000 [0081.673] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.673] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe68ff039, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xf0bbb1bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0bbb1bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0081.673] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0081.673] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.674] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\0D0D4EEB-DC03-4B3F-88DF-959FE1EDE5F4\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\0d0d4eeb-dc03-4b3f-88df-959fe1ede5f4\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.674] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.675] CloseHandle (hObject=0x438) returned 1 [0081.675] GetProcessHeap () returned 0x3a00000 [0081.675] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.676] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0x96ee74e6, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", cAlternateFileName="19B111~1")) returned 1 [0081.676] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Windows") returned -1 [0081.676] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="$Recycle.bin") returned 1 [0081.676] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="System Volume Information") returned -1 [0081.676] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files") returned -1 [0081.676] lstrcmpiW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="Program Files (x86)") returned -1 [0081.676] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0") returned 80 [0081.676] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2=".") returned 1 [0081.676] lstrcmpW (lpString1="19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="..") returned 1 [0081.676] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.676] GetProcessHeap () returned 0x3a00000 [0081.676] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.676] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*") returned 82 [0081.676] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.676] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.676] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.676] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.676] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.676] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.676] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\.") returned 82 [0081.676] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.676] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ee74e6, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.676] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.676] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.676] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.676] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.676] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.676] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\..") returned 83 [0081.676] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.677] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0c2d98a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c53dd1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.677] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.677] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.677] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.677] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.677] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.677] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.677] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.677] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.677] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0be13c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0be13c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0081.677] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0081.677] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0081.677] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0081.677] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0081.677] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0081.677] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16") returned 89 [0081.677] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0081.677] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0081.677] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.677] GetProcessHeap () returned 0x3a00000 [0081.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.677] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*") returned 91 [0081.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0be13c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c07689, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0081.677] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.677] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\.") returned 91 [0081.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.677] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0be13c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c07689, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.678] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.678] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.678] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.678] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.678] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\..") returned 92 [0081.678] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.678] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0c07689, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0c07689, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c07689, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.678] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.678] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.678] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.678] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.678] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.678] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.678] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.678] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0be13c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.678] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.678] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.678] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.678] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.678] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0081.678] StrStrIW (lpFirst="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.678] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0be13c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S64103~1.EBA")) returned 1 [0081.678] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.678] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.678] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.678] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.678] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 121 [0081.678] StrStrIW (lpFirst="s641033.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.678] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0be13c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.678] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.678] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.679] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.679] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.679] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 133 [0081.679] StrStrIW (lpFirst="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.679] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96ec13b1, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96ec13b1, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0be13c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.679] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0081.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.680] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.681] CloseHandle (hObject=0x43c) returned 1 [0081.681] GetProcessHeap () returned 0x3a00000 [0081.681] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.681] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0081.681] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0081.681] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0081.681] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0081.681] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0081.681] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0081.681] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16") returned 90 [0081.681] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0081.681] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0081.681] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.681] GetProcessHeap () returned 0x3a00000 [0081.681] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.681] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*") returned 92 [0081.681] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0081.681] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.681] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.681] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.681] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.681] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.682] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\.") returned 92 [0081.682] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.682] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.682] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.682] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.682] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.682] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.682] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.682] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\..") returned 93 [0081.682] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.682] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.682] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0c2d98a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.682] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.682] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.682] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.682] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.682] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.682] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.682] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.682] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.682] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c07689, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5595, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.682] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.682] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.682] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.682] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.682] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.682] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 137 [0081.682] StrStrIW (lpFirst="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.682] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S640HA~1.EBA")) returned 1 [0081.682] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.682] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.682] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.682] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.682] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.682] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 119 [0081.682] StrStrIW (lpFirst="s640.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.683] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.683] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.683] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.683] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.683] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.683] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.683] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 135 [0081.683] StrStrIW (lpFirst="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.683] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e74e13, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x96e74e13, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.683] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0081.683] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.684] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.685] CloseHandle (hObject=0x43c) returned 1 [0081.685] GetProcessHeap () returned 0x3a00000 [0081.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.685] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x96d43d48, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0xf0c2d98a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c2d98a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0081.685] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.685] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.685] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\19B11135-37BD-4FA1-A78E-C20CA2BDA1C0\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\19b11135-37bd-4fa1-a78e-c20ca2bda1c0\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.686] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.699] CloseHandle (hObject=0x438) returned 1 [0081.699] GetProcessHeap () returned 0x3a00000 [0081.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.699] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8300c739, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", cAlternateFileName="201EB7~1")) returned 1 [0081.699] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Windows") returned -1 [0081.699] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="$Recycle.bin") returned 1 [0081.700] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="System Volume Information") returned -1 [0081.700] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files") returned -1 [0081.700] lstrcmpiW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="Program Files (x86)") returned -1 [0081.700] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6") returned 80 [0081.700] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2=".") returned 1 [0081.700] lstrcmpW (lpString1="201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="..") returned 1 [0081.700] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.700] GetProcessHeap () returned 0x3a00000 [0081.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.700] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*") returned 82 [0081.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.700] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.700] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.700] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.700] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.700] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.700] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\.") returned 82 [0081.700] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.700] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8300c739, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.700] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.700] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.700] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\..") returned 83 [0081.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.700] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0cc6243, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.701] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.701] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.701] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.701] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.701] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.701] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.701] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.701] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0c79db9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0081.701] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0081.701] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0081.701] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0081.701] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0081.701] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0081.701] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16") returned 89 [0081.701] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0081.701] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0081.701] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.701] GetProcessHeap () returned 0x3a00000 [0081.701] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.701] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*") returned 91 [0081.701] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0c79db9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0081.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.701] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\.") returned 91 [0081.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.701] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f016ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0c79db9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.702] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\..") returned 92 [0081.702] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.702] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.702] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0c79db9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0c79db9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.702] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.702] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.702] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.702] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.702] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.702] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.702] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.702] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0c53dd1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.702] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.702] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.702] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.702] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.702] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 135 [0081.702] StrStrIW (lpFirst="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.702] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0c53dd1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s641033.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S64103~1.EBA")) returned 1 [0081.702] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.702] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.702] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.702] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.702] lstrcmpiW (lpString1="s641033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\s641033.hash_r00t_{8ew5f6}.ebal") returned 121 [0081.702] StrStrIW (lpFirst="s641033.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.702] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.702] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.702] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.702] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.702] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.702] lstrcmpiW (lpString1="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 133 [0081.702] StrStrIW (lpFirst="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.703] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82f73dd4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82f73dd4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0c79db9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd7b48, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.703] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0081.703] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.703] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.704] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.705] CloseHandle (hObject=0x43c) returned 1 [0081.705] GetProcessHeap () returned 0x3a00000 [0081.705] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.705] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0081.705] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0081.705] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0081.705] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0081.705] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0081.705] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0081.705] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16") returned 90 [0081.705] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0081.705] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0081.705] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.705] GetProcessHeap () returned 0x3a00000 [0081.705] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.705] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*") returned 92 [0081.705] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.705] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.706] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.706] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.706] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\.") returned 92 [0081.706] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.706] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.706] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.706] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.706] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.706] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\..") returned 93 [0081.706] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.706] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.706] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0cc6243, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.706] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.706] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.706] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.706] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.706] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.706] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.706] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ca01d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5595, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.706] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.706] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.706] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.706] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 137 [0081.706] StrStrIW (lpFirst="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.706] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ca01d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s640.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S640HA~1.EBA")) returned 1 [0081.706] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.706] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.706] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.707] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.707] lstrcmpiW (lpString1="s640.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.707] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\s640.hash_r00t_{8ew5f6}.ebal") returned 119 [0081.707] StrStrIW (lpFirst="s640.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.707] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.707] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.707] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.707] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.707] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.707] lstrcmpiW (lpString1="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.707] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 135 [0081.707] StrStrIW (lpFirst="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.707] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82fc026f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x82fc026f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384b8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x64.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.707] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.707] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 122 [0081.707] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.708] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.709] CloseHandle (hObject=0x43c) returned 1 [0081.709] GetProcessHeap () returned 0x3a00000 [0081.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.709] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82f9a029, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0cc6243, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0081.709] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.709] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0081.709] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\201EB7DF-C721-4B8B-9C81-A09DE7F931E6\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\201eb7df-c721-4b8b-9c81-a09de7f931e6\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.710] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.711] CloseHandle (hObject=0x438) returned 1 [0081.711] GetProcessHeap () returned 0x3a00000 [0081.711] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.711] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc3dbb3c9, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8512127a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb3a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="DEPLOY~1.EBA")) returned 1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.711] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal") returned 85 [0081.711] StrStrIW (lpFirst="DeploymentConfig.0.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.711] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b22dc95, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa011b19, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0cc6243, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb38, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="DEPLOY~2.EBA")) returned 1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.711] lstrcmpiW (lpString1="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.712] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal") returned 85 [0081.712] StrStrIW (lpFirst="DeploymentConfig.1.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.712] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x534ee362, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x3c4413a9, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0xf0cec454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x8ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="DEPLOY~3.EBA")) returned 1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.712] lstrcmpiW (lpString1="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.712] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal") returned 85 [0081.712] StrStrIW (lpFirst="DeploymentConfig.2.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.712] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineData", cAlternateFileName="MACHIN~1")) returned 1 [0081.712] lstrcmpiW (lpString1="MachineData", lpString2="Windows") returned -1 [0081.712] lstrcmpiW (lpString1="MachineData", lpString2="$Recycle.bin") returned 1 [0081.712] lstrcmpiW (lpString1="MachineData", lpString2="System Volume Information") returned -1 [0081.712] lstrcmpiW (lpString1="MachineData", lpString2="Program Files") returned -1 [0081.712] lstrcmpiW (lpString1="MachineData", lpString2="Program Files (x86)") returned -1 [0081.712] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData") returned 55 [0081.712] lstrcmpW (lpString1="MachineData", lpString2=".") returned 1 [0081.712] lstrcmpW (lpString1="MachineData", lpString2="..") returned 1 [0081.712] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.712] GetProcessHeap () returned 0x3a00000 [0081.712] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.712] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*") returned 57 [0081.712] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.712] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.712] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.712] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.712] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.713] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\.") returned 57 [0081.713] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.713] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.713] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.713] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.713] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.713] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.713] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\..") returned 58 [0081.713] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.713] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.713] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d5edb8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d5edb8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.713] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.713] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.713] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.713] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.713] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.713] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.713] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.713] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Catalog", cAlternateFileName="")) returned 1 [0081.713] lstrcmpiW (lpString1="Catalog", lpString2="Windows") returned -1 [0081.713] lstrcmpiW (lpString1="Catalog", lpString2="$Recycle.bin") returned 1 [0081.713] lstrcmpiW (lpString1="Catalog", lpString2="System Volume Information") returned -1 [0081.713] lstrcmpiW (lpString1="Catalog", lpString2="Program Files") returned -1 [0081.713] lstrcmpiW (lpString1="Catalog", lpString2="Program Files (x86)") returned -1 [0081.713] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog") returned 63 [0081.713] lstrcmpW (lpString1="Catalog", lpString2=".") returned 1 [0081.713] lstrcmpW (lpString1="Catalog", lpString2="..") returned 1 [0081.713] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.713] GetProcessHeap () returned 0x3a00000 [0081.713] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.713] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*") returned 65 [0081.713] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0081.714] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.714] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.714] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.714] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.714] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.714] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\.") returned 65 [0081.714] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.714] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.714] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.714] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.714] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.714] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.714] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.714] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\..") returned 66 [0081.714] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.714] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.714] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d38c66, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.714] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.714] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.714] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.714] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.714] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.714] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0081.714] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.714] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.714] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 1 [0081.714] lstrcmpiW (lpString1="Packages", lpString2="Windows") returned -1 [0081.714] lstrcmpiW (lpString1="Packages", lpString2="$Recycle.bin") returned 1 [0081.714] lstrcmpiW (lpString1="Packages", lpString2="System Volume Information") returned -1 [0081.714] lstrcmpiW (lpString1="Packages", lpString2="Program Files") returned -1 [0081.714] lstrcmpiW (lpString1="Packages", lpString2="Program Files (x86)") returned -1 [0081.714] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages") returned 72 [0081.714] lstrcmpW (lpString1="Packages", lpString2=".") returned 1 [0081.714] lstrcmpW (lpString1="Packages", lpString2="..") returned 1 [0081.715] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.715] GetProcessHeap () returned 0x3a00000 [0081.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*") returned 74 [0081.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0081.715] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.715] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.715] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.715] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.715] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\.") returned 74 [0081.715] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.715] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.715] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.715] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.715] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.715] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.715] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\..") returned 75 [0081.715] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.715] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.715] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d38c66, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.715] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.715] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.715] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.715] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.715] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0081.715] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.715] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.715] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0081.715] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0081.716] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0081.716] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0081.716] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0081.716] lstrcmpiW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0081.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}") returned 111 [0081.716] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2=".") returned 1 [0081.716] lstrcmpW (lpString1="{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="..") returned 1 [0081.716] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.716] GetProcessHeap () returned 0x3a00000 [0081.716] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0081.716] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*") returned 113 [0081.716] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0081.716] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.716] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.716] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.716] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.716] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.716] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\.") returned 113 [0081.716] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.716] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.716] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.716] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.716] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.716] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.716] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.716] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\..") returned 114 [0081.716] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.716] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.716] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d38c66, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.716] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.716] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.717] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.717] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.717] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.717] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 143 [0081.717] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.717] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.717] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 1 [0081.717] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Windows") returned -1 [0081.717] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="$Recycle.bin") returned 1 [0081.717] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="System Volume Information") returned -1 [0081.717] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files") returned -1 [0081.717] lstrcmpiW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="Program Files (x86)") returned -1 [0081.717] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}") returned 150 [0081.717] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2=".") returned 1 [0081.717] lstrcmpW (lpString1="{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="..") returned 1 [0081.717] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.717] GetProcessHeap () returned 0x3a00000 [0081.717] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0081.717] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*") returned 152 [0081.717] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0081.717] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.717] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.717] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.717] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.717] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.717] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\.") returned 152 [0081.717] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.717] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.717] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.717] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.717] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.717] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.717] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.718] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\..") returned 153 [0081.718] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.718] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d38c66, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.718] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.718] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.718] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.718] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.718] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.718] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 182 [0081.718] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.718] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.718] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d12858, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="DEPLOY~1.EBA")) returned 1 [0081.718] lstrcmpiW (lpString1="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.718] lstrcmpiW (lpString1="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.718] lstrcmpiW (lpString1="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.718] lstrcmpiW (lpString1="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.718] lstrcmpiW (lpString1="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.718] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal") returned 197 [0081.718] StrStrIW (lpFirst="DeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.718] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84d6778e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf9dfb986, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0d12858, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5ab67b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Manifest.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0081.718] lstrcmpiW (lpString1="Manifest.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.718] lstrcmpiW (lpString1="Manifest.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.718] lstrcmpiW (lpString1="Manifest.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.718] lstrcmpiW (lpString1="Manifest.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.718] lstrcmpiW (lpString1="Manifest.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.718] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\Manifest.xml_r00t_{8ew5f6}.ebal") returned 182 [0081.718] StrStrIW (lpFirst="Manifest.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.718] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8639b81c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf39b2ab6, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0d12858, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="USERDE~1.EBA")) returned 1 [0081.718] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.718] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.718] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0081.718] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.718] lstrcmpiW (lpString1="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.719] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal") returned 201 [0081.719] StrStrIW (lpFirst="UserDeploymentConfiguration.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.719] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x38ed2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="USERMA~1.EBA")) returned 1 [0081.719] lstrcmpiW (lpString1="UserManifest.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.719] lstrcmpiW (lpString1="UserManifest.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.719] lstrcmpiW (lpString1="UserManifest.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0081.719] lstrcmpiW (lpString1="UserManifest.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.719] lstrcmpiW (lpString1="UserManifest.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.719] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\UserManifest.xml_r00t_{8ew5f6}.ebal") returned 186 [0081.719] StrStrIW (lpFirst="UserManifest.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.719] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf36dde8c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x38ed2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserManifest.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="USERMA~1.EBA")) returned 0 [0081.719] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0081.719] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 182 [0081.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\{1A8308C7-90D1-4200-B16E-646F163A08E8}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\{1a8308c7-90d1-4200-b16e-646f163a08e8}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0081.720] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0081.721] CloseHandle (hObject=0x450) returned 1 [0081.721] GetProcessHeap () returned 0x3a00000 [0081.721] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0081.721] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0d38c66, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d38c66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1A8308C7-90D1-4200-B16E-646F163A08E8}", cAlternateFileName="{1A830~1")) returned 0 [0081.721] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0081.721] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 143 [0081.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\{9AC08E99-230B-47E8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0081.722] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.723] CloseHandle (hObject=0x44c) returned 1 [0081.723] GetProcessHeap () returned 0x3a00000 [0081.723] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0081.723] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47E8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0081.723] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.723] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0081.723] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\Packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.724] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.725] CloseHandle (hObject=0x440) returned 1 [0081.725] GetProcessHeap () returned 0x3a00000 [0081.725] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.726] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85953409, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85953409, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85953409, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Packages", cAlternateFileName="")) returned 0 [0081.726] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0081.726] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0081.726] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Catalog\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\catalog\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.727] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.728] CloseHandle (hObject=0x43c) returned 1 [0081.728] GetProcessHeap () returned 0x3a00000 [0081.728] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.728] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0081.728] lstrcmpiW (lpString1="Integration", lpString2="Windows") returned -1 [0081.728] lstrcmpiW (lpString1="Integration", lpString2="$Recycle.bin") returned 1 [0081.729] lstrcmpiW (lpString1="Integration", lpString2="System Volume Information") returned -1 [0081.729] lstrcmpiW (lpString1="Integration", lpString2="Program Files") returned -1 [0081.729] lstrcmpiW (lpString1="Integration", lpString2="Program Files (x86)") returned -1 [0081.729] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration") returned 67 [0081.729] lstrcmpW (lpString1="Integration", lpString2=".") returned 1 [0081.729] lstrcmpW (lpString1="Integration", lpString2="..") returned 1 [0081.729] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.729] GetProcessHeap () returned 0x3a00000 [0081.729] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.729] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*") returned 69 [0081.729] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0081.729] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.729] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.729] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.729] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.729] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.729] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\.") returned 69 [0081.729] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.729] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.729] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.729] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.729] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.729] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.729] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.729] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\..") returned 70 [0081.729] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.729] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.729] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d5edb8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d5edb8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.729] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.729] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.729] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.729] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.729] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0081.730] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.730] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.730] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 1 [0081.730] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Windows") returned -1 [0081.730] lstrcmpiW (lpString1="ShortcutBackups", lpString2="$Recycle.bin") returned 1 [0081.730] lstrcmpiW (lpString1="ShortcutBackups", lpString2="System Volume Information") returned -1 [0081.730] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files") returned 1 [0081.730] lstrcmpiW (lpString1="ShortcutBackups", lpString2="Program Files (x86)") returned 1 [0081.730] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups") returned 83 [0081.730] lstrcmpW (lpString1="ShortcutBackups", lpString2=".") returned 1 [0081.730] lstrcmpW (lpString1="ShortcutBackups", lpString2="..") returned 1 [0081.730] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.730] GetProcessHeap () returned 0x3a00000 [0081.730] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*") returned 85 [0081.730] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.730] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.730] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.730] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.730] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.730] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\.") returned 85 [0081.730] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.730] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.730] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.730] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.730] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.730] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.730] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\..") returned 86 [0081.730] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.730] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.731] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d5edb8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d5edb8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.731] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.731] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.731] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.731] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.731] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0081.731] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.731] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.731] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0d5edb8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0d5edb8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0d5edb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.731] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0081.731] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\ShortcutBackups\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\shortcutbackups\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.732] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.733] CloseHandle (hObject=0x440) returned 1 [0081.733] GetProcessHeap () returned 0x3a00000 [0081.733] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.733] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShortcutBackups", cAlternateFileName="SHORTC~1")) returned 0 [0081.733] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0081.733] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0081.733] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\Integration\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\integration\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.738] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.738] CloseHandle (hObject=0x43c) returned 1 [0081.739] GetProcessHeap () returned 0x3a00000 [0081.739] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.739] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x85eb08ee, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x85eb08ee, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x85eb08ee, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 0 [0081.739] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.739] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.739] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\MachineData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\machinedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.740] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.741] CloseHandle (hObject=0x438) returned 1 [0081.741] GetProcessHeap () returned 0x3a00000 [0081.741] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.741] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x683c4eba, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ProductReleases", cAlternateFileName="PRODUC~1")) returned 1 [0081.741] lstrcmpiW (lpString1="ProductReleases", lpString2="Windows") returned -1 [0081.741] lstrcmpiW (lpString1="ProductReleases", lpString2="$Recycle.bin") returned 1 [0081.741] lstrcmpiW (lpString1="ProductReleases", lpString2="System Volume Information") returned -1 [0081.741] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files") returned -1 [0081.741] lstrcmpiW (lpString1="ProductReleases", lpString2="Program Files (x86)") returned -1 [0081.741] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases") returned 59 [0081.741] lstrcmpW (lpString1="ProductReleases", lpString2=".") returned 1 [0081.741] lstrcmpW (lpString1="ProductReleases", lpString2="..") returned 1 [0081.741] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.741] GetProcessHeap () returned 0x3a00000 [0081.741] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.741] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\*") returned 61 [0081.741] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.742] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.742] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.742] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.742] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.742] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\.") returned 61 [0081.742] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.742] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8826bb5f, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x683c4eba, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.742] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.742] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.742] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.742] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.742] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\..") returned 62 [0081.742] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.742] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.742] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e69cd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.742] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.742] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.742] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.742] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.742] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0081.742] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.742] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.742] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1a320d06, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", cAlternateFileName="5A65C4~1")) returned 1 [0081.742] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Windows") returned -1 [0081.742] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="$Recycle.bin") returned 1 [0081.742] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="System Volume Information") returned -1 [0081.742] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files") returned -1 [0081.742] lstrcmpiW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="Program Files (x86)") returned -1 [0081.742] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F") returned 96 [0081.742] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2=".") returned 1 [0081.742] lstrcmpW (lpString1="5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="..") returned 1 [0081.742] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.742] GetProcessHeap () returned 0x3a00000 [0081.743] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.743] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*") returned 98 [0081.743] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.743] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.743] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.743] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.743] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.743] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.743] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\.") returned 98 [0081.743] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.743] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bad881, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a320d06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.743] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.743] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.743] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.743] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.743] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.743] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\..") returned 99 [0081.743] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.743] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.743] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e1d941, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.743] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.743] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.743] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.743] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.743] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.743] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0081.743] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.743] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.743] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dd14af, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0081.743] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0081.744] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0081.744] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0081.744] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0081.744] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0081.744] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16") returned 105 [0081.744] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0081.744] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0081.744] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.744] GetProcessHeap () returned 0x3a00000 [0081.744] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*") returned 107 [0081.744] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dd14af, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0081.744] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.744] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.744] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.744] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.744] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\.") returned 107 [0081.744] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.744] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1a320d06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dd14af, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.744] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.744] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.744] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.744] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.744] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\..") returned 108 [0081.744] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.744] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.744] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0dd14af, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0dd14af, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.744] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.744] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.744] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.745] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.745] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 137 [0081.745] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.745] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.745] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a346f8d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a346f8d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d84e7a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5f70, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.745] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.745] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.745] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.745] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.745] lstrcmpiW (lpString1="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal") returned 151 [0081.745] StrStrIW (lpFirst="MasterDescriptor.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.745] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0d84e7a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s321033.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S32103~1.EBA")) returned 1 [0081.745] lstrcmpiW (lpString1="s321033.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.745] lstrcmpiW (lpString1="s321033.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.745] lstrcmpiW (lpString1="s321033.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.745] lstrcmpiW (lpString1="s321033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.745] lstrcmpiW (lpString1="s321033.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\s321033.hash_r00t_{8ew5f6}.ebal") returned 137 [0081.745] StrStrIW (lpFirst="s321033.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.745] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a36d2e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a36d2e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dab033, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1e02eb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.745] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.745] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.745] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.745] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.745] lstrcmpiW (lpString1="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal") returned 156 [0081.745] StrStrIW (lpFirst="stream.Platform.Culture.man.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.745] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dab033, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x404, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~2.EBA")) returned 1 [0081.745] lstrcmpiW (lpString1="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.745] lstrcmpiW (lpString1="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.745] lstrcmpiW (lpString1="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.745] lstrcmpiW (lpString1="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.745] lstrcmpiW (lpString1="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.hash_r00t_{8ew5f6}.ebal") returned 146 [0081.746] StrStrIW (lpFirst="stream.x86.en-us.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.746] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x108a17, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~3.EBA")) returned 1 [0081.746] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.746] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.746] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.746] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.746] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 149 [0081.746] StrStrIW (lpFirst="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.746] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a49e573, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1a49e573, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x108a17, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~3.EBA")) returned 0 [0081.746] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 137 [0081.746] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.747] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.748] CloseHandle (hObject=0x440) returned 1 [0081.748] GetProcessHeap () returned 0x3a00000 [0081.748] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.749] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0081.749] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0081.749] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0081.749] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0081.749] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0081.749] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0081.749] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16") returned 106 [0081.749] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0081.749] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0081.749] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.749] GetProcessHeap () returned 0x3a00000 [0081.749] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.749] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*") returned 108 [0081.749] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0081.749] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.749] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.749] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.749] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.749] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.749] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\.") returned 108 [0081.749] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.749] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.749] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.749] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.749] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.749] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.749] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.749] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\..") returned 109 [0081.750] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.750] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.750] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e1d941, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.750] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.750] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.750] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.750] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.750] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.750] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 138 [0081.750] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.750] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.750] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bd39c1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0dd14af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5eb5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0081.750] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.750] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.750] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.750] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.750] lstrcmpiW (lpString1="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.750] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal") returned 153 [0081.750] StrStrIW (lpFirst="MasterDescriptor.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.750] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df7503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ea, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="s320.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="S320HA~1.EBA")) returned 1 [0081.750] lstrcmpiW (lpString1="s320.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.750] lstrcmpiW (lpString1="s320.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.750] lstrcmpiW (lpString1="s320.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.750] lstrcmpiW (lpString1="s320.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.750] lstrcmpiW (lpString1="s320.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.750] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\s320.hash_r00t_{8ew5f6}.ebal") returned 135 [0081.750] StrStrIW (lpFirst="s320.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.750] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19bf9d35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19bf9d35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df7503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7e0de0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.750] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.750] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.750] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.750] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.750] lstrcmpiW (lpString1="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.750] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal") returned 156 [0081.750] StrStrIW (lpFirst="stream.Platform.x-none.man.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.750] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0df7503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x404, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~2.EBA")) returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.hash_r00t_{8ew5f6}.ebal") returned 148 [0081.751] StrStrIW (lpFirst="stream.x86.x-none.hash_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.751] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x460ecb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~3.EBA")) returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.751] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 151 [0081.751] StrStrIW (lpFirst="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.751] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19fffcc2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x19fffcc2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x460ecb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~3.EBA")) returned 0 [0081.751] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0081.751] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 138 [0081.751] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.752] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.753] CloseHandle (hObject=0x440) returned 1 [0081.753] GetProcessHeap () returned 0x3a00000 [0081.753] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.753] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x19bd39c1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0e1d941, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e1d941, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0081.753] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.753] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0081.753] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\5A65C4D7-3CDF-4BE4-8560-F036D300C13F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\5a65c4d7-3cdf-4be4-8560-f036d300c13f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.754] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.755] CloseHandle (hObject=0x43c) returned 1 [0081.755] GetProcessHeap () returned 0x3a00000 [0081.755] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.755] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 1 [0081.755] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Windows") returned -1 [0081.755] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="$Recycle.bin") returned 1 [0081.755] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="System Volume Information") returned -1 [0081.755] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files") returned -1 [0081.755] lstrcmpiW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="Program Files (x86)") returned -1 [0081.755] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F") returned 96 [0081.755] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2=".") returned 1 [0081.755] lstrcmpW (lpString1="A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="..") returned 1 [0081.755] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.756] GetProcessHeap () returned 0x3a00000 [0081.756] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*") returned 98 [0081.756] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0081.756] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.756] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.756] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.756] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.756] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\.") returned 98 [0081.756] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.756] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.756] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.756] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.756] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.756] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.756] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\..") returned 99 [0081.756] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.756] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.756] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e69cd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.756] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.756] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.756] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.756] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.756] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.756] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0081.756] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.756] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.756] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e43a58, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-us.16", cAlternateFileName="")) returned 1 [0081.756] lstrcmpiW (lpString1="en-us.16", lpString2="Windows") returned -1 [0081.756] lstrcmpiW (lpString1="en-us.16", lpString2="$Recycle.bin") returned 1 [0081.756] lstrcmpiW (lpString1="en-us.16", lpString2="System Volume Information") returned -1 [0081.757] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files") returned -1 [0081.757] lstrcmpiW (lpString1="en-us.16", lpString2="Program Files (x86)") returned -1 [0081.757] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16") returned 105 [0081.757] lstrcmpW (lpString1="en-us.16", lpString2=".") returned 1 [0081.757] lstrcmpW (lpString1="en-us.16", lpString2="..") returned 1 [0081.757] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.757] GetProcessHeap () returned 0x3a00000 [0081.757] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.757] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*") returned 107 [0081.757] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e43a58, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.757] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.757] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.757] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.757] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.757] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.757] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\.") returned 107 [0081.757] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.757] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x110186f1, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e43a58, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.757] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.757] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.757] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.757] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.757] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.757] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\..") returned 108 [0081.757] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.757] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.757] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e43a58, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e43a58, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.757] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.757] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.757] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.757] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.757] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.757] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 137 [0081.757] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.758] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.758] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x108a17, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.758] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.758] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.758] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.758] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.758] lstrcmpiW (lpString1="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.758] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal") returned 149 [0081.758] StrStrIW (lpFirst="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.758] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x113f8423, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x113f8423, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e43a58, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x108a17, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.en-us.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.758] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.758] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 137 [0081.758] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\en-us.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\en-us.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.759] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.760] CloseHandle (hObject=0x440) returned 1 [0081.760] GetProcessHeap () returned 0x3a00000 [0081.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.760] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 1 [0081.760] lstrcmpiW (lpString1="x-none.16", lpString2="Windows") returned 1 [0081.760] lstrcmpiW (lpString1="x-none.16", lpString2="$Recycle.bin") returned 1 [0081.760] lstrcmpiW (lpString1="x-none.16", lpString2="System Volume Information") returned 1 [0081.760] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files") returned 1 [0081.760] lstrcmpiW (lpString1="x-none.16", lpString2="Program Files (x86)") returned 1 [0081.760] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16") returned 106 [0081.760] lstrcmpW (lpString1="x-none.16", lpString2=".") returned 1 [0081.760] lstrcmpW (lpString1="x-none.16", lpString2="..") returned 1 [0081.760] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.760] GetProcessHeap () returned 0x3a00000 [0081.760] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.760] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*") returned 108 [0081.760] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0081.760] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.760] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.760] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.760] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.760] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\.") returned 108 [0081.761] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.761] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.761] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.761] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.761] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.761] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.761] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\..") returned 109 [0081.761] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.761] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.761] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e69cd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.761] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.761] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.761] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.761] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.761] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 138 [0081.761] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.761] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.761] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x460ecb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 1 [0081.761] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.761] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.761] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.761] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.761] lstrcmpiW (lpString1="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal") returned 151 [0081.761] StrStrIW (lpFirst="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.761] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x10ff2492, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x10ff2492, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x460ecb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="stream.x86.x-none.man.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STREAM~1.EBA")) returned 0 [0081.761] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0081.761] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 138 [0081.761] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\x-none.16\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\x-none.16\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.762] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.763] CloseHandle (hObject=0x440) returned 1 [0081.763] GetProcessHeap () returned 0x3a00000 [0081.763] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.763] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="x-none.16", cAlternateFileName="")) returned 0 [0081.763] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0081.764] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0081.764] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\A6A87302-92AE-41F2-AC52-73F5EE18259F\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\a6a87302-92ae-41f2-ac52-73f5ee18259f\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.764] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.766] CloseHandle (hObject=0x43c) returned 1 [0081.766] GetProcessHeap () returned 0x3a00000 [0081.766] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.766] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x106db4bf, ftCreationTime.dwHighDateTime=0x1d327ce, ftLastAccessTime.dwLowDateTime=0x1141e67e, ftLastAccessTime.dwHighDateTime=0x1d327ce, ftLastWriteTime.dwLowDateTime=0x1141e67e, ftLastWriteTime.dwHighDateTime=0x1d327ce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A6A87302-92AE-41F2-AC52-73F5EE18259F", cAlternateFileName="A6A873~1")) returned 0 [0081.766] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.766] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0081.766] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\ProductReleases\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\productreleases\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.767] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.768] CloseHandle (hObject=0x438) returned 1 [0081.768] GetProcessHeap () returned 0x3a00000 [0081.768] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.768] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x845f41a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserData", cAlternateFileName="")) returned 1 [0081.768] lstrcmpiW (lpString1="UserData", lpString2="Windows") returned -1 [0081.768] lstrcmpiW (lpString1="UserData", lpString2="$Recycle.bin") returned 1 [0081.768] lstrcmpiW (lpString1="UserData", lpString2="System Volume Information") returned 1 [0081.768] lstrcmpiW (lpString1="UserData", lpString2="Program Files") returned 1 [0081.768] lstrcmpiW (lpString1="UserData", lpString2="Program Files (x86)") returned 1 [0081.768] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData") returned 52 [0081.768] lstrcmpW (lpString1="UserData", lpString2=".") returned 1 [0081.768] lstrcmpW (lpString1="UserData", lpString2="..") returned 1 [0081.768] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.768] GetProcessHeap () returned 0x3a00000 [0081.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.768] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*") returned 54 [0081.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0081.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.769] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.769] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\.") returned 54 [0081.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.769] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845f41a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x845f41a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.769] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.769] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.769] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.769] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\..") returned 55 [0081.769] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.769] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.769] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e69cd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.769] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.769] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.769] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.769] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf0e69cd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf0e69cd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf0e69cd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.769] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0081.769] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.769] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\UserData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\userdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.770] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.771] CloseHandle (hObject=0x438) returned 1 [0081.771] GetProcessHeap () returned 0x3a00000 [0081.771] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.771] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 1 [0081.771] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Windows") returned -1 [0081.771] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="$Recycle.bin") returned 1 [0081.771] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="System Volume Information") returned -1 [0081.771] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files") returned -1 [0081.772] lstrcmpiW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="Program Files (x86)") returned -1 [0081.772] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}") returned 82 [0081.772] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2=".") returned 1 [0081.772] lstrcmpW (lpString1="{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="..") returned 1 [0081.772] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.772] GetProcessHeap () returned 0x3a00000 [0081.772] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.772] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*") returned 84 [0081.772] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.772] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.772] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.772] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.772] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.772] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.772] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\.") returned 84 [0081.772] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.772] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.772] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.772] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.772] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.772] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.772] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.772] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\..") returned 85 [0081.773] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.773] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.773] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13a104c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.773] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.773] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.773] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.773] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.773] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.773] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0081.773] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.773] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.773] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x437adb83, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x437adb83, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf0e8fe72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x451a7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", cAlternateFileName="AIRSPA~1.EBA")) returned 1 [0081.773] lstrcmpiW (lpString1="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.773] lstrcmpiW (lpString1="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.773] lstrcmpiW (lpString1="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.773] lstrcmpiW (lpString1="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.773] lstrcmpiW (lpString1="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.773] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\AirSpace.Etw.man_r00t_{8ew5f6}.ebal") returned 118 [0081.773] StrStrIW (lpFirst="AirSpace.Etw.man_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.773] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0eb616a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9574, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2RMAN~1.EBA")) returned 1 [0081.773] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.773] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.773] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 152 [0081.773] StrStrIW (lpFirst="C2RManifest.Access.Access.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.773] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0eb616a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xeaa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2RMAN~2.EBA")) returned 1 [0081.773] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.773] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.773] lstrcmpiW (lpString1="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.773] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 140 [0081.773] StrStrIW (lpFirst="C2RManifest.accessmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.773] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed71c4aa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed71c4aa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0eb616a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb7e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2RMAN~3.EBA")) returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.774] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 143 [0081.774] StrStrIW (lpFirst="C2RManifest.accessmuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.774] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0edc2e2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4298, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2RMAN~4.EBA")) returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.774] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 146 [0081.774] StrStrIW (lpFirst="C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.774] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed6f62ed, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed6f62ed, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0edc2e2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x29de, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C29E66~1.EBA")) returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.774] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 137 [0081.774] StrStrIW (lpFirst="C2RManifest.dcfmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.774] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed611426, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed611426, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0edc2e2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a120, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C21E16~1.EBA")) returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.774] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0081.774] StrStrIW (lpFirst="C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.774] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5c4f9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5c4f9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0edc2e2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x92f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2DCC2~1.EBA")) returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.774] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.774] lstrcmpiW (lpString1="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0081.775] StrStrIW (lpFirst="C2RManifest.excelmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f0261c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9312, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2287D~1.EBA")) returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 152 [0081.775] StrStrIW (lpFirst="C2RManifest.Groove.Groove.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f0261c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1b92, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C22E2F~1.EBA")) returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 140 [0081.775] StrStrIW (lpFirst="C2RManifest.groovemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed59ed2c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed59ed2c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f2877c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x19b20, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C23D83~1.EBA")) returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 148 [0081.775] StrStrIW (lpFirst="C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed578aca, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed578aca, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f2877c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5f18, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C26F67~1.EBA")) returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.775] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.775] lstrcmpiW (lpString1="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 138 [0081.775] StrStrIW (lpFirst="C2RManifest.lyncmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.775] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed5063b1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed5063b1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f2877c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ece, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C24A28~1.EBA")) returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.776] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 142 [0081.776] StrStrIW (lpFirst="C2RManifest.office32mui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.776] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed3d50b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed3d50b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f2877c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4f778, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C25039~1.EBA")) returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.776] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 142 [0081.776] StrStrIW (lpFirst="C2RManifest.office32ww.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.776] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed31650e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed31650e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f4e9d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x19bf4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C24684~1.EBA")) returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.776] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 140 [0081.776] StrStrIW (lpFirst="C2RManifest.officemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.776] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f4e9d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb7e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C27E66~1.EBA")) returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.776] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 143 [0081.776] StrStrIW (lpFirst="C2RManifest.officemuiset.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.776] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2f02a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2f02a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f74fd1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x17ec0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2BDC1~1.EBA")) returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.776] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.776] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 154 [0081.777] StrStrIW (lpFirst="C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.777] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2ca0b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2ca0b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f74fd1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4dce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C216AE~1.EBA")) returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 141 [0081.777] StrStrIW (lpFirst="C2RManifest.onenotemui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.777] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f9aebf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x97a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2C1A9~1.EBA")) returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 146 [0081.777] StrStrIW (lpFirst="C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.777] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed2a3e81, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed2a3e81, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f9aebf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2eac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C23FE9~1.EBA")) returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 137 [0081.777] StrStrIW (lpFirst="C2RManifest.osmmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.777] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f9aebf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc8a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2A0C2~1.EBA")) returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.777] lstrcmpiW (lpString1="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0081.778] StrStrIW (lpFirst="C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.778] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0f9aebf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2f0e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2D104~1.EBA")) returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0081.778] StrStrIW (lpFirst="C2RManifest.osmuxmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.778] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed25796c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed25796c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0fc3bd3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x17518, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C29482~1.EBA")) returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 154 [0081.778] StrStrIW (lpFirst="C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.778] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed20b499, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed20b499, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0fc3bd3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x17d08, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2CAB5~1.EBA")) returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 141 [0081.778] StrStrIW (lpFirst="C2RManifest.outlookmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.778] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed1e5243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed1e5243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0fe731c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb0160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C280EB~1.EBA")) returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 160 [0081.778] StrStrIW (lpFirst="C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.778] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed12666a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed12666a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf100d656, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x19928, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C299F0~1.EBA")) returned 1 [0081.778] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.779] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 160 [0081.779] StrStrIW (lpFirst="C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.779] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed0da264, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed0da264, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf100d656, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6c22, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C26B91~1.EBA")) returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.779] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 144 [0081.779] StrStrIW (lpFirst="C2RManifest.powerpointmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.779] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0xf100d656, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x77ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C24681~1.EBA")) returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.779] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 154 [0081.779] StrStrIW (lpFirst="C2RManifest.Project.Project.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.779] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3b87bb60, ftCreationTime.dwHighDateTime=0x1d47c34, ftLastAccessTime.dwLowDateTime=0x3b87bb60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0xf1033b7d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x8422, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C27B06~1.EBA")) returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.779] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 141 [0081.779] StrStrIW (lpFirst="C2RManifest.projectmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.779] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1033b7d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6732, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C24FA3~1.EBA")) returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.779] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.780] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 144 [0081.780] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.780] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed08dd97, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed08dd97, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1033b7d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6372, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2CCAD~1.EBA")) returned 1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.780] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal") returned 144 [0081.780] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.es-es.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.780] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed067a9a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed067a9a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1059e95, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6372, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2E53B~1.EBA")) returned 1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.780] lstrcmpiW (lpString1="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.780] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal") returned 144 [0081.780] StrStrIW (lpFirst="C2RManifest.Proof.Culture.msi.16.fr-fr.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.780] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1059e95, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb7e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2C9E2~1.EBA")) returned 1 [0081.780] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.788] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0081.788] StrStrIW (lpFirst="C2RManifest.proofing.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.788] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1059e95, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x131ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2BB6F~1.EBA")) returned 1 [0081.788] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.788] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 158 [0081.788] StrStrIW (lpFirst="C2RManifest.Publisher.Publisher.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.788] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed041918, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed041918, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf107fd59, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3ab8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C27213~1.EBA")) returned 1 [0081.788] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.788] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.788] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 143 [0081.789] StrStrIW (lpFirst="C2RManifest.publishermui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.789] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xed01b5ef, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed01b5ef, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf107fd59, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xb2b72, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2CEC9~1.EBA")) returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 152 [0081.789] StrStrIW (lpFirst="C2RManifest.shared.Office.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.789] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a705a3, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a705a3, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xf107fd59, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2ae82, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2B586~1.EBA")) returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 150 [0081.789] StrStrIW (lpFirst="C2RManifest.Visio.Visio.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.789] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a4a3b4, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a4a3b4, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xf10a5f60, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xf1038, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C209E7~1.EBA")) returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 139 [0081.789] StrStrIW (lpFirst="C2RManifest.visiomui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.789] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf5ca1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf5ca1c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10a5f60, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x156f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C2FB96~1.EBA")) returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.789] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.790] lstrcmpiW (lpString1="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal") returned 148 [0081.790] StrStrIW (lpFirst="C2RManifest.Word.Word.x-none.msi.16.x-none.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xecf3682d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10cc1c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x13482, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="C29A43~1.EBA")) returned 1 [0081.790] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.790] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.790] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.790] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.790] lstrcmpiW (lpString1="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal") returned 138 [0081.790] StrStrIW (lpFirst="C2RManifest.wordmui.msi.16.en-us.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0x49bee514, ftLastAccessTime.dwHighDateTime=0x1d32745, ftLastWriteTime.dwLowDateTime=0xf10cc1c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x12c7f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="integrator.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="INTEGR~1.EBA")) returned 1 [0081.790] lstrcmpiW (lpString1="integrator.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.790] lstrcmpiW (lpString1="integrator.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.790] lstrcmpiW (lpString1="integrator.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.790] lstrcmpiW (lpString1="integrator.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.790] lstrcmpiW (lpString1="integrator.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\integrator.exe_r00t_{8ew5f6}.ebal") returned 116 [0081.790] StrStrIW (lpFirst="integrator.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f3481a2, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f3481a2, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf137f13e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x106c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MICROS~1.EBA")) returned 1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal") returned 155 [0081.790] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3f0e5bdc, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x3f0e5bdc, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf137f13e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x102a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MICROS~2.EBA")) returned 1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.790] lstrcmpiW (lpString1="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal") returned 152 [0081.790] StrStrIW (lpFirst="Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x433f4072, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x433f4072, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1bbaa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", cAlternateFileName="MSOUTI~1.EBA")) returned 1 [0081.791] lstrcmpiW (lpString1="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.791] lstrcmpiW (lpString1="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.791] lstrcmpiW (lpString1="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.791] lstrcmpiW (lpString1="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.791] lstrcmpiW (lpString1="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.791] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\msoutilstat.etw.man_r00t_{8ew5f6}.ebal") returned 121 [0081.791] StrStrIW (lpFirst="msoutilstat.etw.man_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.791] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9c161, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man_r00t_{8ew5f6}.ebal", cAlternateFileName="WORDET~1.EBA")) returned 1 [0081.791] lstrcmpiW (lpString1="wordEtw.man_r00t_{8ew5f6}.ebal", lpString2="Windows") returned 1 [0081.791] lstrcmpiW (lpString1="wordEtw.man_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.791] lstrcmpiW (lpString1="wordEtw.man_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0081.791] lstrcmpiW (lpString1="wordEtw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.791] lstrcmpiW (lpString1="wordEtw.man_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.791] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\wordEtw.man_r00t_{8ew5f6}.ebal") returned 113 [0081.791] StrStrIW (lpFirst="wordEtw.man_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.791] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42b4f7c0, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x42b4f7c0, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9c161, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wordEtw.man_r00t_{8ew5f6}.ebal", cAlternateFileName="WORDET~1.EBA")) returned 0 [0081.791] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.791] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0081.791] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\{9AC08E99-230B-47e8-9721-4577B7F124EA}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\{9ac08e99-230b-47e8-9721-4577b7f124ea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.792] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.793] CloseHandle (hObject=0x438) returned 1 [0081.793] GetProcessHeap () returned 0x3a00000 [0081.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.793] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49bee514, ftCreationTime.dwHighDateTime=0x1d32745, ftLastAccessTime.dwLowDateTime=0xf13a104c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13a104c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9AC08E99-230B-47e8-9721-4577B7F124EA}", cAlternateFileName="{9AC08~1")) returned 0 [0081.793] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0081.793] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\ClickToRun\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\clicktorun\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.794] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.795] CloseHandle (hObject=0x434) returned 1 [0081.795] GetProcessHeap () returned 0x3a00000 [0081.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.795] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Crypto", cAlternateFileName="")) returned 1 [0081.795] lstrcmpiW (lpString1="Crypto", lpString2="Windows") returned -1 [0081.795] lstrcmpiW (lpString1="Crypto", lpString2="$Recycle.bin") returned 1 [0081.795] lstrcmpiW (lpString1="Crypto", lpString2="System Volume Information") returned -1 [0081.795] lstrcmpiW (lpString1="Crypto", lpString2="Program Files") returned -1 [0081.795] lstrcmpiW (lpString1="Crypto", lpString2="Program Files (x86)") returned -1 [0081.795] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto") returned 39 [0081.795] lstrcmpW (lpString1="Crypto", lpString2=".") returned 1 [0081.796] lstrcmpW (lpString1="Crypto", lpString2="..") returned 1 [0081.796] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.796] GetProcessHeap () returned 0x3a00000 [0081.796] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.796] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*") returned 41 [0081.796] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0xf1485eaa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0081.796] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.796] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.796] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.796] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.796] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.796] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\.") returned 41 [0081.796] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.796] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0xf1485eaa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.797] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.797] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.797] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.797] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.797] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.797] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\..") returned 42 [0081.797] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.797] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.797] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf145f9bd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1485eaa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.797] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.797] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.797] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.797] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.797] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.797] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0081.797] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.797] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.797] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x42e812c9, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DSS", cAlternateFileName="")) returned 1 [0081.797] lstrcmpiW (lpString1="DSS", lpString2="Windows") returned -1 [0081.797] lstrcmpiW (lpString1="DSS", lpString2="$Recycle.bin") returned 1 [0081.797] lstrcmpiW (lpString1="DSS", lpString2="System Volume Information") returned -1 [0081.797] lstrcmpiW (lpString1="DSS", lpString2="Program Files") returned -1 [0081.797] lstrcmpiW (lpString1="DSS", lpString2="Program Files (x86)") returned -1 [0081.797] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS") returned 43 [0081.797] lstrcmpW (lpString1="DSS", lpString2=".") returned 1 [0081.797] lstrcmpW (lpString1="DSS", lpString2="..") returned 1 [0081.797] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.797] GetProcessHeap () returned 0x3a00000 [0081.797] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.797] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*") returned 45 [0081.797] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0081.798] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.798] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.798] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.798] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.798] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.798] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\.") returned 45 [0081.798] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.798] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x42e812c9, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.798] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.798] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.798] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.798] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.798] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.798] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\..") returned 46 [0081.798] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.798] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.798] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13c734b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13c734b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.798] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.798] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.798] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.798] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.798] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.798] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.798] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.798] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.798] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0081.798] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0081.798] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0081.798] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0081.798] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0081.798] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0081.798] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys") returned 55 [0081.798] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0081.798] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0081.798] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.798] GetProcessHeap () returned 0x3a00000 [0081.798] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.799] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*") returned 57 [0081.799] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0081.799] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.799] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.799] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.799] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.799] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.799] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\.") returned 57 [0081.799] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.799] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.799] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.799] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.799] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.799] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.799] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.799] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\..") returned 58 [0081.799] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.799] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.799] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13c734b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13c734b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.799] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.799] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.799] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.799] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.799] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.799] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.799] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.799] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.799] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13c734b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13c734b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.799] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0081.799] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.800] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.800] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.801] CloseHandle (hObject=0x43c) returned 1 [0081.801] GetProcessHeap () returned 0x3a00000 [0081.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.801] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd330d8b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 0 [0081.802] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0081.802] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.802] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\DSS\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\dss\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.803] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.803] CloseHandle (hObject=0x438) returned 1 [0081.804] GetProcessHeap () returned 0x3a00000 [0081.804] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.804] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Keys", cAlternateFileName="")) returned 1 [0081.804] lstrcmpiW (lpString1="Keys", lpString2="Windows") returned -1 [0081.804] lstrcmpiW (lpString1="Keys", lpString2="$Recycle.bin") returned 1 [0081.804] lstrcmpiW (lpString1="Keys", lpString2="System Volume Information") returned -1 [0081.804] lstrcmpiW (lpString1="Keys", lpString2="Program Files") returned -1 [0081.804] lstrcmpiW (lpString1="Keys", lpString2="Program Files (x86)") returned -1 [0081.804] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys") returned 44 [0081.804] lstrcmpW (lpString1="Keys", lpString2=".") returned 1 [0081.804] lstrcmpW (lpString1="Keys", lpString2="..") returned 1 [0081.804] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.804] GetProcessHeap () returned 0x3a00000 [0081.804] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.804] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*") returned 46 [0081.804] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0081.804] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.804] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.804] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.804] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.804] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.804] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.") returned 46 [0081.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.804] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.804] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.804] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.804] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.805] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd33178c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.805] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.805] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.805] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.805] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.805] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\..") returned 47 [0081.805] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.805] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.805] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.805] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.805] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.805] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13c734b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13c734b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0081.805] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.805] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.805] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf13c734b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf13c734b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf13c734b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.805] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0081.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0081.805] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\Keys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\keys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.806] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.807] CloseHandle (hObject=0x438) returned 1 [0081.807] GetProcessHeap () returned 0x3a00000 [0081.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.807] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x416372c8, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PCPKSP", cAlternateFileName="")) returned 1 [0081.807] lstrcmpiW (lpString1="PCPKSP", lpString2="Windows") returned -1 [0081.807] lstrcmpiW (lpString1="PCPKSP", lpString2="$Recycle.bin") returned 1 [0081.808] lstrcmpiW (lpString1="PCPKSP", lpString2="System Volume Information") returned -1 [0081.808] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files") returned -1 [0081.808] lstrcmpiW (lpString1="PCPKSP", lpString2="Program Files (x86)") returned -1 [0081.808] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP") returned 46 [0081.808] lstrcmpW (lpString1="PCPKSP", lpString2=".") returned 1 [0081.808] lstrcmpW (lpString1="PCPKSP", lpString2="..") returned 1 [0081.808] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.808] GetProcessHeap () returned 0x3a00000 [0081.808] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.808] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*") returned 48 [0081.808] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0081.808] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.808] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.808] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.808] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.808] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.808] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\.") returned 48 [0081.808] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.808] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x416372c8, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.808] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.808] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.808] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.808] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.808] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.808] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\..") returned 49 [0081.808] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.808] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.808] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf141376c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf141376c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.808] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.808] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.809] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.809] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.809] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.809] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0081.809] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.809] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.809] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 1 [0081.809] lstrcmpiW (lpString1="WindowsAIK", lpString2="Windows") returned 1 [0081.809] lstrcmpiW (lpString1="WindowsAIK", lpString2="$Recycle.bin") returned 1 [0081.809] lstrcmpiW (lpString1="WindowsAIK", lpString2="System Volume Information") returned 1 [0081.809] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files") returned 1 [0081.809] lstrcmpiW (lpString1="WindowsAIK", lpString2="Program Files (x86)") returned 1 [0081.809] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK") returned 57 [0081.809] lstrcmpW (lpString1="WindowsAIK", lpString2=".") returned 1 [0081.809] lstrcmpW (lpString1="WindowsAIK", lpString2="..") returned 1 [0081.809] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.809] GetProcessHeap () returned 0x3a00000 [0081.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.809] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*") returned 59 [0081.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.809] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.809] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.809] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.809] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.809] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.809] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.") returned 59 [0081.809] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.809] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.809] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.809] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.809] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.810] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.810] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.810] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..") returned 60 [0081.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.810] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.810] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.810] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.810] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.810] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf141376c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf141376c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0081.810] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.810] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.810] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf141376c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf141376c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf141376c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.810] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0081.810] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\WindowsAIK\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\windowsaik\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.811] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.812] CloseHandle (hObject=0x43c) returned 1 [0081.813] GetProcessHeap () returned 0x3a00000 [0081.813] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.813] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd332abc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcdfeea, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsAIK", cAlternateFileName="WINDOW~1")) returned 0 [0081.813] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0081.813] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0081.813] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\PCPKSP\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\pcpksp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.814] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.815] CloseHandle (hObject=0x438) returned 1 [0081.815] GetProcessHeap () returned 0x3a00000 [0081.815] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.815] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0x77356b64, ftLastWriteTime.dwHighDateTime=0x1d32793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RSA", cAlternateFileName="")) returned 1 [0081.815] lstrcmpiW (lpString1="RSA", lpString2="Windows") returned -1 [0081.815] lstrcmpiW (lpString1="RSA", lpString2="$Recycle.bin") returned 1 [0081.815] lstrcmpiW (lpString1="RSA", lpString2="System Volume Information") returned -1 [0081.815] lstrcmpiW (lpString1="RSA", lpString2="Program Files") returned 1 [0081.815] lstrcmpiW (lpString1="RSA", lpString2="Program Files (x86)") returned 1 [0081.815] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA") returned 43 [0081.815] lstrcmpW (lpString1="RSA", lpString2=".") returned 1 [0081.815] lstrcmpW (lpString1="RSA", lpString2="..") returned 1 [0081.815] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.815] GetProcessHeap () returned 0x3a00000 [0081.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.815] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*") returned 45 [0081.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0081.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.815] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.815] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.815] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.815] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.815] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\.") returned 45 [0081.815] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.815] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x77356b64, ftLastAccessTime.dwHighDateTime=0x1d32793, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.815] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.815] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.815] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.816] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\..") returned 46 [0081.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.816] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf143b5c4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.816] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.816] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.816] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.816] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.816] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.816] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.816] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.816] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.816] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x955a3652, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MachineKeys", cAlternateFileName="MACHIN~1")) returned 1 [0081.816] lstrcmpiW (lpString1="MachineKeys", lpString2="Windows") returned -1 [0081.816] lstrcmpiW (lpString1="MachineKeys", lpString2="$Recycle.bin") returned 1 [0081.816] lstrcmpiW (lpString1="MachineKeys", lpString2="System Volume Information") returned -1 [0081.816] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files") returned -1 [0081.816] lstrcmpiW (lpString1="MachineKeys", lpString2="Program Files (x86)") returned -1 [0081.816] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys") returned 55 [0081.816] lstrcmpW (lpString1="MachineKeys", lpString2=".") returned 1 [0081.816] lstrcmpW (lpString1="MachineKeys", lpString2="..") returned 1 [0081.816] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.816] GetProcessHeap () returned 0x3a00000 [0081.816] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.816] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*") returned 57 [0081.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.817] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\.") returned 57 [0081.817] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.817] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcdfeea, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd40a02b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.817] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.817] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.817] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.817] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.817] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.817] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\..") returned 58 [0081.817] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.817] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.817] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf143b5c4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.817] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.817] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.817] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.817] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.817] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.817] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.817] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.817] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.817] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 1 [0081.817] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Windows") returned -1 [0081.817] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="$Recycle.bin") returned 1 [0081.817] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="System Volume Information") returned -1 [0081.817] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files") returned -1 [0081.817] lstrcmpiW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="Program Files (x86)") returned -1 [0081.817] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267") returned 125 [0081.817] StrStrIW (lpFirst="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpSrch=".ebal") returned 0x0 [0081.817] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.817] lstrcmpW (lpString1="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", lpString2="taridd") returned -1 [0081.817] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.818] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcb806263, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb806263, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xcbbe5f7c, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x8b1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="f686aace6942fb7f7ceb231212eef4a4_e8d761b7-8a68-4187-8c95-75a3788ac267", cAlternateFileName="F686AA~1")) returned 0 [0081.818] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.818] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0081.818] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\MachineKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\machinekeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.819] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.820] CloseHandle (hObject=0x43c) returned 1 [0081.820] GetProcessHeap () returned 0x3a00000 [0081.820] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.820] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0081.820] lstrcmpiW (lpString1="S-1-5-18", lpString2="Windows") returned -1 [0081.820] lstrcmpiW (lpString1="S-1-5-18", lpString2="$Recycle.bin") returned 1 [0081.820] lstrcmpiW (lpString1="S-1-5-18", lpString2="System Volume Information") returned -1 [0081.820] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files") returned 1 [0081.820] lstrcmpiW (lpString1="S-1-5-18", lpString2="Program Files (x86)") returned 1 [0081.820] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18") returned 52 [0081.820] lstrcmpW (lpString1="S-1-5-18", lpString2=".") returned 1 [0081.820] lstrcmpW (lpString1="S-1-5-18", lpString2="..") returned 1 [0081.820] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.820] GetProcessHeap () returned 0x3a00000 [0081.820] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.820] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*") returned 54 [0081.820] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0081.820] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.820] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.820] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.820] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.820] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.820] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.") returned 54 [0081.820] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.820] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.820] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.820] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.820] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.820] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.821] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.821] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.821] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.821] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.821] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.821] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.821] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..") returned 55 [0081.821] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.821] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.821] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.821] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.821] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.821] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.821] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf143b5c4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.821] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.821] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.821] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.821] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.821] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.821] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.821] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.821] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.821] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", cAlternateFileName="4ECCD1~1.EBA")) returned 1 [0081.821] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.821] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.821] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.821] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.821] lstrcmpiW (lpString1="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.821] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal") returned 141 [0081.821] StrStrIW (lpFirst="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.821] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x4c150294, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4eccd106f69e31c1b12304e5463bb71d_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", cAlternateFileName="4ECCD1~1.EBA")) returned 0 [0081.822] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0081.822] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\S-1-5-18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\s-1-5-18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.823] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.824] CloseHandle (hObject=0x43c) returned 1 [0081.824] GetProcessHeap () returned 0x3a00000 [0081.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.824] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x4c150294, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xf143b5c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf143b5c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="S-1-5-18", cAlternateFileName="")) returned 0 [0081.824] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0081.824] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\RSA\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\rsa\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.844] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.845] CloseHandle (hObject=0x438) returned 1 [0081.845] GetProcessHeap () returned 0x3a00000 [0081.845] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.845] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 1 [0081.845] lstrcmpiW (lpString1="SystemKeys", lpString2="Windows") returned -1 [0081.845] lstrcmpiW (lpString1="SystemKeys", lpString2="$Recycle.bin") returned 1 [0081.845] lstrcmpiW (lpString1="SystemKeys", lpString2="System Volume Information") returned 1 [0081.845] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files") returned 1 [0081.845] lstrcmpiW (lpString1="SystemKeys", lpString2="Program Files (x86)") returned 1 [0081.845] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys") returned 50 [0081.845] lstrcmpW (lpString1="SystemKeys", lpString2=".") returned 1 [0081.845] lstrcmpW (lpString1="SystemKeys", lpString2="..") returned 1 [0081.845] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.845] GetProcessHeap () returned 0x3a00000 [0081.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.845] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*") returned 52 [0081.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0081.845] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.845] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.845] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.845] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.845] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.845] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\.") returned 52 [0081.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.846] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.846] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.846] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.846] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\." (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.846] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.846] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.846] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.846] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.846] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.846] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.846] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\..") returned 53 [0081.846] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.846] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.846] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.846] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.846] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.846] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\.." (normalized: "c:\\users\\all users\\microsoft\\crypto"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.846] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf145f9bd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.846] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.846] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.846] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.846] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc3cbc1c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", cAlternateFileName="709228~1.EBA")) returned 1 [0081.847] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.847] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.847] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.847] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.847] lstrcmpiW (lpString1="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.847] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal") returned 139 [0081.847] StrStrIW (lpFirst="7092289d2be9a3ebf1065d0f1c678ab6_e8d761b7-8a68-4187-8c95-75a3788ac267_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.847] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", cAlternateFileName="D20D9E~1.EBA")) returned 1 [0081.847] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.847] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.847] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0081.847] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0081.847] lstrcmpiW (lpString1="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0081.847] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal") returned 139 [0081.847] StrStrIW (lpFirst="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.847] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x24, ftCreationTime.dwLowDateTime=0x1b8875cb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1b8875cb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9a1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="d20d9e7d1dcddc105a0d5e00d5e1ad30_33d770d0-06bc-47c5-8714-222cdac43a71_r00t_{8ew5f6}.ebal", cAlternateFileName="D20D9E~1.EBA")) returned 0 [0081.847] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0081.847] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.847] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\SystemKeys\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\systemkeys\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.848] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.849] CloseHandle (hObject=0x438) returned 1 [0081.849] GetProcessHeap () returned 0x3a00000 [0081.849] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.849] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcc3cbc1c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xf145f9bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf145f9bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SystemKeys", cAlternateFileName="SYSTEM~1")) returned 0 [0081.849] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0081.849] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Crypto\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\crypto\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.850] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.851] CloseHandle (hObject=0x434) returned 1 [0081.851] GetProcessHeap () returned 0x3a00000 [0081.851] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.851] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DataMart", cAlternateFileName="")) returned 1 [0081.851] lstrcmpiW (lpString1="DataMart", lpString2="Windows") returned -1 [0081.851] lstrcmpiW (lpString1="DataMart", lpString2="$Recycle.bin") returned 1 [0081.851] lstrcmpiW (lpString1="DataMart", lpString2="System Volume Information") returned -1 [0081.851] lstrcmpiW (lpString1="DataMart", lpString2="Program Files") returned -1 [0081.851] lstrcmpiW (lpString1="DataMart", lpString2="Program Files (x86)") returned -1 [0081.852] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart") returned 41 [0081.852] lstrcmpW (lpString1="DataMart", lpString2=".") returned 1 [0081.852] lstrcmpW (lpString1="DataMart", lpString2="..") returned 1 [0081.852] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.852] GetProcessHeap () returned 0x3a00000 [0081.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*") returned 43 [0081.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0081.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\.") returned 43 [0081.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.852] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4badec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.852] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.852] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\..") returned 44 [0081.852] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.852] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.852] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14ac0ef, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14ac0ef, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.852] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.852] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.852] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.852] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.852] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0081.853] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.853] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.853] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 1 [0081.853] lstrcmpiW (lpString1="PaidWiFi", lpString2="Windows") returned -1 [0081.853] lstrcmpiW (lpString1="PaidWiFi", lpString2="$Recycle.bin") returned 1 [0081.853] lstrcmpiW (lpString1="PaidWiFi", lpString2="System Volume Information") returned -1 [0081.853] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files") returned -1 [0081.853] lstrcmpiW (lpString1="PaidWiFi", lpString2="Program Files (x86)") returned -1 [0081.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi") returned 50 [0081.853] lstrcmpW (lpString1="PaidWiFi", lpString2=".") returned 1 [0081.853] lstrcmpW (lpString1="PaidWiFi", lpString2="..") returned 1 [0081.853] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.853] GetProcessHeap () returned 0x3a00000 [0081.853] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.853] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*") returned 52 [0081.853] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0081.853] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.853] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.853] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.853] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.853] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.853] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\.") returned 52 [0081.853] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.853] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.853] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.853] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.853] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.853] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\..") returned 53 [0081.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.854] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.854] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14ac0ef, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14ac0ef, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.854] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.854] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.854] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.854] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.854] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.854] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.854] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.854] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.854] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14ac0ef, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14ac0ef, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14ac0ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.854] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0081.854] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\PaidWiFi\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\datamart\\paidwifi\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.855] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.856] CloseHandle (hObject=0x438) returned 1 [0081.856] GetProcessHeap () returned 0x3a00000 [0081.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.856] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bb986, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="PaidWiFi", cAlternateFileName="")) returned 0 [0081.856] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0081.856] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0081.856] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DataMart\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\datamart\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.857] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.858] CloseHandle (hObject=0x434) returned 1 [0081.858] GetProcessHeap () returned 0x3a00000 [0081.858] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.858] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device Stage", cAlternateFileName="DEVICE~1")) returned 1 [0081.858] lstrcmpiW (lpString1="Device Stage", lpString2="Windows") returned -1 [0081.859] lstrcmpiW (lpString1="Device Stage", lpString2="$Recycle.bin") returned 1 [0081.859] lstrcmpiW (lpString1="Device Stage", lpString2="System Volume Information") returned -1 [0081.859] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files") returned -1 [0081.859] lstrcmpiW (lpString1="Device Stage", lpString2="Program Files (x86)") returned -1 [0081.859] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage") returned 45 [0081.859] lstrcmpW (lpString1="Device Stage", lpString2=".") returned 1 [0081.859] lstrcmpW (lpString1="Device Stage", lpString2="..") returned 1 [0081.859] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.859] GetProcessHeap () returned 0x3a00000 [0081.859] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.859] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*") returned 47 [0081.859] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0081.859] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.859] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.859] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.859] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.859] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.859] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\.") returned 47 [0081.859] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.859] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bc8c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.859] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.860] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.860] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.860] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.860] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.860] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\..") returned 48 [0081.860] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.860] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.860] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf154487b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf154487b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.860] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.860] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.860] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.860] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.860] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.860] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0081.860] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.860] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.860] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Device", cAlternateFileName="")) returned 1 [0081.860] lstrcmpiW (lpString1="Device", lpString2="Windows") returned -1 [0081.860] lstrcmpiW (lpString1="Device", lpString2="$Recycle.bin") returned 1 [0081.860] lstrcmpiW (lpString1="Device", lpString2="System Volume Information") returned -1 [0081.860] lstrcmpiW (lpString1="Device", lpString2="Program Files") returned -1 [0081.860] lstrcmpiW (lpString1="Device", lpString2="Program Files (x86)") returned -1 [0081.860] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device") returned 52 [0081.860] lstrcmpW (lpString1="Device", lpString2=".") returned 1 [0081.860] lstrcmpW (lpString1="Device", lpString2="..") returned 1 [0081.860] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.860] GetProcessHeap () returned 0x3a00000 [0081.860] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.860] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*") returned 54 [0081.860] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0081.860] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.860] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.861] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.861] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.861] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\.") returned 54 [0081.861] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.861] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd4bd6f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.861] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.861] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.861] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.861] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.861] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\..") returned 55 [0081.861] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.861] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.861] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14d2180, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14d2180, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.861] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.861] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.861] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.861] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.861] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.861] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.861] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.861] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{113527a4-45d4-4b6f-b567-97838f1b04b0}", cAlternateFileName="{11352~1")) returned 1 [0081.861] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Windows") returned -1 [0081.861] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="$Recycle.bin") returned 1 [0081.861] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="System Volume Information") returned -1 [0081.861] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files") returned -1 [0081.861] lstrcmpiW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="Program Files (x86)") returned -1 [0081.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}") returned 91 [0081.861] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2=".") returned 1 [0081.861] lstrcmpW (lpString1="{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="..") returned 1 [0081.861] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.861] GetProcessHeap () returned 0x3a00000 [0081.861] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.861] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*") returned 93 [0081.862] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0081.862] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.862] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.862] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.862] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.862] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.862] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\.") returned 93 [0081.862] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.862] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd55373b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.862] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.862] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.862] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.862] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.862] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.862] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\..") returned 94 [0081.862] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.862] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.862] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14d2180, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14d2180, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.862] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.862] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.862] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.862] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.862] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.862] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0081.862] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.862] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.862] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0081.862] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0081.862] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0081.862] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0081.862] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0081.862] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0081.863] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png") returned 106 [0081.863] StrStrIW (lpFirst="background.png", lpSrch=".ebal") returned 0x0 [0081.863] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.863] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0081.863] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\backgro", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.863] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb61, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0081.863] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0081.864] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0081.864] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0081.864] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0081.864] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0081.864] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml") returned 104 [0081.864] StrStrIW (lpFirst="behavior.xml", lpSrch=".ebal") returned 0x0 [0081.864] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.864] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0081.864] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.864] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadc8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="device.png", cAlternateFileName="")) returned 1 [0081.864] lstrcmpiW (lpString1="device.png", lpString2="Windows") returned -1 [0081.864] lstrcmpiW (lpString1="device.png", lpString2="$Recycle.bin") returned 1 [0081.864] lstrcmpiW (lpString1="device.png", lpString2="System Volume Information") returned -1 [0081.864] lstrcmpiW (lpString1="device.png", lpString2="Program Files") returned -1 [0081.864] lstrcmpiW (lpString1="device.png", lpString2="Program Files (x86)") returned -1 [0081.864] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png") returned 102 [0081.864] StrStrIW (lpFirst="device.png", lpSrch=".ebal") returned 0x0 [0081.864] lstrcmpW (lpString1="device.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.864] lstrcmpW (lpString1="device.png", lpString2="taridd") returned -1 [0081.864] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\device.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.864] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="overlay.png", cAlternateFileName="")) returned 1 [0081.864] lstrcmpiW (lpString1="overlay.png", lpString2="Windows") returned -1 [0081.864] lstrcmpiW (lpString1="overlay.png", lpString2="$Recycle.bin") returned 1 [0081.864] lstrcmpiW (lpString1="overlay.png", lpString2="System Volume Information") returned -1 [0081.865] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files") returned -1 [0081.865] lstrcmpiW (lpString1="overlay.png", lpString2="Program Files (x86)") returned -1 [0081.865] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png") returned 103 [0081.865] StrStrIW (lpFirst="overlay.png", lpSrch=".ebal") returned 0x0 [0081.865] lstrcmpW (lpString1="overlay.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.865] lstrcmpW (lpString1="overlay.png", lpString2="taridd") returned -1 [0081.865] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\overlay.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.865] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 1 [0081.865] lstrcmpiW (lpString1="superbar.png", lpString2="Windows") returned -1 [0081.865] lstrcmpiW (lpString1="superbar.png", lpString2="$Recycle.bin") returned 1 [0081.865] lstrcmpiW (lpString1="superbar.png", lpString2="System Volume Information") returned -1 [0081.865] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files") returned 1 [0081.865] lstrcmpiW (lpString1="superbar.png", lpString2="Program Files (x86)") returned 1 [0081.865] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png") returned 104 [0081.865] StrStrIW (lpFirst="superbar.png", lpSrch=".ebal") returned 0x0 [0081.865] lstrcmpW (lpString1="superbar.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.865] lstrcmpW (lpString1="superbar.png", lpString2="taridd") returned -1 [0081.865] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superba", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\superbar.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.871] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="superbar.png", cAlternateFileName="")) returned 0 [0081.871] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0081.871] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0081.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.872] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.873] CloseHandle (hObject=0x43c) returned 1 [0081.873] GetProcessHeap () returned 0x3a00000 [0081.873] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.873] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 1 [0081.874] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Windows") returned -1 [0081.874] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="$Recycle.bin") returned 1 [0081.874] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="System Volume Information") returned -1 [0081.874] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files") returned -1 [0081.874] lstrcmpiW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="Program Files (x86)") returned -1 [0081.874] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}") returned 91 [0081.874] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2=".") returned 1 [0081.874] lstrcmpW (lpString1="{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="..") returned 1 [0081.874] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.874] GetProcessHeap () returned 0x3a00000 [0081.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.874] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*") returned 93 [0081.874] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0081.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.877] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\.") returned 93 [0081.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.877] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.877] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.877] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.877] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.877] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.877] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.877] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\..") returned 94 [0081.877] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.877] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.877] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14d2180, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14d2180, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14d2180, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.877] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.877] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.877] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.877] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.877] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.877] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0081.877] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.877] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.877] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1fad1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="background.png", cAlternateFileName="")) returned 1 [0081.877] lstrcmpiW (lpString1="background.png", lpString2="Windows") returned -1 [0081.877] lstrcmpiW (lpString1="background.png", lpString2="$Recycle.bin") returned 1 [0081.877] lstrcmpiW (lpString1="background.png", lpString2="System Volume Information") returned -1 [0081.877] lstrcmpiW (lpString1="background.png", lpString2="Program Files") returned -1 [0081.878] lstrcmpiW (lpString1="background.png", lpString2="Program Files (x86)") returned -1 [0081.878] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png") returned 106 [0081.878] StrStrIW (lpFirst="background.png", lpSrch=".ebal") returned 0x0 [0081.878] lstrcmpW (lpString1="background.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.878] lstrcmpW (lpString1="background.png", lpString2="taridd") returned -1 [0081.878] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\backgro", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.878] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\background.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.878] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x6cf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="behavior.xml", cAlternateFileName="")) returned 1 [0081.878] lstrcmpiW (lpString1="behavior.xml", lpString2="Windows") returned -1 [0081.878] lstrcmpiW (lpString1="behavior.xml", lpString2="$Recycle.bin") returned 1 [0081.879] lstrcmpiW (lpString1="behavior.xml", lpString2="System Volume Information") returned -1 [0081.879] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files") returned -1 [0081.879] lstrcmpiW (lpString1="behavior.xml", lpString2="Program Files (x86)") returned -1 [0081.879] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml") returned 104 [0081.879] StrStrIW (lpFirst="behavior.xml", lpSrch=".ebal") returned 0x0 [0081.879] lstrcmpW (lpString1="behavior.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.879] lstrcmpW (lpString1="behavior.xml", lpString2="taridd") returned -1 [0081.879] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavio", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\behavior.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.879] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 1 [0081.879] lstrcmpiW (lpString1="watermark.png", lpString2="Windows") returned -1 [0081.879] lstrcmpiW (lpString1="watermark.png", lpString2="$Recycle.bin") returned 1 [0081.879] lstrcmpiW (lpString1="watermark.png", lpString2="System Volume Information") returned 1 [0081.879] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files") returned 1 [0081.879] lstrcmpiW (lpString1="watermark.png", lpString2="Program Files (x86)") returned 1 [0081.879] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png") returned 105 [0081.879] StrStrIW (lpFirst="watermark.png", lpSrch=".ebal") returned 0x0 [0081.879] lstrcmpW (lpString1="watermark.png", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.879] lstrcmpW (lpString1="watermark.png", lpString2="taridd") returned 1 [0081.879] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\waterma", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\watermark.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.880] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70c1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="watermark.png", cAlternateFileName="")) returned 0 [0081.880] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0081.880] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 123 [0081.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.881] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.882] CloseHandle (hObject=0x43c) returned 1 [0081.882] GetProcessHeap () returned 0x3a00000 [0081.882] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.882] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd554496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a8653f0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8702d817-5aad-4674-9ef3-4d3decd87120}", cAlternateFileName="{8702D~1")) returned 0 [0081.882] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0081.882] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0081.882] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Device\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\device\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.883] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.884] CloseHandle (hObject=0x438) returned 1 [0081.884] GetProcessHeap () returned 0x3a00000 [0081.884] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.884] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 1 [0081.884] lstrcmpiW (lpString1="Task", lpString2="Windows") returned -1 [0081.884] lstrcmpiW (lpString1="Task", lpString2="$Recycle.bin") returned 1 [0081.884] lstrcmpiW (lpString1="Task", lpString2="System Volume Information") returned 1 [0081.884] lstrcmpiW (lpString1="Task", lpString2="Program Files") returned 1 [0081.884] lstrcmpiW (lpString1="Task", lpString2="Program Files (x86)") returned 1 [0081.884] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task") returned 50 [0081.884] lstrcmpW (lpString1="Task", lpString2=".") returned 1 [0081.884] lstrcmpW (lpString1="Task", lpString2="..") returned 1 [0081.884] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.885] GetProcessHeap () returned 0x3a00000 [0081.885] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.885] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*") returned 52 [0081.885] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0081.885] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.885] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.885] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.885] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.885] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.885] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\.") returned 52 [0081.885] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.885] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.885] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.885] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.885] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.885] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.885] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.885] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\..") returned 53 [0081.885] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.885] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.885] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf154487b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf154487b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.885] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.885] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.885] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.885] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.885] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.885] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.885] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.885] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.885] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", cAlternateFileName="{07DEB~1")) returned 1 [0081.885] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Windows") returned -1 [0081.886] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="$Recycle.bin") returned 1 [0081.886] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="System Volume Information") returned -1 [0081.886] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files") returned -1 [0081.886] lstrcmpiW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="Program Files (x86)") returned -1 [0081.886] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}") returned 89 [0081.886] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2=".") returned 1 [0081.886] lstrcmpW (lpString1="{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="..") returned 1 [0081.886] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.886] GetProcessHeap () returned 0x3a00000 [0081.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.886] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*") returned 91 [0081.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.886] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.886] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.886] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.886] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.886] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.886] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\.") returned 91 [0081.886] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.886] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd5f4a5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.886] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.886] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.886] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.886] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.886] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.886] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\..") returned 92 [0081.886] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.886] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.886] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf151e73c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf151e73c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.886] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.886] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.886] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.887] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.887] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.887] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.887] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0081.887] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0081.887] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0081.887] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0081.887] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0081.887] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0081.887] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US") returned 95 [0081.887] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0081.887] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0081.887] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.887] GetProcessHeap () returned 0x3a00000 [0081.887] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.887] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*") returned 97 [0081.887] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14f83bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0081.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.887] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\.") returned 97 [0081.887] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.887] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b27bb25, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd5f5c36, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf14f83bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.887] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.887] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.887] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.887] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.887] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.887] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\..") returned 98 [0081.887] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.888] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.888] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf14f83bd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf14f83bd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf14f83bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.888] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.888] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.888] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.888] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.888] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.888] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0081.888] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.888] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.888] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0081.888] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0081.888] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0081.888] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0081.888] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0081.888] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0081.888] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml") returned 108 [0081.888] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0081.888] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.888] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0081.888] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\res", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.888] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3de910b4, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x755f99d9, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x11db3100, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0081.888] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0081.888] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0081.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.889] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.914] CloseHandle (hObject=0x440) returned 1 [0081.914] GetProcessHeap () returned 0x3a00000 [0081.914] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.914] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0081.914] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0081.914] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0081.914] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0081.914] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0081.914] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0081.914] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico") returned 100 [0081.914] StrStrIW (lpFirst="folder.ico", lpSrch=".ebal") returned 0x0 [0081.914] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.914] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0081.915] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ic", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.915] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x72ee, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="netfol.ico", cAlternateFileName="")) returned 1 [0081.915] lstrcmpiW (lpString1="netfol.ico", lpString2="Windows") returned -1 [0081.915] lstrcmpiW (lpString1="netfol.ico", lpString2="$Recycle.bin") returned 1 [0081.915] lstrcmpiW (lpString1="netfol.ico", lpString2="System Volume Information") returned -1 [0081.915] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files") returned -1 [0081.915] lstrcmpiW (lpString1="netfol.ico", lpString2="Program Files (x86)") returned -1 [0081.915] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico") returned 100 [0081.915] StrStrIW (lpFirst="netfol.ico", lpSrch=".ebal") returned 0x0 [0081.915] lstrcmpW (lpString1="netfol.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.915] lstrcmpW (lpString1="netfol.ico", lpString2="taridd") returned -1 [0081.915] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ic", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.915] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\netfol.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.915] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14668, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="pictures.ico", cAlternateFileName="")) returned 1 [0081.915] lstrcmpiW (lpString1="pictures.ico", lpString2="Windows") returned -1 [0081.915] lstrcmpiW (lpString1="pictures.ico", lpString2="$Recycle.bin") returned 1 [0081.915] lstrcmpiW (lpString1="pictures.ico", lpString2="System Volume Information") returned -1 [0081.915] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files") returned -1 [0081.915] lstrcmpiW (lpString1="pictures.ico", lpString2="Program Files (x86)") returned -1 [0081.915] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico") returned 102 [0081.915] StrStrIW (lpFirst="pictures.ico", lpSrch=".ebal") returned 0x0 [0081.915] lstrcmpW (lpString1="pictures.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.915] lstrcmpW (lpString1="pictures.ico", lpString2="taridd") returned -1 [0081.915] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.916] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49362917, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49362917, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49362917, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x536, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0081.916] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0081.916] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0081.916] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0081.916] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0081.916] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0081.916] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml") returned 102 [0081.916] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0081.916] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.916] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0081.916] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.916] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xcaa9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ringtones.ico", cAlternateFileName="")) returned 1 [0081.916] lstrcmpiW (lpString1="ringtones.ico", lpString2="Windows") returned -1 [0081.916] lstrcmpiW (lpString1="ringtones.ico", lpString2="$Recycle.bin") returned 1 [0081.916] lstrcmpiW (lpString1="ringtones.ico", lpString2="System Volume Information") returned -1 [0081.916] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files") returned 1 [0081.916] lstrcmpiW (lpString1="ringtones.ico", lpString2="Program Files (x86)") returned 1 [0081.916] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico") returned 103 [0081.916] StrStrIW (lpFirst="ringtones.ico", lpSrch=".ebal") returned 0x0 [0081.916] lstrcmpW (lpString1="ringtones.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.916] lstrcmpW (lpString1="ringtones.ico", lpString2="taridd") returned -1 [0081.916] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.916] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\ringtones.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.918] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10850, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.ico", cAlternateFileName="")) returned 1 [0081.918] lstrcmpiW (lpString1="settings.ico", lpString2="Windows") returned -1 [0081.918] lstrcmpiW (lpString1="settings.ico", lpString2="$Recycle.bin") returned 1 [0081.918] lstrcmpiW (lpString1="settings.ico", lpString2="System Volume Information") returned -1 [0081.918] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files") returned 1 [0081.918] lstrcmpiW (lpString1="settings.ico", lpString2="Program Files (x86)") returned 1 [0081.918] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico") returned 102 [0081.919] StrStrIW (lpFirst="settings.ico", lpSrch=".ebal") returned 0x0 [0081.919] lstrcmpW (lpString1="settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.919] lstrcmpW (lpString1="settings.ico", lpString2="taridd") returned -1 [0081.919] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.919] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc04b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="sync.ico", cAlternateFileName="")) returned 1 [0081.919] lstrcmpiW (lpString1="sync.ico", lpString2="Windows") returned -1 [0081.919] lstrcmpiW (lpString1="sync.ico", lpString2="$Recycle.bin") returned 1 [0081.919] lstrcmpiW (lpString1="sync.ico", lpString2="System Volume Information") returned -1 [0081.919] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files") returned 1 [0081.919] lstrcmpiW (lpString1="sync.ico", lpString2="Program Files (x86)") returned 1 [0081.919] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico") returned 98 [0081.919] StrStrIW (lpFirst="sync.ico", lpSrch=".ebal") returned 0x0 [0081.919] lstrcmpW (lpString1="sync.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.919] lstrcmpW (lpString1="sync.ico", lpString2="taridd") returned -1 [0081.919] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\sync.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.919] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49316445, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x49316445, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x49316445, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0081.919] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0081.919] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0081.919] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0081.919] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0081.919] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0081.919] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml") returned 99 [0081.919] StrStrIW (lpFirst="tasks.xml", lpSrch=".ebal") returned 0x0 [0081.919] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.919] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0081.919] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.919] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.924] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 1 [0081.924] lstrcmpiW (lpString1="wmp.ico", lpString2="Windows") returned 1 [0081.924] lstrcmpiW (lpString1="wmp.ico", lpString2="$Recycle.bin") returned 1 [0081.924] lstrcmpiW (lpString1="wmp.ico", lpString2="System Volume Information") returned 1 [0081.924] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files") returned 1 [0081.924] lstrcmpiW (lpString1="wmp.ico", lpString2="Program Files (x86)") returned 1 [0081.924] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico") returned 97 [0081.924] StrStrIW (lpFirst="wmp.ico", lpSrch=".ebal") returned 0x0 [0081.924] lstrcmpW (lpString1="wmp.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.924] lstrcmpW (lpString1="wmp.ico", lpString2="taridd") returned 1 [0081.924] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.924] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\wmp.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.924] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4933c6a8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x4933c6a8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x4933c6a8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1b9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wmp.ico", cAlternateFileName="")) returned 0 [0081.925] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.925] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.926] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.927] CloseHandle (hObject=0x43c) returned 1 [0081.927] GetProcessHeap () returned 0x3a00000 [0081.927] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.927] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 1 [0081.927] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Windows") returned -1 [0081.927] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="$Recycle.bin") returned 1 [0081.927] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="System Volume Information") returned -1 [0081.927] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files") returned -1 [0081.927] lstrcmpiW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="Program Files (x86)") returned -1 [0081.927] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}") returned 89 [0081.927] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2=".") returned 1 [0081.927] lstrcmpW (lpString1="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="..") returned 1 [0081.927] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.927] GetProcessHeap () returned 0x3a00000 [0081.927] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0081.927] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*") returned 91 [0081.927] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.928] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.928] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.928] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.928] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.928] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.928] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\.") returned 91 [0081.928] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.928] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.928] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.928] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.928] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.928] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.928] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.928] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\..") returned 92 [0081.928] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.928] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.928] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf154487b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf154487b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf154487b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.928] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.928] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.928] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.928] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.928] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.928] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.928] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.928] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.928] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0081.928] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0081.928] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0081.928] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0081.928] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0081.928] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0081.928] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US") returned 95 [0081.929] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0081.929] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0081.929] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.929] GetProcessHeap () returned 0x3a00000 [0081.929] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0081.929] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*") returned 97 [0081.929] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0081.929] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.929] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.929] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.929] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.929] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.929] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\.") returned 97 [0081.929] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.929] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbd64b86a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.929] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.929] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.929] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.929] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.929] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.929] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\..") returned 98 [0081.929] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.929] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.929] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf151e73c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf151e73c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf151e73c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.929] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.929] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.929] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.929] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.929] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.929] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0081.929] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.929] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.930] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 1 [0081.930] lstrcmpiW (lpString1="resource.xml", lpString2="Windows") returned -1 [0081.930] lstrcmpiW (lpString1="resource.xml", lpString2="$Recycle.bin") returned 1 [0081.930] lstrcmpiW (lpString1="resource.xml", lpString2="System Volume Information") returned -1 [0081.930] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files") returned 1 [0081.930] lstrcmpiW (lpString1="resource.xml", lpString2="Program Files (x86)") returned 1 [0081.930] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml") returned 108 [0081.930] StrStrIW (lpFirst="resource.xml", lpSrch=".ebal") returned 0x0 [0081.930] lstrcmpW (lpString1="resource.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.930] lstrcmpW (lpString1="resource.xml", lpString2="taridd") returned -1 [0081.930] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\res", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\resource.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\resource.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.930] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3bf64479, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x781a2192, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x549d0900, ftLastWriteTime.dwHighDateTime=0x1d29faa, nFileSizeHigh=0x0, nFileSizeLow=0x5e8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="resource.xml", cAlternateFileName="")) returned 0 [0081.930] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0081.930] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0081.930] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0081.931] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0081.932] CloseHandle (hObject=0x440) returned 1 [0081.932] GetProcessHeap () returned 0x3a00000 [0081.932] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0081.932] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0081.932] lstrcmpiW (lpString1="folder.ico", lpString2="Windows") returned -1 [0081.932] lstrcmpiW (lpString1="folder.ico", lpString2="$Recycle.bin") returned 1 [0081.932] lstrcmpiW (lpString1="folder.ico", lpString2="System Volume Information") returned -1 [0081.932] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files") returned -1 [0081.932] lstrcmpiW (lpString1="folder.ico", lpString2="Program Files (x86)") returned -1 [0081.932] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico") returned 100 [0081.932] StrStrIW (lpFirst="folder.ico", lpSrch=".ebal") returned 0x0 [0081.932] lstrcmpW (lpString1="folder.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.932] lstrcmpW (lpString1="folder.ico", lpString2="taridd") returned -1 [0081.932] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ic", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.932] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.933] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe3c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_pref.ico", cAlternateFileName="")) returned 1 [0081.933] lstrcmpiW (lpString1="print_pref.ico", lpString2="Windows") returned -1 [0081.933] lstrcmpiW (lpString1="print_pref.ico", lpString2="$Recycle.bin") returned 1 [0081.933] lstrcmpiW (lpString1="print_pref.ico", lpString2="System Volume Information") returned -1 [0081.933] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files") returned -1 [0081.933] lstrcmpiW (lpString1="print_pref.ico", lpString2="Program Files (x86)") returned -1 [0081.933] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico") returned 104 [0081.933] StrStrIW (lpFirst="print_pref.ico", lpSrch=".ebal") returned 0x0 [0081.933] lstrcmpW (lpString1="print_pref.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.933] lstrcmpW (lpString1="print_pref.ico", lpString2="taridd") returned -1 [0081.933] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pre", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pref.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.933] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xebb8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_property.ico", cAlternateFileName="")) returned 1 [0081.933] lstrcmpiW (lpString1="print_property.ico", lpString2="Windows") returned -1 [0081.933] lstrcmpiW (lpString1="print_property.ico", lpString2="$Recycle.bin") returned 1 [0081.933] lstrcmpiW (lpString1="print_property.ico", lpString2="System Volume Information") returned -1 [0081.933] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files") returned -1 [0081.933] lstrcmpiW (lpString1="print_property.ico", lpString2="Program Files (x86)") returned -1 [0081.933] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico") returned 108 [0081.933] StrStrIW (lpFirst="print_property.ico", lpSrch=".ebal") returned 0x0 [0081.933] lstrcmpW (lpString1="print_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.933] lstrcmpW (lpString1="print_property.ico", lpString2="taridd") returned -1 [0081.933] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_pro", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.934] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdff5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="print_queue.ico", cAlternateFileName="")) returned 1 [0081.934] lstrcmpiW (lpString1="print_queue.ico", lpString2="Windows") returned -1 [0081.934] lstrcmpiW (lpString1="print_queue.ico", lpString2="$Recycle.bin") returned 1 [0081.934] lstrcmpiW (lpString1="print_queue.ico", lpString2="System Volume Information") returned -1 [0081.934] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files") returned -1 [0081.934] lstrcmpiW (lpString1="print_queue.ico", lpString2="Program Files (x86)") returned -1 [0081.934] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico") returned 105 [0081.934] StrStrIW (lpFirst="print_queue.ico", lpSrch=".ebal") returned 0x0 [0081.934] lstrcmpW (lpString1="print_queue.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.934] lstrcmpW (lpString1="print_queue.ico", lpString2="taridd") returned -1 [0081.934] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_que", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\print_queue.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.934] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xec75, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_.ico", cAlternateFileName="")) returned 1 [0081.934] lstrcmpiW (lpString1="scan_.ico", lpString2="Windows") returned -1 [0081.934] lstrcmpiW (lpString1="scan_.ico", lpString2="$Recycle.bin") returned 1 [0081.934] lstrcmpiW (lpString1="scan_.ico", lpString2="System Volume Information") returned -1 [0081.935] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files") returned 1 [0081.935] lstrcmpiW (lpString1="scan_.ico", lpString2="Program Files (x86)") returned 1 [0081.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico") returned 99 [0081.935] StrStrIW (lpFirst="scan_.ico", lpSrch=".ebal") returned 0x0 [0081.935] lstrcmpW (lpString1="scan_.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.935] lstrcmpW (lpString1="scan_.ico", lpString2="taridd") returned -1 [0081.935] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.935] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62088d76, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62088d76, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62088d76, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x10654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_property.ico", cAlternateFileName="")) returned 1 [0081.935] lstrcmpiW (lpString1="scan_property.ico", lpString2="Windows") returned -1 [0081.935] lstrcmpiW (lpString1="scan_property.ico", lpString2="$Recycle.bin") returned 1 [0081.935] lstrcmpiW (lpString1="scan_property.ico", lpString2="System Volume Information") returned -1 [0081.935] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files") returned 1 [0081.935] lstrcmpiW (lpString1="scan_property.ico", lpString2="Program Files (x86)") returned 1 [0081.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico") returned 107 [0081.935] StrStrIW (lpFirst="scan_property.ico", lpSrch=".ebal") returned 0x0 [0081.935] lstrcmpW (lpString1="scan_property.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.935] lstrcmpW (lpString1="scan_property.ico", lpString2="taridd") returned -1 [0081.935] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_prop", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_property.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.935] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf8c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="scan_settings.ico", cAlternateFileName="")) returned 1 [0081.935] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Windows") returned -1 [0081.935] lstrcmpiW (lpString1="scan_settings.ico", lpString2="$Recycle.bin") returned 1 [0081.935] lstrcmpiW (lpString1="scan_settings.ico", lpString2="System Volume Information") returned -1 [0081.935] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files") returned 1 [0081.935] lstrcmpiW (lpString1="scan_settings.ico", lpString2="Program Files (x86)") returned 1 [0081.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico") returned 107 [0081.935] StrStrIW (lpFirst="scan_settings.ico", lpSrch=".ebal") returned 0x0 [0081.935] lstrcmpW (lpString1="scan_settings.ico", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.936] lstrcmpW (lpString1="scan_settings.ico", lpString2="taridd") returned -1 [0081.936] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_sett", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\scan_settings.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.936] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 1 [0081.936] lstrcmpiW (lpString1="tasks.xml", lpString2="Windows") returned -1 [0081.936] lstrcmpiW (lpString1="tasks.xml", lpString2="$Recycle.bin") returned 1 [0081.936] lstrcmpiW (lpString1="tasks.xml", lpString2="System Volume Information") returned 1 [0081.936] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files") returned 1 [0081.936] lstrcmpiW (lpString1="tasks.xml", lpString2="Program Files (x86)") returned 1 [0081.936] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml") returned 99 [0081.936] StrStrIW (lpFirst="tasks.xml", lpSrch=".ebal") returned 0x0 [0081.936] lstrcmpW (lpString1="tasks.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.936] lstrcmpW (lpString1="tasks.xml", lpString2="taridd") returned 1 [0081.936] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\tasks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.937] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x62062b13, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x62062b13, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x62062b13, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2c64, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="tasks.xml", cAlternateFileName="")) returned 0 [0081.937] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.937] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0081.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0081.938] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.939] CloseHandle (hObject=0x43c) returned 1 [0081.939] GetProcessHeap () returned 0x3a00000 [0081.939] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0081.939] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64a757, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e35be42d-f742-4d96-a50a-1775fb1a7a42}", cAlternateFileName="{E35BE~1")) returned 0 [0081.939] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0081.939] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0081.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\Task\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\task\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.940] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.941] CloseHandle (hObject=0x438) returned 1 [0081.941] GetProcessHeap () returned 0x3a00000 [0081.941] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.941] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd555071, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Task", cAlternateFileName="")) returned 0 [0081.941] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0081.941] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0081.941] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Device Stage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\device stage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.942] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.943] CloseHandle (hObject=0x434) returned 1 [0081.943] GetProcessHeap () returned 0x3a00000 [0081.943] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.943] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DeviceSync", cAlternateFileName="DEVICE~2")) returned 1 [0081.943] lstrcmpiW (lpString1="DeviceSync", lpString2="Windows") returned -1 [0081.943] lstrcmpiW (lpString1="DeviceSync", lpString2="$Recycle.bin") returned 1 [0081.943] lstrcmpiW (lpString1="DeviceSync", lpString2="System Volume Information") returned -1 [0081.943] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files") returned -1 [0081.943] lstrcmpiW (lpString1="DeviceSync", lpString2="Program Files (x86)") returned -1 [0081.943] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync") returned 43 [0081.943] lstrcmpW (lpString1="DeviceSync", lpString2=".") returned 1 [0081.943] lstrcmpW (lpString1="DeviceSync", lpString2="..") returned 1 [0081.943] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.943] GetProcessHeap () returned 0x3a00000 [0081.943] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.943] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*") returned 45 [0081.943] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf156aa94, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0081.944] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.944] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.944] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.944] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.944] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.944] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\.") returned 45 [0081.944] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.944] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd64c64e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf156aa94, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.944] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.944] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.944] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.944] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.944] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.944] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\..") returned 46 [0081.944] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.944] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.944] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf156aa94, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf156aa94, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.944] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.945] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.945] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.946] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.946] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.946] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.946] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.947] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.947] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf156aa94, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf156aa94, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.947] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0081.947] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0081.947] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DeviceSync\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\devicesync\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0081.948] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0081.949] CloseHandle (hObject=0x434) returned 1 [0081.949] GetProcessHeap () returned 0x3a00000 [0081.949] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0081.949] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Diagnosis", cAlternateFileName="DIAGNO~1")) returned 1 [0081.949] lstrcmpiW (lpString1="Diagnosis", lpString2="Windows") returned -1 [0081.949] lstrcmpiW (lpString1="Diagnosis", lpString2="$Recycle.bin") returned 1 [0081.949] lstrcmpiW (lpString1="Diagnosis", lpString2="System Volume Information") returned -1 [0081.949] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files") returned -1 [0081.949] lstrcmpiW (lpString1="Diagnosis", lpString2="Program Files (x86)") returned -1 [0081.949] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis") returned 42 [0081.949] lstrcmpW (lpString1="Diagnosis", lpString2=".") returned 1 [0081.949] lstrcmpW (lpString1="Diagnosis", lpString2="..") returned 1 [0081.949] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.949] GetProcessHeap () returned 0x3a00000 [0081.949] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0081.949] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*") returned 44 [0081.949] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0081.949] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.949] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.949] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.949] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.949] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.949] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\.") returned 44 [0081.949] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.949] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.949] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.949] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.950] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.950] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.950] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.950] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.950] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.950] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.950] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.950] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\..") returned 45 [0081.950] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.950] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.950] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.950] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.950] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.950] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.950] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\.." (normalized: "c:\\users\\all users\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.950] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.950] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.950] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.950] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.950] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.950] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.950] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0081.950] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.950] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.950] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AsimovUploader", cAlternateFileName="ASIMOV~1")) returned 1 [0081.950] lstrcmpiW (lpString1="AsimovUploader", lpString2="Windows") returned -1 [0081.950] lstrcmpiW (lpString1="AsimovUploader", lpString2="$Recycle.bin") returned 1 [0081.950] lstrcmpiW (lpString1="AsimovUploader", lpString2="System Volume Information") returned -1 [0081.950] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files") returned -1 [0081.950] lstrcmpiW (lpString1="AsimovUploader", lpString2="Program Files (x86)") returned -1 [0081.951] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader") returned 57 [0081.951] lstrcmpW (lpString1="AsimovUploader", lpString2=".") returned 1 [0081.951] lstrcmpW (lpString1="AsimovUploader", lpString2="..") returned 1 [0081.951] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.951] GetProcessHeap () returned 0x3a00000 [0081.951] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.951] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*") returned 59 [0081.951] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0081.951] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.951] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.951] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.951] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.951] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.951] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\.") returned 59 [0081.951] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.951] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.951] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.951] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.951] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.951] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69d545, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.951] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.951] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.951] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.951] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.951] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.951] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\..") returned 60 [0081.951] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.951] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.952] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.952] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.952] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.952] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.952] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1590cd9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.952] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.952] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.952] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.952] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.952] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.952] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0081.952] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.952] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.952] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1590cd9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0081.956] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0081.956] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0081.956] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\AsimovUploader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\asimovuploader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.957] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.958] CloseHandle (hObject=0x438) returned 1 [0081.958] GetProcessHeap () returned 0x3a00000 [0081.958] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.958] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedScenarios", cAlternateFileName="DOWNLO~1")) returned 1 [0081.958] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Windows") returned -1 [0081.958] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="$Recycle.bin") returned 1 [0081.958] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="System Volume Information") returned -1 [0081.958] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files") returned -1 [0081.958] lstrcmpiW (lpString1="DownloadedScenarios", lpString2="Program Files (x86)") returned -1 [0081.958] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios") returned 62 [0081.958] lstrcmpW (lpString1="DownloadedScenarios", lpString2=".") returned 1 [0081.958] lstrcmpW (lpString1="DownloadedScenarios", lpString2="..") returned 1 [0081.958] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.958] GetProcessHeap () returned 0x3a00000 [0081.958] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.958] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*") returned 64 [0081.958] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15b6ed8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0081.959] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.959] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.959] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.959] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.959] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.959] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\.") returned 64 [0081.959] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.959] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.959] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.959] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.959] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.959] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15b6ed8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.959] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.959] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.959] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.959] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.959] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.959] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\..") returned 65 [0081.959] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.959] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.959] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.959] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.959] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.959] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.959] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.960] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1590cd9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1590cd9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15b6ed8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.960] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.960] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.960] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.960] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.960] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0081.960] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.960] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.960] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd54, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", cAlternateFileName="WINDOW~1.EBA")) returned 1 [0081.960] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpString2="Windows") returned 1 [0081.960] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.960] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0081.960] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.960] lstrcmpiW (lpString1="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal") returned 112 [0081.960] StrStrIW (lpFirst="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.960] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a88b65e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf1590cd9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd54, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="windows.uif_ondemand.xml.inbox_r00t_{8ew5f6}.ebal", cAlternateFileName="WINDOW~1.EBA")) returned 0 [0081.960] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0081.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0081.960] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedScenarios\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedscenarios\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0081.961] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0081.962] CloseHandle (hObject=0x438) returned 1 [0081.962] GetProcessHeap () returned 0x3a00000 [0081.962] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0081.962] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf15dd200, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DownloadedSettings", cAlternateFileName="DOWNLO~2")) returned 1 [0081.962] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Windows") returned -1 [0081.962] lstrcmpiW (lpString1="DownloadedSettings", lpString2="$Recycle.bin") returned 1 [0081.962] lstrcmpiW (lpString1="DownloadedSettings", lpString2="System Volume Information") returned -1 [0081.962] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files") returned -1 [0081.962] lstrcmpiW (lpString1="DownloadedSettings", lpString2="Program Files (x86)") returned -1 [0081.962] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings") returned 61 [0081.962] lstrcmpW (lpString1="DownloadedSettings", lpString2=".") returned 1 [0081.963] lstrcmpW (lpString1="DownloadedSettings", lpString2="..") returned 1 [0081.963] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0081.963] GetProcessHeap () returned 0x3a00000 [0081.963] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0081.963] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*") returned 63 [0081.963] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf15dd200, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0081.963] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0081.963] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0081.963] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0081.963] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0081.963] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0081.963] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\.") returned 63 [0081.963] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0081.963] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0081.963] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.963] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0081.963] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.963] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf15dd200, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0081.963] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0081.963] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0081.963] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0081.963] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0081.963] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0081.963] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\..") returned 64 [0081.963] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0081.963] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0081.964] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0081.964] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0081.964] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0081.964] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.964] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf15dd200, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf15dd200, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0081.964] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0081.964] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0081.964] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0081.964] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0081.964] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0081.964] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0081.964] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0081.964] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0081.964] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x69d9f6fd, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x69d9f6fd, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69e5dfd5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x623b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json", cAlternateFileName="TELEME~1.JSO")) returned 1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Windows") returned -1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="$Recycle.bin") returned 1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="System Volume Information") returned 1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files") returned 1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="Program Files (x86)") returned 1 [0081.964] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json") returned 95 [0081.964] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json", lpSrch=".ebal") returned 0x0 [0081.964] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.964] lstrcmpW (lpString1="telemetry.ASM-WindowsDefault.json", lpString2="taridd") returned 1 [0081.964] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowsdefault.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.964] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf15b6ed8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", cAlternateFileName="TELEME~1.EBA")) returned 1 [0081.964] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.965] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.965] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0081.965] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0081.965] lstrcmpiW (lpString1="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0081.965] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal") returned 117 [0081.965] StrStrIW (lpFirst="telemetry.ASM-WindowsDefault.json.bk_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0081.965] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0xb0c71bce, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0xb0c71bce, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xb0fb9083, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TELEMETRY.ASM-WINDOWSSQ.json", cAlternateFileName="TELEME~4.JSO")) returned 1 [0081.965] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Windows") returned -1 [0081.965] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="$Recycle.bin") returned 1 [0081.965] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="System Volume Information") returned 1 [0081.965] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files") returned 1 [0081.965] lstrcmpiW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="Program Files (x86)") returned 1 [0081.965] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json") returned 90 [0081.965] StrStrIW (lpFirst="TELEMETRY.ASM-WINDOWSSQ.json", lpSrch=".ebal") returned 0x0 [0081.965] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.965] lstrcmpW (lpString1="TELEMETRY.ASM-WINDOWSSQ.json", lpString2="taridd") returned 1 [0081.965] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.965] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\TELEMETRY.ASM-WINDOWSSQ.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.asm-windowssq.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.966] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x2d95e660, ftCreationTime.dwHighDateTime=0x1d336e0, ftLastAccessTime.dwLowDateTime=0x2d95e660, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x2e6edc8f, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", cAlternateFileName="TEA386~1.JSO")) returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Windows") returned -1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="$Recycle.bin") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="System Volume Information") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="Program Files (x86)") returned 1 [0081.966] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json") returned 158 [0081.966] StrStrIW (lpFirst="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpSrch=".ebal") returned 0x0 [0081.966] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.966] lstrcmpW (lpString1="telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json", lpString2="taridd") returned 1 [0081.966] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.966] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7ea85252, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7ea85252, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f139471, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", cAlternateFileName="TELEME~2.JSO")) returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Windows") returned -1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="$Recycle.bin") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="System Volume Information") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files") returned 1 [0081.966] lstrcmpiW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="Program Files (x86)") returned 1 [0081.966] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json") returned 158 [0081.966] StrStrIW (lpFirst="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpSrch=".ebal") returned 0x0 [0081.966] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.966] lstrcmpW (lpString1="telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json", lpString2="taridd") returned 1 [0081.966] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d49967", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-31f8f00f75ee43d4996762625b6917f2-ce77d96f-eec8-4063-a05a-09720f5bbf1b-7138.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.967] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7f139471, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7f139471, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7f4f45ae, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x90, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", cAlternateFileName="TELEME~3.JSO")) returned 1 [0081.967] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Windows") returned -1 [0081.967] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="$Recycle.bin") returned 1 [0081.967] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="System Volume Information") returned 1 [0081.967] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files") returned 1 [0081.967] lstrcmpiW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="Program Files (x86)") returned 1 [0081.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json") returned 158 [0081.967] StrStrIW (lpFirst="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpSrch=".ebal") returned 0x0 [0081.967] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.967] lstrcmpW (lpString1="telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json", lpString2="taridd") returned 1 [0081.967] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\telemetry.p-aria-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.967] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x698688ac, ftCreationTime.dwHighDateTime=0x1d336d8, ftLastAccessTime.dwLowDateTime=0x698688ac, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x69d06e63, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0xba4e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json", cAlternateFileName="UTCAPP~1.JSO")) returned 1 [0081.967] lstrcmpiW (lpString1="utc.app.json", lpString2="Windows") returned -1 [0081.967] lstrcmpiW (lpString1="utc.app.json", lpString2="$Recycle.bin") returned 1 [0081.967] lstrcmpiW (lpString1="utc.app.json", lpString2="System Volume Information") returned 1 [0081.967] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files") returned 1 [0081.967] lstrcmpiW (lpString1="utc.app.json", lpString2="Program Files (x86)") returned 1 [0081.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json") returned 74 [0081.967] StrStrIW (lpFirst="utc.app.json", lpSrch=".ebal") returned 0x0 [0081.967] lstrcmpW (lpString1="utc.app.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0081.967] lstrcmpW (lpString1="utc.app.json", lpString2="taridd") returned 1 [0081.967] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0081.967] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.app.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0081.967] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa03, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.app.json.bk_r00t_{8ew5f6}.ebal", cAlternateFileName="UTCAPP~1.EBA")) returned 1 [0081.968] lstrcmpiW (lpString1="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0081.968] lstrcmpiW (lpString1="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0081.968] lstrcmpiW (lpString1="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.054] lstrcmpiW (lpString1="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.054] lstrcmpiW (lpString1="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.054] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.app.json.bk_r00t_{8ew5f6}.ebal") returned 96 [0082.054] StrStrIW (lpFirst="utc.app.json.bk_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.054] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 1 [0082.054] lstrcmpiW (lpString1="utc.cert.json", lpString2="Windows") returned -1 [0082.054] lstrcmpiW (lpString1="utc.cert.json", lpString2="$Recycle.bin") returned 1 [0082.054] lstrcmpiW (lpString1="utc.cert.json", lpString2="System Volume Information") returned 1 [0082.054] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files") returned 1 [0082.054] lstrcmpiW (lpString1="utc.cert.json", lpString2="Program Files (x86)") returned 1 [0082.054] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json") returned 75 [0082.054] StrStrIW (lpFirst="utc.cert.json", lpSrch=".ebal") returned 0x0 [0082.054] lstrcmpW (lpString1="utc.cert.json", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.054] lstrcmpW (lpString1="utc.cert.json", lpString2="taridd") returned 1 [0082.054] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.054] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\utc.cert.json" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\utc.cert.json"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.054] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x120, ftCreationTime.dwLowDateTime=0x7e8bf97d, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x7e8bf97d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7ea85252, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x8e9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="utc.cert.json", cAlternateFileName="UTCCER~1.JSO")) returned 0 [0082.054] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.054] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\DownloadedSettings\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\downloadedsettings\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.056] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.057] CloseHandle (hObject=0x438) returned 1 [0082.057] GetProcessHeap () returned 0x3a00000 [0082.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.057] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x8e23c06e, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ETLLogs", cAlternateFileName="")) returned 1 [0082.057] lstrcmpiW (lpString1="ETLLogs", lpString2="Windows") returned -1 [0082.057] lstrcmpiW (lpString1="ETLLogs", lpString2="$Recycle.bin") returned 1 [0082.057] lstrcmpiW (lpString1="ETLLogs", lpString2="System Volume Information") returned -1 [0082.057] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files") returned -1 [0082.057] lstrcmpiW (lpString1="ETLLogs", lpString2="Program Files (x86)") returned -1 [0082.057] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs") returned 50 [0082.057] lstrcmpW (lpString1="ETLLogs", lpString2=".") returned 1 [0082.057] lstrcmpW (lpString1="ETLLogs", lpString2="..") returned 1 [0082.057] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.057] GetProcessHeap () returned 0x3a00000 [0082.057] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.057] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*") returned 52 [0082.057] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.058] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\.") returned 52 [0082.058] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.058] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.058] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.058] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.058] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.058] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x8e23c06e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.058] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.058] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.058] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\..") returned 53 [0082.058] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.058] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.058] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.058] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.058] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.058] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.058] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.059] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16033e5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.059] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.059] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.059] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.059] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.059] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.059] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.059] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.059] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.059] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger", cAlternateFileName="AUTOLO~1")) returned 1 [0082.059] lstrcmpiW (lpString1="AutoLogger", lpString2="Windows") returned -1 [0082.059] lstrcmpiW (lpString1="AutoLogger", lpString2="$Recycle.bin") returned 1 [0082.059] lstrcmpiW (lpString1="AutoLogger", lpString2="System Volume Information") returned -1 [0082.059] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files") returned -1 [0082.059] lstrcmpiW (lpString1="AutoLogger", lpString2="Program Files (x86)") returned -1 [0082.059] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger") returned 61 [0082.059] lstrcmpW (lpString1="AutoLogger", lpString2=".") returned 1 [0082.059] lstrcmpW (lpString1="AutoLogger", lpString2="..") returned 1 [0082.059] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.059] GetProcessHeap () returned 0x3a00000 [0082.059] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.059] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*") returned 63 [0082.059] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0082.059] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.059] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.059] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.059] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.059] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.059] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.") returned 63 [0082.059] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.059] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.060] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.060] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.060] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.060] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.060] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.060] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.060] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.060] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.060] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.060] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..") returned 64 [0082.060] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.060] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.060] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.060] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.060] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.060] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.060] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.060] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16033e5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.060] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.060] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.060] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.060] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.060] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.060] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.060] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.060] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.060] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x30384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="AUTOLO~1.EBA")) returned 1 [0082.060] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.061] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.061] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.061] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.061] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.061] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal") returned 114 [0082.061] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.061] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcd8d859b, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xcd8d859b, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xf15dd200, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x30384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="AUTOLO~1.EBA")) returned 0 [0082.061] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0082.061] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.061] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\AutoLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\autologger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.106] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.144] CloseHandle (hObject=0x43c) returned 1 [0082.144] GetProcessHeap () returned 0x3a00000 [0082.144] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.144] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ScenarioShutdownLogger", cAlternateFileName="SCENAR~1")) returned 1 [0082.144] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Windows") returned -1 [0082.144] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="$Recycle.bin") returned 1 [0082.144] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="System Volume Information") returned -1 [0082.144] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files") returned 1 [0082.144] lstrcmpiW (lpString1="ScenarioShutdownLogger", lpString2="Program Files (x86)") returned 1 [0082.144] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger") returned 73 [0082.144] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2=".") returned 1 [0082.144] lstrcmpW (lpString1="ScenarioShutdownLogger", lpString2="..") returned 1 [0082.144] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.144] GetProcessHeap () returned 0x3a00000 [0082.144] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.144] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*") returned 75 [0082.145] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0082.145] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.145] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.145] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.145] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.145] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.145] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.") returned 75 [0082.145] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.145] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.145] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.145] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.145] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.145] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.145] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd69f80c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.145] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.145] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.145] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.145] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.145] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.145] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..") returned 76 [0082.145] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.145] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.145] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.145] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.145] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.146] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.146] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.146] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16033e5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.146] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.146] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.146] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.146] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.146] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.146] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 105 [0082.146] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.146] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.146] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16033e5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.146] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0082.146] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 105 [0082.147] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ScenarioShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\scenarioshutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.151] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.152] CloseHandle (hObject=0x43c) returned 1 [0082.152] GetProcessHeap () returned 0x3a00000 [0082.152] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.152] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 1 [0082.152] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Windows") returned -1 [0082.152] lstrcmpiW (lpString1="ShutdownLogger", lpString2="$Recycle.bin") returned 1 [0082.152] lstrcmpiW (lpString1="ShutdownLogger", lpString2="System Volume Information") returned -1 [0082.153] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files") returned 1 [0082.153] lstrcmpiW (lpString1="ShutdownLogger", lpString2="Program Files (x86)") returned 1 [0082.153] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger") returned 65 [0082.153] lstrcmpW (lpString1="ShutdownLogger", lpString2=".") returned 1 [0082.153] lstrcmpW (lpString1="ShutdownLogger", lpString2="..") returned 1 [0082.153] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.153] GetProcessHeap () returned 0x3a00000 [0082.153] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.153] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*") returned 67 [0082.153] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0082.153] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.153] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.153] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.153] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.153] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.153] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.") returned 67 [0082.153] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.153] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.153] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.153] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.153] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.153] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.153] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.153] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.154] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.154] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.154] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.154] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..") returned 68 [0082.154] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.154] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.154] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.154] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.154] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.154] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.154] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16033e5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16033e5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16033e5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.154] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.154] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.154] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.154] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.154] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.154] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0082.154] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.154] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.154] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 1 [0082.154] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Windows") returned -1 [0082.154] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="$Recycle.bin") returned 1 [0082.154] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="System Volume Information") returned -1 [0082.154] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files") returned -1 [0082.154] lstrcmpiW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="Program Files (x86)") returned -1 [0082.154] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl") returned 99 [0082.154] StrStrIW (lpFirst="AutoLogger-Diagtrack-Listener.etl", lpSrch=".ebal") returned 0x0 [0082.154] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.154] lstrcmpW (lpString1="AutoLogger-Diagtrack-Listener.etl", lpString2="taridd") returned -1 [0082.154] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.154] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\AutoLogger-Diagtrack-Listener.etl" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\autologger-diagtrack-listener.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.155] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb855a1cd, ftCreationTime.dwHighDateTime=0x1d33839, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbc623573, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x20000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AutoLogger-Diagtrack-Listener.etl", cAlternateFileName="AUTOLO~1.ETL")) returned 0 [0082.155] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0082.155] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0082.155] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\ShutdownLogger\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\shutdownlogger\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.236] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.237] CloseHandle (hObject=0x43c) returned 1 [0082.237] GetProcessHeap () returned 0x3a00000 [0082.237] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.237] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb855a1cd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb855a1cd, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ShutdownLogger", cAlternateFileName="SHUTDO~1")) returned 0 [0082.237] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.237] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.237] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\ETLLogs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\etllogs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.238] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.239] CloseHandle (hObject=0x438) returned 1 [0082.239] GetProcessHeap () returned 0x3a00000 [0082.239] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.239] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_CostDeferred.rbs", cAlternateFileName="EVENTS~3.RBS")) returned 1 [0082.239] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Windows") returned -1 [0082.239] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="$Recycle.bin") returned 1 [0082.239] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="System Volume Information") returned -1 [0082.239] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files") returned -1 [0082.239] lstrcmpiW (lpString1="Events_CostDeferred.rbs", lpString2="Program Files (x86)") returned -1 [0082.239] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs") returned 66 [0082.239] StrStrIW (lpFirst="Events_CostDeferred.rbs", lpSrch=".ebal") returned 0x0 [0082.239] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.239] lstrcmpW (lpString1="Events_CostDeferred.rbs", lpString2="taridd") returned -1 [0082.239] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.239] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_CostDeferred.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events_costdeferred.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.240] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b5e567a, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b5e567a, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x1000000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Normal.rbs", cAlternateFileName="EVENTS~1.RBS")) returned 1 [0082.240] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Windows") returned -1 [0082.240] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="$Recycle.bin") returned 1 [0082.240] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="System Volume Information") returned -1 [0082.240] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files") returned -1 [0082.240] lstrcmpiW (lpString1="Events_Normal.rbs", lpString2="Program Files (x86)") returned -1 [0082.240] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Normal.rbs") returned 60 [0082.240] StrStrIW (lpFirst="Events_Normal.rbs", lpSrch=".ebal") returned 0x0 [0082.240] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.240] lstrcmpW (lpString1="Events_Normal.rbs", lpString2="taridd") returned -1 [0082.240] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Normal.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Normal.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events_normal.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.240] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x666666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_NormalCritical.rbs", cAlternateFileName="EVENTS~2.RBS")) returned 1 [0082.240] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Windows") returned -1 [0082.240] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="$Recycle.bin") returned 1 [0082.240] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="System Volume Information") returned -1 [0082.240] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files") returned -1 [0082.240] lstrcmpiW (lpString1="Events_NormalCritical.rbs", lpString2="Program Files (x86)") returned -1 [0082.240] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs") returned 68 [0082.240] StrStrIW (lpFirst="Events_NormalCritical.rbs", lpSrch=".ebal") returned 0x0 [0082.240] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.240] lstrcmpW (lpString1="Events_NormalCritical.rbs", lpString2="taridd") returned -1 [0082.240] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.240] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_NormalCritical.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events_normalcritical.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.241] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b60b8d0, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b60b8d0, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x29662597, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x333333, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Events_Realtime.rbs", cAlternateFileName="EVENTS~4.RBS")) returned 1 [0082.241] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Windows") returned -1 [0082.241] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="$Recycle.bin") returned 1 [0082.241] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="System Volume Information") returned -1 [0082.241] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files") returned -1 [0082.241] lstrcmpiW (lpString1="Events_Realtime.rbs", lpString2="Program Files (x86)") returned -1 [0082.241] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Realtime.rbs") returned 62 [0082.241] StrStrIW (lpFirst="Events_Realtime.rbs", lpSrch=".ebal") returned 0x0 [0082.241] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.241] lstrcmpW (lpString1="Events_Realtime.rbs", lpString2="taridd") returned -1 [0082.241] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Realtime.rbs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.241] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Events_Realtime.rbs" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\events_realtime.rbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.241] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalTraceStore", cAlternateFileName="LOCALT~1")) returned 1 [0082.241] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Windows") returned -1 [0082.241] lstrcmpiW (lpString1="LocalTraceStore", lpString2="$Recycle.bin") returned 1 [0082.241] lstrcmpiW (lpString1="LocalTraceStore", lpString2="System Volume Information") returned -1 [0082.241] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files") returned -1 [0082.241] lstrcmpiW (lpString1="LocalTraceStore", lpString2="Program Files (x86)") returned -1 [0082.241] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore") returned 58 [0082.241] lstrcmpW (lpString1="LocalTraceStore", lpString2=".") returned 1 [0082.241] lstrcmpW (lpString1="LocalTraceStore", lpString2="..") returned 1 [0082.241] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.241] GetProcessHeap () returned 0x3a00000 [0082.241] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.241] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*") returned 60 [0082.241] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0082.241] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.241] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.241] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.242] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.242] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.242] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\.") returned 60 [0082.242] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.242] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.242] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.242] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.242] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.242] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a029c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.242] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.242] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.242] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.242] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.242] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.242] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\..") returned 61 [0082.242] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.242] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.242] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.242] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.242] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.242] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.242] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.242] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.242] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.242] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.242] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.242] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.242] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.242] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.242] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.243] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.243] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.243] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0082.243] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.243] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\LocalTraceStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\localtracestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.244] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.244] CloseHandle (hObject=0x438) returned 1 [0082.245] GetProcessHeap () returned 0x3a00000 [0082.245] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.245] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8a3dd985, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8a3dd985, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x28facbb4, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0xa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="osver.txt", cAlternateFileName="")) returned 1 [0082.245] lstrcmpiW (lpString1="osver.txt", lpString2="Windows") returned -1 [0082.245] lstrcmpiW (lpString1="osver.txt", lpString2="$Recycle.bin") returned 1 [0082.245] lstrcmpiW (lpString1="osver.txt", lpString2="System Volume Information") returned -1 [0082.245] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files") returned -1 [0082.245] lstrcmpiW (lpString1="osver.txt", lpString2="Program Files (x86)") returned -1 [0082.245] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\osver.txt") returned 52 [0082.245] StrStrIW (lpFirst="osver.txt", lpSrch=".ebal") returned 0x0 [0082.245] lstrcmpW (lpString1="osver.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.245] lstrcmpW (lpString1="osver.txt", lpString2="taridd") returned -1 [0082.245] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\osver.txt", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\osver.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\osver.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.245] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8bfbb1de, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8bfbb1de, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8bfbb1de, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="parse.dat", cAlternateFileName="")) returned 1 [0082.245] lstrcmpiW (lpString1="parse.dat", lpString2="Windows") returned -1 [0082.245] lstrcmpiW (lpString1="parse.dat", lpString2="$Recycle.bin") returned 1 [0082.245] lstrcmpiW (lpString1="parse.dat", lpString2="System Volume Information") returned -1 [0082.245] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files") returned -1 [0082.245] lstrcmpiW (lpString1="parse.dat", lpString2="Program Files (x86)") returned -1 [0082.245] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat") returned 52 [0082.245] StrStrIW (lpFirst="parse.dat", lpSrch=".ebal") returned 0x0 [0082.245] lstrcmpW (lpString1="parse.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.245] lstrcmpW (lpString1="parse.dat", lpString2="taridd") returned -1 [0082.245] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.245] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\parse.dat" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\parse.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.246] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Sideload", cAlternateFileName="")) returned 1 [0082.246] lstrcmpiW (lpString1="Sideload", lpString2="Windows") returned -1 [0082.246] lstrcmpiW (lpString1="Sideload", lpString2="$Recycle.bin") returned 1 [0082.246] lstrcmpiW (lpString1="Sideload", lpString2="System Volume Information") returned -1 [0082.246] lstrcmpiW (lpString1="Sideload", lpString2="Program Files") returned 1 [0082.246] lstrcmpiW (lpString1="Sideload", lpString2="Program Files (x86)") returned 1 [0082.246] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload") returned 51 [0082.246] lstrcmpW (lpString1="Sideload", lpString2=".") returned 1 [0082.246] lstrcmpW (lpString1="Sideload", lpString2="..") returned 1 [0082.246] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.246] GetProcessHeap () returned 0x3a00000 [0082.246] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.246] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*") returned 53 [0082.246] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0082.246] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.246] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.246] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.246] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.246] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.246] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\.") returned 53 [0082.246] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.246] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.246] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.246] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.246] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.246] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.246] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a06c3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.246] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.247] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.247] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.247] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.247] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.247] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\..") returned 54 [0082.247] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.247] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.247] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.247] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.247] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.247] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.247] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.247] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.247] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.247] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.247] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.247] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.247] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.247] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.247] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.247] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.247] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0082.247] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.247] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Sideload\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\sideload\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.248] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.249] CloseHandle (hObject=0x438) returned 1 [0082.249] GetProcessHeap () returned 0x3a00000 [0082.249] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.249] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Siufloc", cAlternateFileName="")) returned 1 [0082.249] lstrcmpiW (lpString1="Siufloc", lpString2="Windows") returned -1 [0082.249] lstrcmpiW (lpString1="Siufloc", lpString2="$Recycle.bin") returned 1 [0082.249] lstrcmpiW (lpString1="Siufloc", lpString2="System Volume Information") returned -1 [0082.249] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files") returned 1 [0082.250] lstrcmpiW (lpString1="Siufloc", lpString2="Program Files (x86)") returned 1 [0082.250] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc") returned 50 [0082.250] lstrcmpW (lpString1="Siufloc", lpString2=".") returned 1 [0082.250] lstrcmpW (lpString1="Siufloc", lpString2="..") returned 1 [0082.250] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.250] GetProcessHeap () returned 0x3a00000 [0082.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.250] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*") returned 52 [0082.250] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0082.250] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.250] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.250] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.250] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.250] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.250] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\.") returned 52 [0082.250] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.250] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.250] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.250] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.250] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.250] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.250] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd6a0bca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.250] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.250] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.250] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.250] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.250] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.250] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\..") returned 53 [0082.250] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.251] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.251] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.251] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.251] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.251] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.251] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.251] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.251] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16296c6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16296c6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16296c6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.251] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0082.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.251] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\Siufloc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\siufloc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.252] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.253] CloseHandle (hObject=0x438) returned 1 [0082.253] GetProcessHeap () returned 0x3a00000 [0082.253] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.253] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLanding", cAlternateFileName="SOFTLA~1")) returned 1 [0082.253] lstrcmpiW (lpString1="SoftLanding", lpString2="Windows") returned -1 [0082.253] lstrcmpiW (lpString1="SoftLanding", lpString2="$Recycle.bin") returned 1 [0082.253] lstrcmpiW (lpString1="SoftLanding", lpString2="System Volume Information") returned -1 [0082.253] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files") returned 1 [0082.253] lstrcmpiW (lpString1="SoftLanding", lpString2="Program Files (x86)") returned 1 [0082.253] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding") returned 54 [0082.253] lstrcmpW (lpString1="SoftLanding", lpString2=".") returned 1 [0082.253] lstrcmpW (lpString1="SoftLanding", lpString2="..") returned 1 [0082.253] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.253] GetProcessHeap () returned 0x3a00000 [0082.253] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.253] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*") returned 56 [0082.253] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf169bcbe, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0082.254] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.254] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.254] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.254] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.254] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.254] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\.") returned 56 [0082.254] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.254] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.254] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.254] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.254] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.254] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4ddac897, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf169bcbe, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.254] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.254] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.254] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.254] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.254] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.254] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\..") returned 57 [0082.254] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.254] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.254] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.254] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.254] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.254] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.255] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf169bcbe, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf169bcbe, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf169bcbe, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.255] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.255] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.255] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.255] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.255] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.255] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0082.255] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.255] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.255] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8bfa790, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4de62c84, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", cAlternateFileName="03D1E1~1.XML")) returned 1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Windows") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="$Recycle.bin") returned 1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="System Volume Information") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="Program Files (x86)") returned -1 [0082.255] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml") returned 100 [0082.255] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpSrch=".ebal") returned 0x0 [0082.255] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.255] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml", lpString2="taridd") returned -1 [0082.255] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.255] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.255] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c20a14, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4defb5dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x840fae4f, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x441b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", cAlternateFileName="03D1E1~2.XML")) returned 1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Windows") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files") returned -1 [0082.255] lstrcmpiW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.255] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml") returned 104 [0082.255] StrStrIW (lpFirst="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.256] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.256] lstrcmpW (lpString1="03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml", lpString2="taridd") returned -1 [0082.256] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\03d1e1da-f580-45d7-afdd-3598ed7cdba4_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.256] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4df6de00, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8128f6c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4180, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", cAlternateFileName="394B7B~1.XML")) returned 1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Windows") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="$Recycle.bin") returned 1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="System Volume Information") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="Program Files (x86)") returned -1 [0082.256] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml") returned 100 [0082.256] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpSrch=".ebal") returned 0x0 [0082.256] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.256] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml", lpString2="taridd") returned -1 [0082.256] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.256] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7750111, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e006640, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb5c02e23, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", cAlternateFileName="394B7B~2.XML")) returned 1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Windows") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files") returned -1 [0082.256] lstrcmpiW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.256] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml") returned 104 [0082.256] StrStrIW (lpFirst="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.256] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.256] lstrcmpW (lpString1="394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml", lpString2="taridd") returned -1 [0082.256] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.256] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\394b7b36-41b9-4032-9875-c0240ca5a7f5_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.257] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e09efaa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8625bd94, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4360, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", cAlternateFileName="75EF5B~1.XML")) returned 1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Windows") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="$Recycle.bin") returned 1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="System Volume Information") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="Program Files (x86)") returned -1 [0082.257] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml") returned 100 [0082.257] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpSrch=".ebal") returned 0x0 [0082.257] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.257] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml", lpString2="taridd") returned -1 [0082.257] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.257] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c46c2e, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e0c51fa, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x86556ca1, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x4473, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", cAlternateFileName="75EF5B~2.XML")) returned 1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Windows") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files") returned -1 [0082.257] lstrcmpiW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.257] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml") returned 104 [0082.257] StrStrIW (lpFirst="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.257] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.257] lstrcmpW (lpString1="75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml", lpString2="taridd") returned -1 [0082.257] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.257] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\75ef5b41-571d-4a4b-92bb-8b9f7fdc831f_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.257] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e15dbbf, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbc2bb3b, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", cAlternateFileName="9984EC~1.XML")) returned 1 [0082.257] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Windows") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="$Recycle.bin") returned 1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="System Volume Information") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="Program Files (x86)") returned -1 [0082.258] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml") returned 100 [0082.258] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpSrch=".ebal") returned 0x0 [0082.258] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.258] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml", lpString2="taridd") returned -1 [0082.258] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.258] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc7776347, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e1f64ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbbb6d045, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", cAlternateFileName="9984EC~2.XML")) returned 1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Windows") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files") returned -1 [0082.258] lstrcmpiW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.258] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml") returned 104 [0082.258] StrStrIW (lpFirst="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.258] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.258] lstrcmpW (lpString1="9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml", lpString2="taridd") returned -1 [0082.258] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.258] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\9984ecc0-931c-4feb-8996-203a6ffaa852_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.258] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e24298b, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb9eacc8c, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x433c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", cAlternateFileName="ACAE42~1.XML")) returned 1 [0082.258] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Windows") returned -1 [0082.258] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="$Recycle.bin") returned 1 [0082.258] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="System Volume Information") returned -1 [0082.258] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files") returned -1 [0082.258] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="Program Files (x86)") returned -1 [0082.258] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml") returned 100 [0082.258] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpSrch=".ebal") returned 0x0 [0082.259] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.259] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml", lpString2="taridd") returned -1 [0082.259] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.259] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e28ee3c, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xba09c6cc, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x443f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", cAlternateFileName="ACAE42~2.XML")) returned 1 [0082.259] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Windows") returned -1 [0082.259] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.259] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.259] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files") returned -1 [0082.259] lstrcmpiW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml") returned 104 [0082.259] StrStrIW (lpFirst="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.259] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.259] lstrcmpW (lpString1="acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml", lpString2="taridd") returned -1 [0082.259] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\acae4208-0ac4-4ef7-ac45-bb688b09e559_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.259] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc779c570, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2b5071, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8d3a091, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x442d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", cAlternateFileName="C08025~1.XML")) returned 1 [0082.259] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Windows") returned -1 [0082.259] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="$Recycle.bin") returned 1 [0082.259] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="System Volume Information") returned -1 [0082.259] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files") returned -1 [0082.259] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="Program Files (x86)") returned -1 [0082.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml") returned 100 [0082.259] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpSrch=".ebal") returned 0x0 [0082.259] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.259] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_show.xml", lpString2="taridd") returned -1 [0082.259] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.260] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e2db2dd, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb8c553ea, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4187, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", cAlternateFileName="C08025~2.XML")) returned 1 [0082.260] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Windows") returned -1 [0082.260] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.260] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.260] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files") returned -1 [0082.260] lstrcmpiW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.260] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml") returned 104 [0082.260] StrStrIW (lpFirst="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.260] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.260] lstrcmpW (lpString1="c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml", lpString2="taridd") returned -1 [0082.260] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\c0802597-6174-487a-b7de-20e8b1aa384e_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.260] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77c27a6, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e301522, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbb0b32d3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x418b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", cAlternateFileName="E80C85~1.XML")) returned 1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Windows") returned -1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="$Recycle.bin") returned 1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="System Volume Information") returned -1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files") returned -1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="Program Files (x86)") returned -1 [0082.260] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml") returned 100 [0082.260] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpSrch=".ebal") returned 0x0 [0082.260] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.260] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml", lpString2="taridd") returned -1 [0082.260] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.260] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.260] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc77e89d5, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e34d9d0, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xbaf35d10, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4172, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", cAlternateFileName="E80C85~2.XML")) returned 1 [0082.260] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Windows") returned -1 [0082.261] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.261] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.261] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files") returned -1 [0082.261] lstrcmpiW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.261] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml") returned 104 [0082.261] StrStrIW (lpFirst="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.261] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.261] lstrcmpW (lpString1="e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml", lpString2="taridd") returned -1 [0082.261] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\e80c855c-d75c-47b1-9ae4-f07f8c6c613d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.261] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e399e7e, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x8507a310, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x5c3a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", cAlternateFileName="E9D217~1.XML")) returned 1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Windows") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="$Recycle.bin") returned 1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="System Volume Information") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="Program Files (x86)") returned -1 [0082.261] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml") returned 100 [0082.261] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpSrch=".ebal") returned 0x0 [0082.261] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.261] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_show.xml", lpString2="taridd") returned -1 [0082.261] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.261] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c930e8, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x4e458a8d, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x85007c03, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x424c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", cAlternateFileName="E9D217~2.XML")) returned 1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Windows") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files") returned -1 [0082.261] lstrcmpiW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.261] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml") returned 104 [0082.262] StrStrIW (lpFirst="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.262] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.262] lstrcmpW (lpString1="e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml", lpString2="taridd") returned -1 [0082.262] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\e9d21752-8fc9-4793-b42e-33105b078a51_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.262] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4a4f18, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb806a476, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x43ad, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", cAlternateFileName="FFFD8B~1.XML")) returned 1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Windows") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="$Recycle.bin") returned 1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="System Volume Information") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="Program Files (x86)") returned -1 [0082.262] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml") returned 100 [0082.262] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpSrch=".ebal") returned 0x0 [0082.262] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.262] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_show.xml", lpString2="taridd") returned -1 [0082.262] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.262] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_show.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.262] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Windows") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="$Recycle.bin") returned 1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="System Volume Information") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files") returned -1 [0082.262] lstrcmpiW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="Program Files (x86)") returned -1 [0082.262] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml") returned 104 [0082.262] StrStrIW (lpFirst="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpSrch=".ebal") returned 0x0 [0082.263] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.263] lstrcmpW (lpString1="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", lpString2="taridd") returned -1 [0082.263] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdra", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.263] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc780ec0e, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb819b5fa, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x4443, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fffd8b5d-0172-4719-a792-b7c76986459d_withdraw.xml", cAlternateFileName="FFFD8B~2.XML")) returned 0 [0082.263] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0082.263] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0082.263] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLanding\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlanding\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.264] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.266] CloseHandle (hObject=0x438) returned 1 [0082.266] GetProcessHeap () returned 0x3a00000 [0082.266] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.266] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0x4e4cb173, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SoftLandingStage", cAlternateFileName="SOFTLA~2")) returned 1 [0082.266] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Windows") returned -1 [0082.266] lstrcmpiW (lpString1="SoftLandingStage", lpString2="$Recycle.bin") returned 1 [0082.266] lstrcmpiW (lpString1="SoftLandingStage", lpString2="System Volume Information") returned -1 [0082.266] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files") returned 1 [0082.266] lstrcmpiW (lpString1="SoftLandingStage", lpString2="Program Files (x86)") returned 1 [0082.266] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage") returned 59 [0082.266] lstrcmpW (lpString1="SoftLandingStage", lpString2=".") returned 1 [0082.266] lstrcmpW (lpString1="SoftLandingStage", lpString2="..") returned 1 [0082.266] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.266] GetProcessHeap () returned 0x3a00000 [0082.266] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.266] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*") returned 61 [0082.266] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0082.266] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.266] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.266] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.267] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\.") returned 61 [0082.267] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.267] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.267] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.267] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.267] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.267] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4e4cb173, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.267] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.267] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.267] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\..") returned 62 [0082.267] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.267] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.267] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.267] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.267] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.267] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.267] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.267] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf169bcbe, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf169bcbe, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.267] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.267] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.267] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.267] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.267] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.267] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.267] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.267] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.268] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf169bcbe, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf169bcbe, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.268] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0082.268] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.268] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\SoftLandingStage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\softlandingstage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.269] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.270] CloseHandle (hObject=0x438) returned 1 [0082.270] GetProcessHeap () returned 0x3a00000 [0082.270] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.270] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b11c43, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TenantStorage", cAlternateFileName="TENANT~1")) returned 1 [0082.270] lstrcmpiW (lpString1="TenantStorage", lpString2="Windows") returned -1 [0082.270] lstrcmpiW (lpString1="TenantStorage", lpString2="$Recycle.bin") returned 1 [0082.270] lstrcmpiW (lpString1="TenantStorage", lpString2="System Volume Information") returned 1 [0082.270] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files") returned 1 [0082.270] lstrcmpiW (lpString1="TenantStorage", lpString2="Program Files (x86)") returned 1 [0082.270] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage") returned 56 [0082.270] lstrcmpW (lpString1="TenantStorage", lpString2=".") returned 1 [0082.270] lstrcmpW (lpString1="TenantStorage", lpString2="..") returned 1 [0082.270] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.270] GetProcessHeap () returned 0x3a00000 [0082.270] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.270] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\*") returned 58 [0082.270] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0082.270] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.270] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.270] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.271] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.271] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.271] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\.") returned 58 [0082.271] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.271] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.271] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.271] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.271] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\." (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\tenantstorage\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.271] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf16c2073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.271] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.271] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.271] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.271] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.271] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.271] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\..") returned 59 [0082.271] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.271] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.271] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.271] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.271] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.271] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.271] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\.." (normalized: "c:\\users\\all users\\microsoft\\diagnosis"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.271] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16c2073, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16c2073, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.271] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.271] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.271] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.271] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.271] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.271] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0082.272] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.272] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.272] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 1 [0082.272] lstrcmpiW (lpString1="P-ARIA", lpString2="Windows") returned -1 [0082.272] lstrcmpiW (lpString1="P-ARIA", lpString2="$Recycle.bin") returned 1 [0082.272] lstrcmpiW (lpString1="P-ARIA", lpString2="System Volume Information") returned -1 [0082.272] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files") returned -1 [0082.272] lstrcmpiW (lpString1="P-ARIA", lpString2="Program Files (x86)") returned -1 [0082.272] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA") returned 63 [0082.272] lstrcmpW (lpString1="P-ARIA", lpString2=".") returned 1 [0082.272] lstrcmpW (lpString1="P-ARIA", lpString2="..") returned 1 [0082.272] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.272] GetProcessHeap () returned 0x3a00000 [0082.272] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.272] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*") returned 65 [0082.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\P-ARIA\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x65aee40, ftLastAccessTime.dwLowDateTime=0x3a29908, ftLastAccessTime.dwHighDateTime=0x2020e, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x65aeed8, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="\x05", cAlternateFileName="?΢￿￿扨@￿￿?΢\x05")) returned 0xffffffff [0082.272] GetProcessHeap () returned 0x3a00000 [0082.272] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.272] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6b11c43, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xd6b11c43, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xd6b37da3, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="P-ARIA", cAlternateFileName="")) returned 0 [0082.272] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0082.272] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0082.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\TenantStorage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\tenantstorage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.273] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.274] CloseHandle (hObject=0x438) returned 1 [0082.274] GetProcessHeap () returned 0x3a00000 [0082.274] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.274] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 1 [0082.274] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Windows") returned -1 [0082.275] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="$Recycle.bin") returned 1 [0082.275] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="System Volume Information") returned 1 [0082.275] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files") returned 1 [0082.275] lstrcmpiW (lpString1="VortexSchemaRequests.dat", lpString2="Program Files (x86)") returned 1 [0082.275] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat") returned 67 [0082.275] StrStrIW (lpFirst="VortexSchemaRequests.dat", lpSrch=".ebal") returned 0x0 [0082.275] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.275] lstrcmpW (lpString1="VortexSchemaRequests.dat", lpString2="taridd") returned 1 [0082.275] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\VortexSchemaRequests.dat" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\vortexschemarequests.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.275] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x774ff760, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb85cc8d2, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb85cc8d2, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VortexSchemaRequests.dat", cAlternateFileName="VORTEX~1.DAT")) returned 0 [0082.275] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0082.275] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0082.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Diagnosis\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\diagnosis\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.276] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.277] CloseHandle (hObject=0x434) returned 1 [0082.277] GetProcessHeap () returned 0x3a00000 [0082.277] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.277] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DRM", cAlternateFileName="")) returned 1 [0082.277] lstrcmpiW (lpString1="DRM", lpString2="Windows") returned -1 [0082.277] lstrcmpiW (lpString1="DRM", lpString2="$Recycle.bin") returned 1 [0082.277] lstrcmpiW (lpString1="DRM", lpString2="System Volume Information") returned -1 [0082.277] lstrcmpiW (lpString1="DRM", lpString2="Program Files") returned -1 [0082.277] lstrcmpiW (lpString1="DRM", lpString2="Program Files (x86)") returned -1 [0082.278] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM") returned 36 [0082.278] lstrcmpW (lpString1="DRM", lpString2=".") returned 1 [0082.278] lstrcmpW (lpString1="DRM", lpString2="..") returned 1 [0082.278] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.278] GetProcessHeap () returned 0x3a00000 [0082.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.278] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*") returned 38 [0082.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.278] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\.") returned 38 [0082.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.278] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71bd25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.278] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\..") returned 39 [0082.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.278] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.278] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.279] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.279] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.279] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 1 [0082.279] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0082.279] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0082.279] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0082.279] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0082.279] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0082.279] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server") returned 43 [0082.279] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0082.279] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0082.279] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.279] GetProcessHeap () returned 0x3a00000 [0082.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.279] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*") returned 45 [0082.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.279] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.") returned 45 [0082.280] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.280] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0082.280] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.280] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0082.280] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.280] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\." (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.280] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.280] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.280] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.280] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.280] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.280] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\..") returned 46 [0082.280] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.280] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0082.287] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0082.287] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0082.287] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.287] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\.." (normalized: "c:\\users\\all users\\microsoft\\drm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.287] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.287] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0082.287] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.287] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.287] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.288] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.288] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0082.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.289] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.290] CloseHandle (hObject=0x438) returned 1 [0082.290] GetProcessHeap () returned 0x3a00000 [0082.290] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.290] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd71c393, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 0 [0082.290] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.290] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.290] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\DRM\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\drm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.291] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.292] CloseHandle (hObject=0x434) returned 1 [0082.292] GetProcessHeap () returned 0x3a00000 [0082.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.292] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xfbfe5ab1, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xfbfe5ab1, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Event Viewer", cAlternateFileName="EVENTV~1")) returned 1 [0082.292] lstrcmpiW (lpString1="Event Viewer", lpString2="Windows") returned -1 [0082.292] lstrcmpiW (lpString1="Event Viewer", lpString2="$Recycle.bin") returned 1 [0082.292] lstrcmpiW (lpString1="Event Viewer", lpString2="System Volume Information") returned -1 [0082.292] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files") returned -1 [0082.292] lstrcmpiW (lpString1="Event Viewer", lpString2="Program Files (x86)") returned -1 [0082.292] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer") returned 45 [0082.292] lstrcmpW (lpString1="Event Viewer", lpString2=".") returned 1 [0082.293] lstrcmpW (lpString1="Event Viewer", lpString2="..") returned 1 [0082.293] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.293] GetProcessHeap () returned 0x3a00000 [0082.293] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.293] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*") returned 47 [0082.293] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xfbfe5ab1, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.293] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.293] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.293] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.293] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.293] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.293] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\.") returned 47 [0082.293] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.293] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xfbfe5ab1, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.293] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.293] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.293] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.293] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.293] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.293] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\..") returned 48 [0082.293] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.293] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.293] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf170e6fc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.293] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.293] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.293] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.293] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.293] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.293] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.294] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.294] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.294] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 1 [0082.294] lstrcmpiW (lpString1="Views", lpString2="Windows") returned -1 [0082.294] lstrcmpiW (lpString1="Views", lpString2="$Recycle.bin") returned 1 [0082.294] lstrcmpiW (lpString1="Views", lpString2="System Volume Information") returned 1 [0082.294] lstrcmpiW (lpString1="Views", lpString2="Program Files") returned 1 [0082.294] lstrcmpiW (lpString1="Views", lpString2="Program Files (x86)") returned 1 [0082.294] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views") returned 51 [0082.294] lstrcmpW (lpString1="Views", lpString2=".") returned 1 [0082.294] lstrcmpW (lpString1="Views", lpString2="..") returned 1 [0082.294] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.294] GetProcessHeap () returned 0x3a00000 [0082.294] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.294] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*") returned 53 [0082.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0082.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.294] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.294] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.294] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\.") returned 53 [0082.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.294] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.294] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.294] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.294] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.294] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.294] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.294] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\..") returned 54 [0082.294] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.294] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.294] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf170e6fc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.294] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.295] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.295] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.295] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.295] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.295] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.295] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.295] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.295] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 1 [0082.295] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Windows") returned -1 [0082.295] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="$Recycle.bin") returned 1 [0082.295] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="System Volume Information") returned -1 [0082.295] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files") returned -1 [0082.295] lstrcmpiW (lpString1="ApplicationViewsRootNode", lpString2="Program Files (x86)") returned -1 [0082.295] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode") returned 76 [0082.295] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2=".") returned 1 [0082.295] lstrcmpW (lpString1="ApplicationViewsRootNode", lpString2="..") returned 1 [0082.295] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.295] GetProcessHeap () returned 0x3a00000 [0082.295] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.295] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*") returned 78 [0082.295] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.295] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.295] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.295] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.295] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.295] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.295] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\.") returned 78 [0082.295] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.295] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.295] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.295] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.295] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.296] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.296] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.296] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\..") returned 79 [0082.296] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.296] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.296] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.296] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.296] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.303] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.303] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.303] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.303] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.303] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.303] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.303] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf16e8209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf16e8209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf16e8209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.304] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.304] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.304] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\ApplicationViewsRootNode\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\applicationviewsrootnode\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.305] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.306] CloseHandle (hObject=0x43c) returned 1 [0082.306] GetProcessHeap () returned 0x3a00000 [0082.306] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.306] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ApplicationViewsRootNode", cAlternateFileName="APPLIC~1")) returned 0 [0082.306] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0082.306] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.306] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\Views\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\views\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.307] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.308] CloseHandle (hObject=0x438) returned 1 [0082.308] GetProcessHeap () returned 0x3a00000 [0082.309] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.309] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc93dc4da, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Views", cAlternateFileName="")) returned 0 [0082.309] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0082.309] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.309] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Event Viewer\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\event viewer\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.310] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.311] CloseHandle (hObject=0x434) returned 1 [0082.311] GetProcessHeap () returned 0x3a00000 [0082.311] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.311] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="IdentityCRL", cAlternateFileName="IDENTI~1")) returned 1 [0082.311] lstrcmpiW (lpString1="IdentityCRL", lpString2="Windows") returned -1 [0082.311] lstrcmpiW (lpString1="IdentityCRL", lpString2="$Recycle.bin") returned 1 [0082.311] lstrcmpiW (lpString1="IdentityCRL", lpString2="System Volume Information") returned -1 [0082.311] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files") returned -1 [0082.311] lstrcmpiW (lpString1="IdentityCRL", lpString2="Program Files (x86)") returned -1 [0082.311] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL") returned 44 [0082.311] lstrcmpW (lpString1="IdentityCRL", lpString2=".") returned 1 [0082.311] lstrcmpW (lpString1="IdentityCRL", lpString2="..") returned 1 [0082.311] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.311] GetProcessHeap () returned 0x3a00000 [0082.311] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.311] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*") returned 46 [0082.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0082.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.311] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\.") returned 46 [0082.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.311] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd7af95c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.312] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.312] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.312] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.312] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.312] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.312] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\..") returned 47 [0082.312] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.312] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.312] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf175ab57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf175ab57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.312] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.312] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.312] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.312] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.312] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.312] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.312] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.312] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.312] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="INT", cAlternateFileName="")) returned 1 [0082.312] lstrcmpiW (lpString1="INT", lpString2="Windows") returned -1 [0082.312] lstrcmpiW (lpString1="INT", lpString2="$Recycle.bin") returned 1 [0082.312] lstrcmpiW (lpString1="INT", lpString2="System Volume Information") returned -1 [0082.312] lstrcmpiW (lpString1="INT", lpString2="Program Files") returned -1 [0082.312] lstrcmpiW (lpString1="INT", lpString2="Program Files (x86)") returned -1 [0082.312] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT") returned 48 [0082.312] lstrcmpW (lpString1="INT", lpString2=".") returned 1 [0082.312] lstrcmpW (lpString1="INT", lpString2="..") returned 1 [0082.312] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.312] GetProcessHeap () returned 0x3a00000 [0082.312] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.312] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*") returned 50 [0082.312] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0082.312] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.313] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.313] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.313] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.313] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.313] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\.") returned 50 [0082.313] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.313] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.313] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.313] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.313] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.313] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.313] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.313] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\..") returned 51 [0082.313] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.313] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.313] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf170e6fc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf170e6fc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.313] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.313] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.313] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.313] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.313] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.313] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0082.313] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.313] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.313] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6664, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", cAlternateFileName="PPCRLC~1.EBA")) returned 1 [0082.313] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.313] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.313] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.313] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.313] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.313] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal") returned 86 [0082.313] StrStrIW (lpFirst="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.313] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf170e6fc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6664, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", cAlternateFileName="PPCRLC~1.EBA")) returned 0 [0082.313] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0082.314] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0082.314] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\INT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\int\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.315] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.315] CloseHandle (hObject=0x438) returned 1 [0082.316] GetProcessHeap () returned 0x3a00000 [0082.316] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.316] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 1 [0082.316] lstrcmpiW (lpString1="production", lpString2="Windows") returned -1 [0082.316] lstrcmpiW (lpString1="production", lpString2="$Recycle.bin") returned 1 [0082.316] lstrcmpiW (lpString1="production", lpString2="System Volume Information") returned -1 [0082.316] lstrcmpiW (lpString1="production", lpString2="Program Files") returned -1 [0082.316] lstrcmpiW (lpString1="production", lpString2="Program Files (x86)") returned -1 [0082.316] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production") returned 55 [0082.316] lstrcmpW (lpString1="production", lpString2=".") returned 1 [0082.316] lstrcmpW (lpString1="production", lpString2="..") returned 1 [0082.316] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.316] GetProcessHeap () returned 0x3a00000 [0082.316] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.316] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*") returned 57 [0082.316] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0082.316] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.316] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.316] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.316] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.316] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.316] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\.") returned 57 [0082.316] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.316] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.316] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.316] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.316] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.317] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.317] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.317] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\..") returned 58 [0082.317] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.317] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.317] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1737f57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.317] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.317] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.317] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.317] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.317] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.317] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.317] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.317] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.317] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6464, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", cAlternateFileName="PPCRLC~1.EBA")) returned 1 [0082.317] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.317] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.317] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.317] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.317] lstrcmpiW (lpString1="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.317] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\ppcrlconfig600.dll_r00t_{8ew5f6}.ebal") returned 93 [0082.317] StrStrIW (lpFirst="ppcrlconfig600.dll_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.317] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 1 [0082.317] lstrcmpiW (lpString1="temp", lpString2="Windows") returned -1 [0082.317] lstrcmpiW (lpString1="temp", lpString2="$Recycle.bin") returned 1 [0082.317] lstrcmpiW (lpString1="temp", lpString2="System Volume Information") returned 1 [0082.317] lstrcmpiW (lpString1="temp", lpString2="Program Files") returned 1 [0082.317] lstrcmpiW (lpString1="temp", lpString2="Program Files (x86)") returned 1 [0082.317] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp") returned 60 [0082.317] lstrcmpW (lpString1="temp", lpString2=".") returned 1 [0082.317] lstrcmpW (lpString1="temp", lpString2="..") returned 1 [0082.317] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.317] GetProcessHeap () returned 0x3a00000 [0082.317] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.317] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*") returned 62 [0082.317] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.318] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.318] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.318] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.318] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\.") returned 62 [0082.318] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.318] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.318] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.318] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.318] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.318] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.318] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.318] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\..") returned 63 [0082.318] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.318] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.318] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1737f57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.318] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.318] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.318] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.318] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.318] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.318] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0082.318] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.318] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.318] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1737f57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.318] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.318] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0082.319] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.319] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.320] CloseHandle (hObject=0x43c) returned 1 [0082.320] GetProcessHeap () returned 0x3a00000 [0082.320] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.320] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xbd80b503, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb66288f, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="temp", cAlternateFileName="")) returned 0 [0082.321] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0082.321] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.321] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\production\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\production\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.322] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.322] CloseHandle (hObject=0x438) returned 1 [0082.323] GetProcessHeap () returned 0x3a00000 [0082.323] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.323] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1737f57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1737f57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="production", cAlternateFileName="PRODUC~1")) returned 0 [0082.323] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0082.323] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.323] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\IdentityCRL\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\identitycrl\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.324] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.325] CloseHandle (hObject=0x434) returned 1 [0082.325] GetProcessHeap () returned 0x3a00000 [0082.325] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.325] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd06144, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MapData", cAlternateFileName="")) returned 1 [0082.325] lstrcmpiW (lpString1="MapData", lpString2="Windows") returned -1 [0082.325] lstrcmpiW (lpString1="MapData", lpString2="$Recycle.bin") returned 1 [0082.325] lstrcmpiW (lpString1="MapData", lpString2="System Volume Information") returned -1 [0082.325] lstrcmpiW (lpString1="MapData", lpString2="Program Files") returned -1 [0082.325] lstrcmpiW (lpString1="MapData", lpString2="Program Files (x86)") returned -1 [0082.325] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData") returned 40 [0082.325] lstrcmpW (lpString1="MapData", lpString2=".") returned 1 [0082.325] lstrcmpW (lpString1="MapData", lpString2="..") returned 1 [0082.325] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.325] GetProcessHeap () returned 0x3a00000 [0082.325] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.325] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*") returned 42 [0082.325] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0082.325] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.325] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.325] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.325] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.325] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.325] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\.") returned 42 [0082.325] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.325] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd06144, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbd80cc32, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.326] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.326] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.326] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.326] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.326] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.326] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\..") returned 43 [0082.326] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.326] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.326] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf175ab57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf175ab57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.326] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.326] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.326] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.326] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.326] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.326] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0082.326] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.326] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.326] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf175ab57, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf175ab57, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.326] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0082.326] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0082.326] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MapData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\mapdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.399] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.402] CloseHandle (hObject=0x434) returned 1 [0082.402] GetProcessHeap () returned 0x3a00000 [0082.402] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.402] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MF", cAlternateFileName="")) returned 1 [0082.402] lstrcmpiW (lpString1="MF", lpString2="Windows") returned -1 [0082.402] lstrcmpiW (lpString1="MF", lpString2="$Recycle.bin") returned 1 [0082.402] lstrcmpiW (lpString1="MF", lpString2="System Volume Information") returned -1 [0082.402] lstrcmpiW (lpString1="MF", lpString2="Program Files") returned -1 [0082.402] lstrcmpiW (lpString1="MF", lpString2="Program Files (x86)") returned -1 [0082.402] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF") returned 35 [0082.402] lstrcmpW (lpString1="MF", lpString2=".") returned 1 [0082.402] lstrcmpW (lpString1="MF", lpString2="..") returned 1 [0082.402] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.402] GetProcessHeap () returned 0x3a00000 [0082.402] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.402] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*") returned 37 [0082.402] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.402] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.402] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.403] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.403] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.403] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.403] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\.") returned 37 [0082.403] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.403] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.403] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.403] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.403] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.403] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.403] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.403] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\..") returned 38 [0082.403] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.403] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.403] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.403] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.403] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.403] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.403] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.403] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.403] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0082.403] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.403] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.403] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3e00, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Active.GRL_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.403] lstrcmpiW (lpString1="Active.GRL_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.403] lstrcmpiW (lpString1="Active.GRL_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.403] lstrcmpiW (lpString1="Active.GRL_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.403] lstrcmpiW (lpString1="Active.GRL_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.403] lstrcmpiW (lpString1="Active.GRL_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.403] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Active.GRL_r00t_{8ew5f6}.ebal") returned 65 [0082.403] StrStrIW (lpFirst="Active.GRL_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.403] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3e00, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.403] lstrcmpiW (lpString1="Pending.GRL_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.403] lstrcmpiW (lpString1="Pending.GRL_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.403] lstrcmpiW (lpString1="Pending.GRL_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.404] lstrcmpiW (lpString1="Pending.GRL_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.404] lstrcmpiW (lpString1="Pending.GRL_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.404] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\Pending.GRL_r00t_{8ew5f6}.ebal") returned 66 [0082.404] StrStrIW (lpFirst="Pending.GRL_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.404] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8b18c4, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf175ab57, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3e00, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Pending.GRL_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.404] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.404] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 67 [0082.404] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\MF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\mf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.405] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.406] CloseHandle (hObject=0x434) returned 1 [0082.406] GetProcessHeap () returned 0x3a00000 [0082.406] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.406] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NetFramework", cAlternateFileName="NETFRA~1")) returned 1 [0082.406] lstrcmpiW (lpString1="NetFramework", lpString2="Windows") returned -1 [0082.406] lstrcmpiW (lpString1="NetFramework", lpString2="$Recycle.bin") returned 1 [0082.406] lstrcmpiW (lpString1="NetFramework", lpString2="System Volume Information") returned -1 [0082.406] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files") returned -1 [0082.406] lstrcmpiW (lpString1="NetFramework", lpString2="Program Files (x86)") returned -1 [0082.406] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework") returned 45 [0082.406] lstrcmpW (lpString1="NetFramework", lpString2=".") returned 1 [0082.406] lstrcmpW (lpString1="NetFramework", lpString2="..") returned 1 [0082.406] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.406] GetProcessHeap () returned 0x3a00000 [0082.406] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.406] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*") returned 47 [0082.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0082.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\.") returned 47 [0082.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.407] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80e29d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\..") returned 48 [0082.407] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.407] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.407] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.407] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.407] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.407] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.407] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.407] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.407] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.407] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 1 [0082.407] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Windows") returned -1 [0082.407] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="$Recycle.bin") returned 1 [0082.407] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="System Volume Information") returned -1 [0082.407] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files") returned -1 [0082.407] lstrcmpiW (lpString1="BreadcrumbStore", lpString2="Program Files (x86)") returned -1 [0082.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore") returned 61 [0082.407] lstrcmpW (lpString1="BreadcrumbStore", lpString2=".") returned 1 [0082.407] lstrcmpW (lpString1="BreadcrumbStore", lpString2="..") returned 1 [0082.408] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.408] GetProcessHeap () returned 0x3a00000 [0082.408] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*") returned 63 [0082.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0082.408] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.408] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.408] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.408] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.408] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\.") returned 63 [0082.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.408] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.408] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.408] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.408] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.408] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.408] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\..") returned 64 [0082.408] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.408] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.408] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.408] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.408] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.408] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.408] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0082.409] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\BreadcrumbStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\breadcrumbstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.409] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.410] CloseHandle (hObject=0x438) returned 1 [0082.410] GetProcessHeap () returned 0x3a00000 [0082.410] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.410] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c95299, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80f277, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c95299, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="BreadcrumbStore", cAlternateFileName="BREADC~1")) returned 0 [0082.411] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0082.411] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.411] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\NetFramework\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\netframework\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.412] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.413] CloseHandle (hObject=0x434) returned 1 [0082.413] GetProcessHeap () returned 0x3a00000 [0082.413] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.413] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network", cAlternateFileName="")) returned 1 [0082.413] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0082.413] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0082.413] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0082.413] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0082.413] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0082.413] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network") returned 40 [0082.413] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0082.413] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0082.413] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.413] GetProcessHeap () returned 0x3a00000 [0082.413] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.413] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*") returned 42 [0082.413] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.413] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.413] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.413] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.413] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.413] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.413] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\.") returned 42 [0082.413] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.413] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbd80ffe4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.413] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.413] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.413] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.413] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.414] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.414] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\..") returned 43 [0082.414] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.414] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.414] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf188bc72, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf188bc72, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.414] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.414] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.414] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.414] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.414] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.414] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0082.414] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.414] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.414] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0082.414] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0082.414] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0082.414] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0082.414] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0082.414] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0082.414] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections") returned 52 [0082.414] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0082.414] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0082.414] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.414] GetProcessHeap () returned 0x3a00000 [0082.414] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.414] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*") returned 54 [0082.414] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf17a6dc0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0082.414] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.414] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.414] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.414] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.414] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.414] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\.") returned 54 [0082.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.415] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf17a6dc0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.415] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.415] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.415] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.415] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.415] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.415] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\..") returned 55 [0082.415] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.415] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.415] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf17a6dc0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf17a6dc0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf17a6dc0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.415] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.415] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.415] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.415] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.415] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.415] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0082.415] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.415] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.415] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xcf245536, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cm", cAlternateFileName="")) returned 1 [0082.415] lstrcmpiW (lpString1="Cm", lpString2="Windows") returned -1 [0082.415] lstrcmpiW (lpString1="Cm", lpString2="$Recycle.bin") returned 1 [0082.415] lstrcmpiW (lpString1="Cm", lpString2="System Volume Information") returned -1 [0082.415] lstrcmpiW (lpString1="Cm", lpString2="Program Files") returned -1 [0082.415] lstrcmpiW (lpString1="Cm", lpString2="Program Files (x86)") returned -1 [0082.415] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm") returned 55 [0082.415] lstrcmpW (lpString1="Cm", lpString2=".") returned 1 [0082.415] lstrcmpW (lpString1="Cm", lpString2="..") returned 1 [0082.415] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.415] GetProcessHeap () returned 0x3a00000 [0082.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.415] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\*") returned 57 [0082.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0082.416] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.416] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.416] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.416] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.416] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.416] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\.") returned 57 [0082.416] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.416] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf245536, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xcf245536, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.416] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.416] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.416] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.416] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.416] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\..") returned 58 [0082.416] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.416] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.416] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.416] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.416] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.416] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.416] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.416] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0082.416] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\cm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.417] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.418] CloseHandle (hObject=0x43c) returned 1 [0082.418] GetProcessHeap () returned 0x3a00000 [0082.418] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.418] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 1 [0082.418] lstrcmpiW (lpString1="CM_old", lpString2="Windows") returned -1 [0082.418] lstrcmpiW (lpString1="CM_old", lpString2="$Recycle.bin") returned 1 [0082.418] lstrcmpiW (lpString1="CM_old", lpString2="System Volume Information") returned -1 [0082.418] lstrcmpiW (lpString1="CM_old", lpString2="Program Files") returned -1 [0082.418] lstrcmpiW (lpString1="CM_old", lpString2="Program Files (x86)") returned -1 [0082.418] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old") returned 59 [0082.419] lstrcmpW (lpString1="CM_old", lpString2=".") returned 1 [0082.419] lstrcmpW (lpString1="CM_old", lpString2="..") returned 1 [0082.419] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.419] GetProcessHeap () returned 0x3a00000 [0082.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.419] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\*") returned 61 [0082.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0082.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.419] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\.") returned 61 [0082.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.419] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf1780c2c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.419] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.419] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.419] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\..") returned 62 [0082.419] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.419] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.419] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf17a6dc0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.419] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.419] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.419] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.419] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.419] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.419] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.419] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.420] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.420] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1780c2c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1780c2c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf17a6dc0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.420] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0082.420] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.420] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\CM_old\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\cm_old\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.421] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.422] CloseHandle (hObject=0x43c) returned 1 [0082.422] GetProcessHeap () returned 0x3a00000 [0082.422] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.422] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe0745f2f, ftCreationTime.dwHighDateTime=0x1d32720, ftLastAccessTime.dwLowDateTime=0xbd895aed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe0745f2f, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CM_old", cAlternateFileName="")) returned 0 [0082.422] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0082.422] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0082.422] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\connections\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.423] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.424] CloseHandle (hObject=0x438) returned 1 [0082.424] GetProcessHeap () returned 0x3a00000 [0082.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.424] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1865c6e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1865c6e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 1 [0082.424] lstrcmpiW (lpString1="Downloader", lpString2="Windows") returned -1 [0082.424] lstrcmpiW (lpString1="Downloader", lpString2="$Recycle.bin") returned 1 [0082.424] lstrcmpiW (lpString1="Downloader", lpString2="System Volume Information") returned -1 [0082.424] lstrcmpiW (lpString1="Downloader", lpString2="Program Files") returned -1 [0082.424] lstrcmpiW (lpString1="Downloader", lpString2="Program Files (x86)") returned -1 [0082.424] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader") returned 51 [0082.424] lstrcmpW (lpString1="Downloader", lpString2=".") returned 1 [0082.424] lstrcmpW (lpString1="Downloader", lpString2="..") returned 1 [0082.424] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.424] GetProcessHeap () returned 0x3a00000 [0082.424] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.424] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*") returned 53 [0082.424] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1865c6e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0082.424] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.424] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.424] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.424] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.424] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.424] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\.") returned 53 [0082.424] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.425] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1865c6e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.425] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.425] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.425] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.425] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.425] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.425] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\..") returned 54 [0082.425] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.425] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.425] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf188bc72, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf188bc72, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.425] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.425] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.425] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.425] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.425] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.425] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.425] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.425] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.425] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf17cd2ef, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.chk_r00t_{8ew5f6}.ebal", cAlternateFileName="EDBCHK~1.EBA")) returned 1 [0082.425] lstrcmpiW (lpString1="edb.chk_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.425] lstrcmpiW (lpString1="edb.chk_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.425] lstrcmpiW (lpString1="edb.chk_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.425] lstrcmpiW (lpString1="edb.chk_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.425] lstrcmpiW (lpString1="edb.chk_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.425] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edb.chk_r00t_{8ew5f6}.ebal") returned 78 [0082.425] StrStrIW (lpFirst="edb.chk_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.425] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e26fff, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576f6993, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0082.425] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0082.425] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0082.425] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0082.425] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0082.425] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0082.425] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edb.log") returned 59 [0082.425] StrStrIW (lpFirst="edb.log", lpSrch=".ebal") returned 0x0 [0082.425] lstrcmpW (lpString1="edb.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.425] lstrcmpW (lpString1="edb.log", lpString2="taridd") returned -1 [0082.426] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edb.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.426] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edb.log" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.426] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e4d293, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1819775, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00001.jrs_r00t_{8ew5f6}.ebal", cAlternateFileName="EDBRES~1.EBA")) returned 1 [0082.426] lstrcmpiW (lpString1="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.426] lstrcmpiW (lpString1="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.426] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edbres00001.jrs_r00t_{8ew5f6}.ebal") returned 86 [0082.426] StrStrIW (lpFirst="edbres00001.jrs_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.426] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1865c6e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00002.jrs_r00t_{8ew5f6}.ebal", cAlternateFileName="EDBRES~2.EBA")) returned 1 [0082.426] lstrcmpiW (lpString1="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.426] lstrcmpiW (lpString1="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.426] lstrcmpiW (lpString1="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.426] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edbres00002.jrs_r00t_{8ew5f6}.ebal") returned 86 [0082.426] StrStrIW (lpFirst="edbres00002.jrs_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.426] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e26fff, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e4d293, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf1865c6e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbtmp.log_r00t_{8ew5f6}.ebal", cAlternateFileName="EDBTMP~1.EBA")) returned 1 [0082.426] lstrcmpiW (lpString1="edbtmp.log_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.426] lstrcmpiW (lpString1="edbtmp.log_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.426] lstrcmpiW (lpString1="edbtmp.log_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.426] lstrcmpiW (lpString1="edbtmp.log_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.426] lstrcmpiW (lpString1="edbtmp.log_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.426] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\edbtmp.log_r00t_{8ew5f6}.ebal") returned 81 [0082.426] StrStrIW (lpFirst="edbtmp.log_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.426] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc5e99732, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e99732, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xe49b4985, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x140000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.db", cAlternateFileName="")) returned 1 [0082.426] lstrcmpiW (lpString1="qmgr.db", lpString2="Windows") returned -1 [0082.426] lstrcmpiW (lpString1="qmgr.db", lpString2="$Recycle.bin") returned 1 [0082.426] lstrcmpiW (lpString1="qmgr.db", lpString2="System Volume Information") returned -1 [0082.427] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files") returned 1 [0082.427] lstrcmpiW (lpString1="qmgr.db", lpString2="Program Files (x86)") returned 1 [0082.427] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.db") returned 59 [0082.427] StrStrIW (lpFirst="qmgr.db", lpSrch=".ebal") returned 0x0 [0082.427] lstrcmpW (lpString1="qmgr.db", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.427] lstrcmpW (lpString1="qmgr.db", lpString2="taridd") returned -1 [0082.427] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.db", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.427] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 1 [0082.427] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Windows") returned -1 [0082.427] lstrcmpiW (lpString1="qmgr.jfm", lpString2="$Recycle.bin") returned 1 [0082.427] lstrcmpiW (lpString1="qmgr.jfm", lpString2="System Volume Information") returned -1 [0082.427] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files") returned 1 [0082.427] lstrcmpiW (lpString1="qmgr.jfm", lpString2="Program Files (x86)") returned 1 [0082.427] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.jfm") returned 60 [0082.427] StrStrIW (lpFirst="qmgr.jfm", lpSrch=".ebal") returned 0x0 [0082.427] lstrcmpW (lpString1="qmgr.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.427] lstrcmpW (lpString1="qmgr.jfm", lpString2="taridd") returned -1 [0082.427] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\qmgr.jfm" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\qmgr.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.427] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc5e734dc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc5e734dc, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x576d0867, ftLastWriteTime.dwHighDateTime=0x1d4d5d3, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="qmgr.jfm", cAlternateFileName="")) returned 0 [0082.427] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0082.427] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.427] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\Downloader\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\downloader\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.428] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.429] CloseHandle (hObject=0x438) returned 1 [0082.429] GetProcessHeap () returned 0x3a00000 [0082.429] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.429] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf1865c6e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1865c6e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Downloader", cAlternateFileName="DOWNLO~1")) returned 0 [0082.429] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.430] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0082.430] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\network\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.431] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.432] CloseHandle (hObject=0x434) returned 1 [0082.432] GetProcessHeap () returned 0x3a00000 [0082.432] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.432] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Office", cAlternateFileName="")) returned 1 [0082.432] lstrcmpiW (lpString1="Office", lpString2="Windows") returned -1 [0082.432] lstrcmpiW (lpString1="Office", lpString2="$Recycle.bin") returned 1 [0082.432] lstrcmpiW (lpString1="Office", lpString2="System Volume Information") returned -1 [0082.432] lstrcmpiW (lpString1="Office", lpString2="Program Files") returned -1 [0082.432] lstrcmpiW (lpString1="Office", lpString2="Program Files (x86)") returned -1 [0082.432] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office") returned 39 [0082.432] lstrcmpW (lpString1="Office", lpString2=".") returned 1 [0082.432] lstrcmpW (lpString1="Office", lpString2="..") returned 1 [0082.432] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.432] GetProcessHeap () returned 0x3a00000 [0082.432] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.432] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*") returned 41 [0082.433] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0082.433] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.433] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.433] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.433] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.433] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.433] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\.") returned 41 [0082.433] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.433] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.433] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.433] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.433] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.433] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.433] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.433] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\..") returned 42 [0082.433] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.433] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.433] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf188bc72, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf188bc72, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf188bc72, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.433] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.433] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.433] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.433] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.433] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.433] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0082.433] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.433] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.433] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 1 [0082.433] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Windows") returned -1 [0082.433] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="$Recycle.bin") returned 1 [0082.433] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="System Volume Information") returned -1 [0082.433] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files") returned -1 [0082.433] lstrcmpiW (lpString1="ClickToRunPackageLocker", lpString2="Program Files (x86)") returned -1 [0082.434] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker") returned 63 [0082.434] StrStrIW (lpFirst="ClickToRunPackageLocker", lpSrch=".ebal") returned 0x0 [0082.434] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.434] lstrcmpW (lpString1="ClickToRunPackageLocker", lpString2="taridd") returned -1 [0082.434] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\ClickToRunPackageLocker" (normalized: "c:\\users\\all users\\microsoft\\office\\clicktorunpackagelocker"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.434] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1c05089, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xc1c05089, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc1c05089, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ClickToRunPackageLocker", cAlternateFileName="CLICKT~1")) returned 0 [0082.434] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0082.434] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0082.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Office\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\office\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.435] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.436] CloseHandle (hObject=0x434) returned 1 [0082.436] GetProcessHeap () returned 0x3a00000 [0082.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.436] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfee8021d, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Provisioning", cAlternateFileName="PROVIS~1")) returned 1 [0082.436] lstrcmpiW (lpString1="Provisioning", lpString2="Windows") returned -1 [0082.436] lstrcmpiW (lpString1="Provisioning", lpString2="$Recycle.bin") returned 1 [0082.436] lstrcmpiW (lpString1="Provisioning", lpString2="System Volume Information") returned -1 [0082.436] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files") returned 1 [0082.436] lstrcmpiW (lpString1="Provisioning", lpString2="Program Files (x86)") returned 1 [0082.436] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning") returned 45 [0082.436] lstrcmpW (lpString1="Provisioning", lpString2=".") returned 1 [0082.436] lstrcmpW (lpString1="Provisioning", lpString2="..") returned 1 [0082.436] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.436] GetProcessHeap () returned 0x3a00000 [0082.436] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.436] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*") returned 47 [0082.447] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0082.448] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.448] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.448] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.448] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.448] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.448] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\.") returned 47 [0082.448] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.448] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfee8021d, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.448] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.448] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.448] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.448] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.448] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.448] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\..") returned 48 [0082.448] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.448] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.448] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c07454, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c2ac21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.448] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.448] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.448] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.448] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.448] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.448] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.448] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.448] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.448] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x60aed0fe, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x60aed0fe, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x60aed0fe, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x70bb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="countrytable.xml", cAlternateFileName="")) returned 1 [0082.448] lstrcmpiW (lpString1="countrytable.xml", lpString2="Windows") returned -1 [0082.448] lstrcmpiW (lpString1="countrytable.xml", lpString2="$Recycle.bin") returned 1 [0082.448] lstrcmpiW (lpString1="countrytable.xml", lpString2="System Volume Information") returned -1 [0082.448] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files") returned -1 [0082.448] lstrcmpiW (lpString1="countrytable.xml", lpString2="Program Files (x86)") returned -1 [0082.448] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml") returned 62 [0082.448] StrStrIW (lpFirst="countrytable.xml", lpSrch=".ebal") returned 0x0 [0082.448] lstrcmpW (lpString1="countrytable.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.449] lstrcmpW (lpString1="countrytable.xml", lpString2="taridd") returned -1 [0082.449] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.449] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\countrytable.xml" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\countrytable.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.449] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", cAlternateFileName="{18DCF~1")) returned 1 [0082.449] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Windows") returned -1 [0082.449] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="$Recycle.bin") returned 1 [0082.449] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="System Volume Information") returned -1 [0082.449] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files") returned -1 [0082.449] lstrcmpiW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="Program Files (x86)") returned -1 [0082.450] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}") returned 84 [0082.450] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2=".") returned 1 [0082.450] lstrcmpW (lpString1="{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="..") returned 1 [0082.450] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.450] GetProcessHeap () returned 0x3a00000 [0082.450] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.450] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*") returned 86 [0082.450] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.450] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.450] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.450] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.450] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.450] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.450] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\.") returned 86 [0082.450] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.450] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.450] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.450] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.450] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.450] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.450] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.450] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\..") returned 87 [0082.450] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.450] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.450] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf18d8071, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.450] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.450] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.450] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.450] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.450] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.451] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.451] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.451] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ea7c91, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ea7c91, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xd10, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.451] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.451] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.451] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.451] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.451] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.451] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.451] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.451] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.451] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.451] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.451] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.451] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.451] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.451] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.451] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.451] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.451] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.451] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.451] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.451] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov") returned 89 [0082.451] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.451] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.451] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.451] GetProcessHeap () returned 0x3a00000 [0082.451] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.451] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*") returned 91 [0082.451] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0082.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.452] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\.") returned 91 [0082.452] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.452] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.452] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.452] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.452] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.452] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.452] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.452] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\..") returned 92 [0082.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.453] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf18d8071, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.453] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.453] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.453] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.453] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.453] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.453] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.453] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.453] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.453] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.453] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime") returned 97 [0082.453] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.453] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.453] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.453] GetProcessHeap () returned 0x3a00000 [0082.453] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.453] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*") returned 99 [0082.453] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0082.453] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.453] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.453] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\.") returned 99 [0082.454] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.454] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.454] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.454] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.454] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\..") returned 100 [0082.454] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.454] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.454] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf18b1f08, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf18b1f08, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.454] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.454] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.454] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.454] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.454] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.454] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xaa2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.454] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.454] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.454] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.454] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.454] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.454] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.454] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.454] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e3557c, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e3557c, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18b1f08, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xaa2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.454] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0082.455] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.455] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.456] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.457] CloseHandle (hObject=0x440) returned 1 [0082.457] GetProcessHeap () returned 0x3a00000 [0082.457] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.457] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.457] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.457] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.457] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.457] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.457] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.457] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.457] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.457] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0082.457] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.458] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.459] CloseHandle (hObject=0x43c) returned 1 [0082.459] GetProcessHeap () returned 0x3a00000 [0082.459] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.459] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf18d8071, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf18d8071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.459] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.459] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.459] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.460] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.461] CloseHandle (hObject=0x438) returned 1 [0082.461] GetProcessHeap () returned 0x3a00000 [0082.461] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.461] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf194aa7c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf194aa7c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{1e05dd5d-a022-46c5-963c-b20de341170f}", cAlternateFileName="{1E05D~1")) returned 1 [0082.461] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Windows") returned -1 [0082.461] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="$Recycle.bin") returned 1 [0082.461] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="System Volume Information") returned -1 [0082.462] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files") returned -1 [0082.462] lstrcmpiW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="Program Files (x86)") returned -1 [0082.462] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}") returned 84 [0082.462] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2=".") returned 1 [0082.462] lstrcmpW (lpString1="{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="..") returned 1 [0082.462] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.462] GetProcessHeap () returned 0x3a00000 [0082.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*") returned 86 [0082.462] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf194aa7c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0082.462] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.462] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.462] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.462] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.462] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\.") returned 86 [0082.462] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.462] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf194aa7c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.462] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.462] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.462] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.462] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.462] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\..") returned 87 [0082.462] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.462] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.462] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b86b02, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.462] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.462] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.462] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.463] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.463] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.463] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.463] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.463] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf18fe327, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x888, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.463] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.463] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.463] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.463] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.463] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.463] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.463] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ebc18d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ebc18d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf194aa7c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.463] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.463] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.463] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.463] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.463] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.463] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.463] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.463] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.463] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.463] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.463] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.463] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.463] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov") returned 89 [0082.463] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.463] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.463] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.463] GetProcessHeap () returned 0x3a00000 [0082.463] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.463] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*") returned 91 [0082.463] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.464] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.464] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.464] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.464] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.464] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.464] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\.") returned 91 [0082.464] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.464] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.464] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.464] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.464] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.464] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.464] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.464] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\..") returned 92 [0082.464] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.464] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.464] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b86b02, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.464] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.464] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.464] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.464] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.464] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.464] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.464] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.464] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.464] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b6098a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.464] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.464] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.464] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.464] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.464] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.464] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime") returned 97 [0082.464] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.465] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.465] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.465] GetProcessHeap () returned 0x3a00000 [0082.465] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.465] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*") returned 99 [0082.465] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b6098a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.465] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.465] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.465] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.465] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.465] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.465] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\.") returned 99 [0082.465] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.465] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b6098a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.465] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.465] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.465] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.465] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.465] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.465] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\..") returned 100 [0082.465] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.465] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.465] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1b6098a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1b6098a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.465] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.465] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.465] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.465] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.465] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.465] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.465] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.465] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.465] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e6fcbc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e6fcbc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1a2f6d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.465] lstrcmpiW (lpString1="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.466] lstrcmpiW (lpString1="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.466] lstrcmpiW (lpString1="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.466] lstrcmpiW (lpString1="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.466] lstrcmpiW (lpString1="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.466] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\0__Power_Controls.provxml_r00t_{8ew5f6}.ebal") returned 142 [0082.466] StrStrIW (lpFirst="0__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.466] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.466] lstrcmpiW (lpString1="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.466] lstrcmpiW (lpString1="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.466] lstrcmpiW (lpString1="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.466] lstrcmpiW (lpString1="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.466] lstrcmpiW (lpString1="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.466] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\1__Power_Controls.provxml_r00t_{8ew5f6}.ebal") returned 142 [0082.466] StrStrIW (lpFirst="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.466] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1b6098a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Controls.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.466] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.466] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.466] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.467] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.468] CloseHandle (hObject=0x440) returned 1 [0082.468] GetProcessHeap () returned 0x3a00000 [0082.468] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.468] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x52f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.468] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.468] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.468] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.468] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.468] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.468] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.468] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.469] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e95f21, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e95f21, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x52f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.469] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.469] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.469] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.470] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.471] CloseHandle (hObject=0x43c) returned 1 [0082.471] GetProcessHeap () returned 0x3a00000 [0082.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.471] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d139154, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1b86b02, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1b86b02, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.471] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0082.471] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.471] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{1e05dd5d-a022-46c5-963c-b20de341170f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.472] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.473] CloseHandle (hObject=0x438) returned 1 [0082.473] GetProcessHeap () returned 0x3a00000 [0082.473] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.473] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bacd09, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bacd09, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{23cb517f-5073-4e96-a202-7fe6122a2271}", cAlternateFileName="{23CB5~1")) returned 1 [0082.473] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Windows") returned -1 [0082.473] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="$Recycle.bin") returned 1 [0082.473] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="System Volume Information") returned -1 [0082.473] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files") returned -1 [0082.473] lstrcmpiW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="Program Files (x86)") returned -1 [0082.473] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}") returned 84 [0082.473] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2=".") returned 1 [0082.473] lstrcmpW (lpString1="{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="..") returned 1 [0082.473] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.473] GetProcessHeap () returned 0x3a00000 [0082.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.473] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*") returned 86 [0082.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bacd09, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0082.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.474] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.474] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.474] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\.") returned 86 [0082.474] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.474] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bacd09, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.474] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.474] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.474] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.474] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.474] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\..") returned 87 [0082.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.474] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bd3181, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.474] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.474] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.474] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540f90a7, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540f90a7, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bacd09, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x103d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.474] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.474] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.474] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.474] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.474] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.474] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.474] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bacd09, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.474] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.474] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.474] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.475] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.475] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.475] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.475] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.475] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.475] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.475] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.475] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.475] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.475] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.475] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov") returned 89 [0082.475] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.475] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.475] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.475] GetProcessHeap () returned 0x3a00000 [0082.475] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*") returned 91 [0082.475] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0082.475] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.475] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\.") returned 91 [0082.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.475] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\..") returned 92 [0082.476] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.476] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.476] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bd3181, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.476] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.476] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.476] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.476] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.476] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.476] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.476] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.476] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.476] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.476] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.476] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.476] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.476] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.476] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.476] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime") returned 97 [0082.476] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.476] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.476] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.476] GetProcessHeap () returned 0x3a00000 [0082.476] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.476] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*") returned 99 [0082.476] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.476] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.476] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.476] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.476] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.476] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.476] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\.") returned 99 [0082.476] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.476] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.477] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.477] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.477] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.477] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.477] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.477] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\..") returned 100 [0082.477] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.477] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.477] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1bd3181, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.477] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.477] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.477] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.477] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.477] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.477] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.477] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.477] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.477] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1061, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.477] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.477] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.477] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.477] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.477] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.477] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.477] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.477] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54060701, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54060701, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1061, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.477] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.477] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.477] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.478] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.479] CloseHandle (hObject=0x440) returned 1 [0082.479] GetProcessHeap () returned 0x3a00000 [0082.479] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.479] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.479] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.479] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.479] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.479] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.479] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.480] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.480] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.480] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5408696e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5408696e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.480] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0082.480] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.481] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.482] CloseHandle (hObject=0x43c) returned 1 [0082.482] GetProcessHeap () returned 0x3a00000 [0082.482] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.482] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bd3181, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bd3181, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.482] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0082.482] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.482] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{23cb517f-5073-4e96-a202-7fe6122a2271}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.483] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.484] CloseHandle (hObject=0x438) returned 1 [0082.484] GetProcessHeap () returned 0x3a00000 [0082.484] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.484] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bf94ab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1bf94ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", cAlternateFileName="{268C4~1")) returned 1 [0082.484] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Windows") returned -1 [0082.484] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="$Recycle.bin") returned 1 [0082.484] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="System Volume Information") returned -1 [0082.484] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files") returned -1 [0082.484] lstrcmpiW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="Program Files (x86)") returned -1 [0082.484] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}") returned 84 [0082.484] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2=".") returned 1 [0082.484] lstrcmpW (lpString1="{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="..") returned 1 [0082.484] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.484] GetProcessHeap () returned 0x3a00000 [0082.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.484] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*") returned 86 [0082.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bf94ab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.484] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.484] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.484] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.485] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\.") returned 86 [0082.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.485] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1bf94ab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.485] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.485] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.485] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.485] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.485] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.485] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\..") returned 87 [0082.485] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.485] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.485] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c6bb4f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.485] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.485] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.485] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.485] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bf94ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.496] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.496] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.496] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.496] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.496] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1bf94ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.496] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.496] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.496] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.496] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.496] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.496] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.496] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.496] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.496] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.496] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.496] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov") returned 89 [0082.496] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.496] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.496] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.496] GetProcessHeap () returned 0x3a00000 [0082.496] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.496] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*") returned 91 [0082.496] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.497] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.497] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.497] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.497] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.497] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.497] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\.") returned 91 [0082.497] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.497] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.497] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.497] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.497] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.497] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.497] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.497] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\..") returned 92 [0082.497] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.497] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.497] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c6bb4f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.497] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.497] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.497] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.497] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.497] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.497] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.497] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.497] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.497] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c459bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.497] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.497] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.497] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.497] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.497] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.498] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime") returned 97 [0082.498] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.498] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.498] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.498] GetProcessHeap () returned 0x3a00000 [0082.498] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.498] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*") returned 99 [0082.498] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c459bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0082.498] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.498] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.498] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.498] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.498] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.498] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\.") returned 99 [0082.498] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.498] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c459bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.498] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.498] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.498] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.498] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.498] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.498] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\..") returned 100 [0082.498] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.498] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.498] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c459bf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1c459bf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.498] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.498] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.498] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.498] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.498] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.498] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.498] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.498] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.499] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x72b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.499] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.499] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.499] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.499] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.499] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.499] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.499] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.499] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53dc2e6f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53dc2e6f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c459bf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x72b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.499] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0082.499] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.499] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.500] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.501] CloseHandle (hObject=0x440) returned 1 [0082.501] GetProcessHeap () returned 0x3a00000 [0082.501] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.501] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x530, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.501] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.501] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.501] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.501] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.501] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.502] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.502] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.502] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x530, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.502] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.502] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.502] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.503] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.504] CloseHandle (hObject=0x43c) returned 1 [0082.504] GetProcessHeap () returned 0x3a00000 [0082.504] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.504] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d26a2f7, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c6bb4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.504] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.504] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.504] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.505] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.506] CloseHandle (hObject=0x438) returned 1 [0082.506] GetProcessHeap () returned 0x3a00000 [0082.506] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.506] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", cAlternateFileName="{33D78~1")) returned 1 [0082.506] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Windows") returned -1 [0082.506] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="$Recycle.bin") returned 1 [0082.506] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="System Volume Information") returned -1 [0082.506] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files") returned -1 [0082.506] lstrcmpiW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="Program Files (x86)") returned -1 [0082.506] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}") returned 84 [0082.506] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2=".") returned 1 [0082.506] lstrcmpW (lpString1="{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="..") returned 1 [0082.506] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.506] GetProcessHeap () returned 0x3a00000 [0082.506] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.506] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*") returned 86 [0082.506] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.506] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.506] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.506] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.506] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.506] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.506] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\.") returned 86 [0082.507] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.507] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.507] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.507] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.507] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.507] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.507] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.507] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\..") returned 87 [0082.507] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.507] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.507] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1cde27b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1cde27b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.507] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.507] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.507] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.507] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.507] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.507] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.507] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.507] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.507] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c6bb4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x923, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.507] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.507] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.507] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.507] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.507] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.507] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.507] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.507] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.507] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.507] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.507] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.507] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.507] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.507] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.507] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.507] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.508] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.508] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.508] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.508] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.508] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.508] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov") returned 89 [0082.508] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.508] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.508] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.508] GetProcessHeap () returned 0x3a00000 [0082.508] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.508] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*") returned 91 [0082.508] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.508] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.508] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.508] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.508] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.508] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.508] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\.") returned 91 [0082.508] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.508] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.508] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.508] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.508] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.508] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.508] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.508] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\..") returned 92 [0082.508] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.508] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.508] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1cde27b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1cde27b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.508] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.508] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.509] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.509] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.509] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.509] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.509] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.509] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.509] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.509] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.509] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.509] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.509] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.509] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.509] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime") returned 97 [0082.509] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.509] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.509] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.509] GetProcessHeap () returned 0x3a00000 [0082.509] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.509] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*") returned 99 [0082.509] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0082.509] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.509] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.509] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.509] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.509] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.509] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\.") returned 99 [0082.509] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.509] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.509] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.509] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.509] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.509] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.509] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.509] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\..") returned 100 [0082.510] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.510] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.510] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1c91ba4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.510] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.510] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.510] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.510] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.510] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.510] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.510] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.510] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.510] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.510] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.510] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.510] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.510] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.510] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.510] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.510] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.510] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53eab83a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53eab83a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.510] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0082.510] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.511] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.512] CloseHandle (hObject=0x440) returned 1 [0082.512] GetProcessHeap () returned 0x3a00000 [0082.512] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.512] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.512] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.512] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.512] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.512] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.512] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.512] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.512] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.512] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ed1a9f, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ed1a9f, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.512] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.512] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.513] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.513] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.514] CloseHandle (hObject=0x43c) returned 1 [0082.514] GetProcessHeap () returned 0x3a00000 [0082.515] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.515] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1c91ba4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1c91ba4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.515] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.515] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.515] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.516] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.517] CloseHandle (hObject=0x438) returned 1 [0082.517] GetProcessHeap () returned 0x3a00000 [0082.517] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.517] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", cAlternateFileName="{3742E~1")) returned 1 [0082.517] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Windows") returned -1 [0082.517] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="$Recycle.bin") returned 1 [0082.517] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="System Volume Information") returned -1 [0082.517] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files") returned -1 [0082.517] lstrcmpiW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="Program Files (x86)") returned -1 [0082.517] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}") returned 84 [0082.517] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2=".") returned 1 [0082.517] lstrcmpW (lpString1="{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="..") returned 1 [0082.517] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.517] GetProcessHeap () returned 0x3a00000 [0082.517] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.517] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*") returned 86 [0082.517] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.517] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.517] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.517] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.517] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.517] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.518] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\.") returned 86 [0082.518] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.518] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.518] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.518] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.518] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.518] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.518] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.518] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\..") returned 87 [0082.518] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.518] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.518] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d2a58c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.518] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.518] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.518] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.518] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.518] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.518] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.518] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.518] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.518] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410e9a1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410e9a1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1cde27b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x14c8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="CUSTOM~1.EBA")) returned 1 [0082.518] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.518] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.518] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.518] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.518] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.518] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.518] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.518] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x540c24cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x540c24cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0082.518] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.518] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.518] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.518] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.518] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.518] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.518] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.518] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.519] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.519] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.519] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.519] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.519] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.519] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov") returned 89 [0082.519] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.519] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.519] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.519] GetProcessHeap () returned 0x3a00000 [0082.519] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.519] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*") returned 91 [0082.519] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.519] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.519] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.519] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.519] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.519] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.519] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\.") returned 91 [0082.519] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.519] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.519] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.519] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.519] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.519] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.519] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.519] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\..") returned 92 [0082.519] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.519] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.519] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d2a58c, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.519] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.519] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.520] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.520] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.520] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.520] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.520] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.520] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.520] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.520] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.520] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.520] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.520] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.520] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.520] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime") returned 97 [0082.520] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.520] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.520] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.520] GetProcessHeap () returned 0x3a00000 [0082.520] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.520] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*") returned 99 [0082.520] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.520] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.520] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.520] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.520] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.520] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.520] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\.") returned 99 [0082.520] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.520] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.520] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.520] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.520] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.520] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.520] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\..") returned 100 [0082.522] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.522] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.522] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d045de, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d045de, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.522] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.522] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.522] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.522] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.522] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.522] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.522] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.522] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54075ff8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54075ff8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xaa4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="0__POW~1.EBA")) returned 1 [0082.522] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.522] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.522] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.522] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.522] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.522] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.522] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc89, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="1__POW~1.EBA")) returned 1 [0082.522] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.522] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.522] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.522] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.522] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.522] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.522] StrStrIW (lpFirst="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.522] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d045de, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc89, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="1__POW~1.EBA")) returned 0 [0082.522] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.523] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.523] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.524] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.524] CloseHandle (hObject=0x440) returned 1 [0082.525] GetProcessHeap () returned 0x3a00000 [0082.525] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.525] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 1 [0082.525] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.525] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.525] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.525] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.525] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.525] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.525] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.525] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5409c262, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5409c262, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 0 [0082.525] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.525] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.525] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.526] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.527] CloseHandle (hObject=0x43c) returned 1 [0082.527] GetProcessHeap () returned 0x3a00000 [0082.527] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.527] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x217b4a1a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d2a58c, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d2a58c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.527] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.527] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.527] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.528] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.529] CloseHandle (hObject=0x438) returned 1 [0082.529] GetProcessHeap () returned 0x3a00000 [0082.529] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.529] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d5072e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d5072e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", cAlternateFileName="{7A30A~1")) returned 1 [0082.529] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Windows") returned -1 [0082.529] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="$Recycle.bin") returned 1 [0082.529] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="System Volume Information") returned -1 [0082.529] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files") returned -1 [0082.529] lstrcmpiW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="Program Files (x86)") returned -1 [0082.529] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}") returned 84 [0082.529] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2=".") returned 1 [0082.529] lstrcmpW (lpString1="{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="..") returned 1 [0082.529] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.529] GetProcessHeap () returned 0x3a00000 [0082.529] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.529] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*") returned 86 [0082.530] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d5072e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0082.530] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.530] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.530] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.530] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.530] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.530] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\.") returned 86 [0082.530] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.530] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d5072e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.530] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.530] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.530] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.530] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.530] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.530] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\..") returned 87 [0082.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.564] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d9cf9a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.564] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.564] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.564] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fff1c4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fff1c4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d5072e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x175c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.564] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.564] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.564] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.564] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.564] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.564] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.564] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8cab3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8cab3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d5072e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.565] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.565] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.565] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.565] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.565] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.565] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.565] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.565] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.565] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.565] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.565] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.565] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov") returned 89 [0082.565] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.565] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.565] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.565] GetProcessHeap () returned 0x3a00000 [0082.565] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.565] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*") returned 91 [0082.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\.") returned 91 [0082.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.566] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\..") returned 92 [0082.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.566] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d9cf9a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.566] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.566] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.566] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d76c20, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.566] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.566] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.566] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.566] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.566] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime") returned 97 [0082.566] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.566] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.566] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.566] GetProcessHeap () returned 0x3a00000 [0082.566] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.567] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*") returned 99 [0082.567] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d76c20, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0082.567] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.567] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.567] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.567] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.567] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.567] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\.") returned 99 [0082.567] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.567] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d76c20, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.567] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.567] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.567] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.567] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.567] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.567] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\..") returned 100 [0082.567] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.567] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.567] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1d76c20, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1d76c20, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.567] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.567] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.567] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.567] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f405fa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f405fa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1070, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.568] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.568] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.568] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.568] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.568] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.568] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.568] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.568] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa9a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.568] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.568] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.568] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.568] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.568] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.568] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.568] StrStrIW (lpFirst="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.568] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d76c20, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa9a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.568] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0082.568] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.568] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.569] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.570] CloseHandle (hObject=0x440) returned 1 [0082.571] GetProcessHeap () returned 0x3a00000 [0082.571] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.571] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.571] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.571] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.571] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.571] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.571] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.571] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.571] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.571] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66853, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66853, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.571] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0082.571] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.571] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.572] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.573] CloseHandle (hObject=0x43c) returned 1 [0082.573] GetProcessHeap () returned 0x3a00000 [0082.573] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.573] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1d195e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1d9cf9a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1d9cf9a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.573] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0082.573] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.573] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.590] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.591] CloseHandle (hObject=0x438) returned 1 [0082.591] GetProcessHeap () returned 0x3a00000 [0082.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.591] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1dc8147, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1dc8147, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", cAlternateFileName="{8D196~1")) returned 1 [0082.591] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Windows") returned -1 [0082.591] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="$Recycle.bin") returned 1 [0082.591] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="System Volume Information") returned -1 [0082.591] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files") returned -1 [0082.591] lstrcmpiW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="Program Files (x86)") returned -1 [0082.591] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}") returned 84 [0082.591] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2=".") returned 1 [0082.591] lstrcmpW (lpString1="{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="..") returned 1 [0082.591] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.591] GetProcessHeap () returned 0x3a00000 [0082.591] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.591] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*") returned 86 [0082.591] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1dc8147, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0082.591] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.591] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.591] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\.") returned 86 [0082.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.592] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1dc8147, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\..") returned 87 [0082.592] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.592] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.592] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1e0f642, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.592] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.592] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.592] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.592] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.592] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.592] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.592] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.592] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1dc8147, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.592] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.592] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.592] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.592] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.592] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.592] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.592] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.592] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1dc8147, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.592] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.593] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.593] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.593] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.593] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.593] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.593] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.593] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.593] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.593] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.593] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.593] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.593] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.593] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov") returned 89 [0082.593] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.593] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.593] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.593] GetProcessHeap () returned 0x3a00000 [0082.594] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.594] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*") returned 91 [0082.594] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0082.594] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.594] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.594] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.594] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.594] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.594] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\.") returned 91 [0082.594] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.594] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.594] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.594] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.594] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.594] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.594] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.594] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\..") returned 92 [0082.594] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.594] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.594] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1e0f642, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.594] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.594] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.594] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.594] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.594] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.594] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.594] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.594] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.595] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1de92b6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.595] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.595] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.595] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.595] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.595] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.595] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime") returned 97 [0082.595] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.595] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.595] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.595] GetProcessHeap () returned 0x3a00000 [0082.595] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.595] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*") returned 99 [0082.595] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1de92b6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.595] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.595] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.595] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.595] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.595] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.595] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\.") returned 99 [0082.595] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.595] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1de92b6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.595] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.595] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.595] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.595] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.595] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.595] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\..") returned 100 [0082.595] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.596] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1de92b6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1de92b6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.596] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.596] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.596] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.596] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x553, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.596] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.596] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.596] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.596] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.596] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.596] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.596] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.596] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ecd6b4, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ecd6b4, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1de92b6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x553, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.596] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.596] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.596] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.597] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.598] CloseHandle (hObject=0x440) returned 1 [0082.598] GetProcessHeap () returned 0x3a00000 [0082.598] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.598] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.598] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.598] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.598] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.598] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.598] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.598] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.599] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.599] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef390d, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef390d, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.599] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0082.599] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.599] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.600] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.601] CloseHandle (hObject=0x43c) returned 1 [0082.601] GetProcessHeap () returned 0x3a00000 [0082.601] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.601] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e0f642, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.601] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0082.601] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.601] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.602] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.603] CloseHandle (hObject=0x438) returned 1 [0082.603] GetProcessHeap () returned 0x3a00000 [0082.603] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.603] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e35832, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e35832, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", cAlternateFileName="{8FB7D~1")) returned 1 [0082.603] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Windows") returned -1 [0082.603] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="$Recycle.bin") returned 1 [0082.603] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="System Volume Information") returned -1 [0082.603] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files") returned -1 [0082.603] lstrcmpiW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="Program Files (x86)") returned -1 [0082.603] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}") returned 84 [0082.603] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2=".") returned 1 [0082.603] lstrcmpW (lpString1="{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="..") returned 1 [0082.603] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.603] GetProcessHeap () returned 0x3a00000 [0082.603] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.603] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*") returned 86 [0082.603] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e35832, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0082.604] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.604] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.604] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.604] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.604] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.604] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\.") returned 86 [0082.604] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.604] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e35832, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.604] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.604] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.604] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.604] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.604] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.604] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\..") returned 87 [0082.604] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.604] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.604] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1e5bab1, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.604] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.604] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.604] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.604] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.604] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.604] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.604] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.604] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.604] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fedfc8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fedfc8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e0f642, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x704, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.604] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.604] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.604] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.604] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.604] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.605] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.605] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e35832, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.605] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.605] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.605] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.605] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.605] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.605] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.605] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.605] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.605] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.605] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.605] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.605] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov") returned 89 [0082.605] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.605] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.605] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.605] GetProcessHeap () returned 0x3a00000 [0082.605] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.605] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*") returned 91 [0082.605] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0082.605] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.605] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.605] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.605] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.605] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.606] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\.") returned 91 [0082.606] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.606] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.606] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.606] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.606] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.606] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.606] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.606] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\..") returned 92 [0082.606] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.606] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.606] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1e5bab1, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.606] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.606] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.606] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.606] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.606] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.606] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.606] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.606] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.606] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.606] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.606] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.606] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.606] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.606] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.606] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime") returned 97 [0082.606] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.606] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.606] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.606] GetProcessHeap () returned 0x3a00000 [0082.606] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.606] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*") returned 99 [0082.607] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0082.607] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.607] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.607] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.607] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.607] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.607] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\.") returned 99 [0082.607] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.607] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.607] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.607] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.607] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.607] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.607] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.607] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\..") returned 100 [0082.607] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.607] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.607] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1e5bab1, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.607] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.607] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.607] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.607] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.607] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.607] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.607] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.607] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.607] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.608] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.608] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.608] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.608] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.608] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.608] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.608] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.608] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.608] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0082.608] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.608] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.628] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.629] CloseHandle (hObject=0x440) returned 1 [0082.629] GetProcessHeap () returned 0x3a00000 [0082.629] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.630] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.630] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.630] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.630] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.630] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.630] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.630] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.630] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.630] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x486, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.630] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0082.630] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.630] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.631] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.632] CloseHandle (hObject=0x43c) returned 1 [0082.632] GetProcessHeap () returned 0x3a00000 [0082.632] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.632] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e5bab1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e5bab1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.632] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0082.632] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.632] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.633] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.634] CloseHandle (hObject=0x438) returned 1 [0082.634] GetProcessHeap () returned 0x3a00000 [0082.634] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.634] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e81b0a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1e81b0a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{99b095d8-5959-4820-bea7-7448c8427b4e}", cAlternateFileName="{99B09~1")) returned 1 [0082.634] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Windows") returned -1 [0082.634] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="$Recycle.bin") returned 1 [0082.634] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="System Volume Information") returned -1 [0082.634] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files") returned -1 [0082.634] lstrcmpiW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="Program Files (x86)") returned -1 [0082.634] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}") returned 84 [0082.634] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2=".") returned 1 [0082.634] lstrcmpW (lpString1="{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="..") returned 1 [0082.634] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.635] GetProcessHeap () returned 0x3a00000 [0082.635] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*") returned 86 [0082.635] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e81b0a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0082.635] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.635] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.635] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.635] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.635] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\.") returned 86 [0082.635] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.635] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1e81b0a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.635] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.635] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.635] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.635] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.635] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.635] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\..") returned 87 [0082.635] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.635] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.635] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1ece209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.635] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.636] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.636] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.636] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e5b7d8, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e5b7d8, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e81b0a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.636] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.636] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.636] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.636] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.636] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.636] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.636] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1e81b0a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.636] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.636] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.636] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.636] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.636] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.636] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.636] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.636] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.636] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.636] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.636] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.636] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.636] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov") returned 89 [0082.636] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.636] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.636] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.636] GetProcessHeap () returned 0x3a00000 [0082.636] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*") returned 91 [0082.637] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0082.637] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.637] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.637] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.637] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.637] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\.") returned 91 [0082.637] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.637] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.637] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.637] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.637] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.637] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.637] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\..") returned 92 [0082.637] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.637] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.637] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1ece209, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.637] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.637] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.637] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.637] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.637] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.637] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.637] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.637] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.637] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1eaae90, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.637] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.638] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.638] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.638] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.638] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.638] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime") returned 97 [0082.638] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.638] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.638] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.638] GetProcessHeap () returned 0x3a00000 [0082.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.638] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*") returned 99 [0082.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1eaae90, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0082.638] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.638] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.638] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.638] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.638] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.638] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\.") returned 99 [0082.638] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.638] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1eaae90, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.638] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.638] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.638] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.638] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.638] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.638] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\..") returned 100 [0082.638] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.638] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.638] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1eaae90, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1eaae90, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.638] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.639] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.639] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.639] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.639] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.639] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.639] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.639] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.639] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.639] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.639] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53de90cb, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53de90cb, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1eaae90, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9f4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.639] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0082.639] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.639] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.640] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.641] CloseHandle (hObject=0x440) returned 1 [0082.641] GetProcessHeap () returned 0x3a00000 [0082.641] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.641] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.641] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.641] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.641] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.641] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.641] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.641] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.641] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.641] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53e0f327, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53e0f327, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.642] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0082.642] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.642] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.643] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.643] CloseHandle (hObject=0x43c) returned 1 [0082.644] GetProcessHeap () returned 0x3a00000 [0082.644] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.644] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1854d2, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ece209, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ece209, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.644] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0082.644] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.644] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{99b095d8-5959-4820-bea7-7448c8427b4e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.645] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.646] CloseHandle (hObject=0x438) returned 1 [0082.646] GetProcessHeap () returned 0x3a00000 [0082.646] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.646] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", cAlternateFileName="{9AEC5~1")) returned 1 [0082.646] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Windows") returned -1 [0082.646] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="$Recycle.bin") returned 1 [0082.646] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="System Volume Information") returned -1 [0082.646] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files") returned -1 [0082.646] lstrcmpiW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="Program Files (x86)") returned -1 [0082.646] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}") returned 84 [0082.646] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2=".") returned 1 [0082.646] lstrcmpW (lpString1="{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="..") returned 1 [0082.646] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.646] GetProcessHeap () returned 0x3a00000 [0082.647] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.647] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*") returned 86 [0082.647] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.647] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.647] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.647] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.647] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.647] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.647] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\.") returned 86 [0082.647] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.647] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.647] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.647] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.647] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.647] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.647] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.647] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\..") returned 87 [0082.647] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.647] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.647] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1f1a567, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.647] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.647] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.647] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.647] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.647] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.647] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.648] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.648] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.648] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5410decf, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x5410decf, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2045, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.648] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.648] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.648] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.648] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.648] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.648] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.648] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.648] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.648] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.648] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.648] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.648] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.648] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.648] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.648] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.648] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.648] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.648] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.648] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.648] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.648] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.648] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov") returned 89 [0082.648] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.648] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.648] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.648] GetProcessHeap () returned 0x3a00000 [0082.648] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.648] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*") returned 91 [0082.648] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.649] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.649] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.649] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.649] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.649] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.649] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\.") returned 91 [0082.649] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.649] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.649] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.649] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.649] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.649] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.649] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.649] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\..") returned 92 [0082.649] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.649] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.649] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1f1a567, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.649] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.649] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.649] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.649] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.649] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.649] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.649] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.649] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.649] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.649] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.649] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.649] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.650] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.650] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.650] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime") returned 97 [0082.650] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.650] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.650] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.650] GetProcessHeap () returned 0x3a00000 [0082.650] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.650] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*") returned 99 [0082.650] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.650] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.650] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.650] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.650] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.650] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.650] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\.") returned 99 [0082.650] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.650] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1ef4371, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.650] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.650] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.650] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.650] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.650] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.650] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\..") returned 100 [0082.650] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.650] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.650] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1f1a567, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.650] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.651] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.651] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.651] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.651] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.651] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.651] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.651] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.651] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1f32, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.651] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.651] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.651] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.651] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.651] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.651] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.651] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.651] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fdcb85, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fdcb85, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1ef4371, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1f32, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.651] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.651] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.651] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.652] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.653] CloseHandle (hObject=0x440) returned 1 [0082.653] GetProcessHeap () returned 0x3a00000 [0082.653] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.653] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.653] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.653] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.653] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.653] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.653] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.653] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.653] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.653] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54002dee, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x54002dee, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.654] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0082.654] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.654] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.655] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.656] CloseHandle (hObject=0x43c) returned 1 [0082.656] GetProcessHeap () returned 0x3a00000 [0082.656] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.656] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1f1a567, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1f1a567, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.656] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.656] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.656] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.657] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.658] CloseHandle (hObject=0x438) returned 1 [0082.658] GetProcessHeap () returned 0x3a00000 [0082.658] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.658] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", cAlternateFileName="{9DF6A~1")) returned 1 [0082.658] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Windows") returned -1 [0082.658] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="$Recycle.bin") returned 1 [0082.658] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="System Volume Information") returned -1 [0082.658] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files") returned -1 [0082.658] lstrcmpiW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="Program Files (x86)") returned -1 [0082.658] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}") returned 84 [0082.658] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2=".") returned 1 [0082.658] lstrcmpW (lpString1="{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="..") returned 1 [0082.658] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.658] GetProcessHeap () returned 0x3a00000 [0082.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.658] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*") returned 86 [0082.659] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0082.659] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.659] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.659] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\.") returned 86 [0082.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.659] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.659] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.659] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.659] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\..") returned 87 [0082.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.659] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1fd9163, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.659] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.659] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.659] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.660] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f9117b, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f9117b, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xbde, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="CUSTOM~1.EBA")) returned 1 [0082.660] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.660] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.660] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.660] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.660] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.660] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.660] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.660] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f6af14, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f6af14, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0082.660] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.660] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.660] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.660] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.660] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.660] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.660] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.660] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.660] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.660] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.660] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.660] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.660] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.660] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov") returned 89 [0082.660] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.660] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.660] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.660] GetProcessHeap () returned 0x3a00000 [0082.660] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.660] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*") returned 91 [0082.660] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0082.661] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.661] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.661] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.661] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.661] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\.") returned 91 [0082.661] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.661] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.661] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.661] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.661] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.661] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.661] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\..") returned 92 [0082.661] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.661] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.661] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1fd9163, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.661] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.661] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.661] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.661] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.661] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.661] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.661] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.661] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.661] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.661] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.661] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.661] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.662] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.662] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.662] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime") returned 97 [0082.662] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.662] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.662] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.662] GetProcessHeap () returned 0x3a00000 [0082.662] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.662] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*") returned 99 [0082.662] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0082.662] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.662] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.662] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.662] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.662] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.662] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\.") returned 99 [0082.662] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.662] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.662] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.662] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.662] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.662] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.662] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.662] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\..") returned 100 [0082.662] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.662] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.662] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1fb2fab, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1fb2fab, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.662] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.662] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.662] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.663] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.663] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.663] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.663] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.663] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="0__POW~1.EBA")) returned 1 [0082.663] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.663] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.663] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.663] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.663] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.663] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.663] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.663] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1ea40, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1ea40, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fb2fab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="0__POW~1.EBA")) returned 0 [0082.663] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0082.663] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.664] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.665] CloseHandle (hObject=0x440) returned 1 [0082.665] GetProcessHeap () returned 0x3a00000 [0082.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.665] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 1 [0082.665] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.665] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.665] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.665] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.665] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.665] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.665] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.665] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f44caa, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f44caa, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 0 [0082.665] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0082.666] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.666] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.667] CloseHandle (hObject=0x43c) returned 1 [0082.667] GetProcessHeap () returned 0x3a00000 [0082.668] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.668] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1f7bd0, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fd9163, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.668] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0082.668] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.669] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.670] CloseHandle (hObject=0x438) returned 1 [0082.670] GetProcessHeap () returned 0x3a00000 [0082.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.670] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", cAlternateFileName="{B0B91~1")) returned 1 [0082.670] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Windows") returned -1 [0082.670] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="$Recycle.bin") returned 1 [0082.670] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="System Volume Information") returned -1 [0082.670] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files") returned -1 [0082.670] lstrcmpiW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="Program Files (x86)") returned -1 [0082.670] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}") returned 84 [0082.670] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2=".") returned 1 [0082.670] lstrcmpW (lpString1="{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="..") returned 1 [0082.670] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.670] GetProcessHeap () returned 0x3a00000 [0082.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.670] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*") returned 86 [0082.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.670] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.670] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.670] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.670] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.670] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.671] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\.") returned 86 [0082.671] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.671] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.671] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.671] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.671] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.672] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.672] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.672] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\..") returned 87 [0082.672] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.672] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.673] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2025447, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.673] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.673] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.673] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.673] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.673] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.673] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.673] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.673] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.673] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fb24d6, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fb24d6, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fd9163, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc39, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.673] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.673] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.673] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.673] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.673] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.673] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.673] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.673] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f8c279, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f8c279, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.673] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.673] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.673] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.673] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.673] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.673] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.673] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.673] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.673] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.673] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.673] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.673] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.673] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.673] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov") returned 89 [0082.674] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.674] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.674] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.674] GetProcessHeap () returned 0x3a00000 [0082.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.674] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*") returned 91 [0082.674] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.674] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.674] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.674] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.674] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.674] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.674] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\.") returned 91 [0082.674] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.674] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.674] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.674] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.674] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.674] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.674] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.674] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\..") returned 92 [0082.674] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.674] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.674] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2025447, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.674] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.674] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.674] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.675] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.675] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.675] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.675] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.675] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.675] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.675] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.675] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.675] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.675] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.675] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.675] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime") returned 97 [0082.675] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.675] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.675] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.675] GetProcessHeap () returned 0x3a00000 [0082.675] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.675] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*") returned 99 [0082.675] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.675] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.675] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.675] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.675] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.675] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.675] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\.") returned 99 [0082.675] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.675] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.676] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.676] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.676] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.676] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.676] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.676] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\..") returned 100 [0082.676] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.676] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.676] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1fff674, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf1fff674, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.676] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.676] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.676] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.676] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.676] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.676] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.676] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.676] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.676] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.676] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.676] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.676] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.676] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.676] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.676] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.676] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.676] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf1fff674, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.676] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.676] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.676] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.677] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.678] CloseHandle (hObject=0x440) returned 1 [0082.678] GetProcessHeap () returned 0x3a00000 [0082.679] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.679] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.679] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.679] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.679] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.679] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.679] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.679] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.679] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.679] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.679] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.680] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.681] CloseHandle (hObject=0x43c) returned 1 [0082.681] GetProcessHeap () returned 0x3a00000 [0082.681] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.681] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1ab71b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2025447, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.681] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.681] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.682] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.683] CloseHandle (hObject=0x438) returned 1 [0082.683] GetProcessHeap () returned 0x3a00000 [0082.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.683] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf204b606, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf204b606, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c5dc3753-b6c8-4057-b396-bf13d769311c}", cAlternateFileName="{C5DC3~1")) returned 1 [0082.683] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Windows") returned -1 [0082.683] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="$Recycle.bin") returned 1 [0082.683] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="System Volume Information") returned -1 [0082.683] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files") returned -1 [0082.683] lstrcmpiW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="Program Files (x86)") returned -1 [0082.683] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}") returned 84 [0082.683] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2=".") returned 1 [0082.683] lstrcmpW (lpString1="{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="..") returned 1 [0082.683] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.683] GetProcessHeap () returned 0x3a00000 [0082.683] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.683] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*") returned 86 [0082.684] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf204b606, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.684] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.684] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.684] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.684] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.684] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.684] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\.") returned 86 [0082.684] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.684] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf204b606, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.684] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.684] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.684] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.684] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.684] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.684] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\..") returned 87 [0082.684] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.684] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.684] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2097df7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.684] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.684] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.684] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.684] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.684] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.684] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.684] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.684] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.684] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fc7d5e, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fc7d5e, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2025447, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9ff, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.685] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.685] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.685] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.685] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.685] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.685] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.685] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.685] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf204b606, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.685] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.685] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.685] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.685] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.685] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.685] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.685] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.685] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.685] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.685] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.685] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.685] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.685] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.685] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov") returned 89 [0082.685] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.685] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.685] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.685] GetProcessHeap () returned 0x3a00000 [0082.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.685] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*") returned 91 [0082.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.686] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.686] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.686] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.686] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.686] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\.") returned 91 [0082.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.686] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.686] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.686] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.686] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.686] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.686] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\..") returned 92 [0082.686] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.686] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.686] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2097df7, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.686] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.686] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.686] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.686] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.686] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.686] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.686] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.686] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2071888, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.687] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.687] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.687] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.687] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.687] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.687] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime") returned 97 [0082.687] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.687] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.687] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.687] GetProcessHeap () returned 0x3a00000 [0082.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*") returned 99 [0082.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2071888, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0082.687] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.687] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.687] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.687] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.687] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\.") returned 99 [0082.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.687] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2071888, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.687] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.687] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.687] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.687] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.688] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.688] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\..") returned 100 [0082.688] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.688] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.688] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf2071888, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf2071888, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.688] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.688] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.688] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.688] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.688] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.688] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.688] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.688] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.688] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x629, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.688] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.688] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.688] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.688] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.688] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.688] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.688] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.688] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f7b887, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f7b887, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2071888, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x629, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.688] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0082.688] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.689] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.690] CloseHandle (hObject=0x440) returned 1 [0082.690] GetProcessHeap () returned 0x3a00000 [0082.691] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.691] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.691] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.691] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.691] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.691] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.691] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.691] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.691] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.691] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53fa1af1, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53fa1af1, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.691] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.691] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.691] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.692] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.693] CloseHandle (hObject=0x43c) returned 1 [0082.693] GetProcessHeap () returned 0x3a00000 [0082.693] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.693] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf2097df7, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf2097df7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.693] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.693] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.693] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{c5dc3753-b6c8-4057-b396-bf13d769311c}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.694] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.695] CloseHandle (hObject=0x438) returned 1 [0082.695] GetProcessHeap () returned 0x3a00000 [0082.695] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.695] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20bdd68, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf20bdd68, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{c8a326e4-f518-4f14-b543-97a57e1a975e}", cAlternateFileName="{C8A32~1")) returned 1 [0082.695] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Windows") returned -1 [0082.695] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="$Recycle.bin") returned 1 [0082.695] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="System Volume Information") returned -1 [0082.695] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files") returned -1 [0082.696] lstrcmpiW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="Program Files (x86)") returned -1 [0082.696] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}") returned 84 [0082.696] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2=".") returned 1 [0082.696] lstrcmpW (lpString1="{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="..") returned 1 [0082.696] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.696] GetProcessHeap () returned 0x3a00000 [0082.696] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*") returned 86 [0082.696] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20bdd68, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0082.696] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.696] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.696] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.696] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.696] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\.") returned 86 [0082.696] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.696] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b2205b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf20bdd68, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.696] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.696] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.696] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.696] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.696] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.696] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\..") returned 87 [0082.696] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.696] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.696] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a14b79, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7a14b79, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a3ad49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.696] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.697] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.697] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.697] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.697] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.697] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.697] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.697] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x930c721b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x930c721b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf20bdd68, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x9bddf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="CUSTOM~1.EBA")) returned 1 [0082.697] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.697] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.697] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.697] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.697] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.697] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.697] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x919d3d65, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x919d3d65, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf20bdd68, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0082.697] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.697] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.697] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.697] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.697] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.697] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.697] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a14b79, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.697] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.697] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.697] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.697] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.697] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.697] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov") returned 89 [0082.697] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.697] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.698] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.698] GetProcessHeap () returned 0x3a00000 [0082.698] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*") returned 91 [0082.698] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a14b79, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.698] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.698] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.698] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.698] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.698] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\.") returned 91 [0082.698] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.698] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a14b79, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.698] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.698] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.698] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.698] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.698] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\..") returned 92 [0082.698] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.698] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.698] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a14b79, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7a14b79, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a14b79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.698] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.698] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.698] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.698] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.698] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.698] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.698] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.698] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.699] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf79ee81e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf79ee81e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.699] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.699] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.699] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.699] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.699] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.699] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime") returned 97 [0082.699] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.699] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.699] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.699] GetProcessHeap () returned 0x3a00000 [0082.699] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.699] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*") returned 99 [0082.699] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf79ee81e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf79ee81e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0082.699] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.699] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.699] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.699] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.699] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.699] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\.") returned 99 [0082.699] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.699] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x21b6e507, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf79ee81e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf79ee81e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.700] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.700] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.700] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.700] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.700] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.700] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\..") returned 100 [0082.700] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.700] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.700] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf79ee81e, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf79ee81e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf79ee81e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.700] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.700] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.700] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.700] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.700] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900a4472, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900a4472, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf210a4cb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x661, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="0__CON~1.EBA")) returned 1 [0082.700] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.700] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.700] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.700] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.700] lstrcmpiW (lpString1="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.700] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 205 [0082.700] StrStrIW (lpFirst="0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.700] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21304f8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x616, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="100__C~1.EBA")) returned 1 [0082.700] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.700] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.700] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.700] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.700] lstrcmpiW (lpString1="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.700] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.701] StrStrIW (lpFirst="100__Connections_Cellular_Telia DK (Denmark)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.701] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21304f8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x556, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="101__C~1.EBA")) returned 1 [0082.701] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.701] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.701] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.701] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.701] lstrcmpiW (lpString1="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.701] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.701] StrStrIW (lpFirst="101__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.701] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90437e87, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90437e87, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21304f8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="102__C~1.EBA")) returned 1 [0082.701] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.701] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.701] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.701] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.701] lstrcmpiW (lpString1="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.701] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.701] StrStrIW (lpFirst="102__Connections_Cellular_Claro (Dominican Republic)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.701] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21566bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x622, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="103__C~1.EBA")) returned 1 [0082.701] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.701] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.701] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.701] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.701] lstrcmpiW (lpString1="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.701] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.701] StrStrIW (lpFirst="103__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.701] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21566bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x607, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="104__C~1.EBA")) returned 1 [0082.701] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.701] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.701] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.701] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.701] lstrcmpiW (lpString1="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.702] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.702] StrStrIW (lpFirst="104__Connections_Cellular_PORTA GSM (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.702] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21566bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="105__C~1.EBA")) returned 1 [0082.702] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.702] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.702] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.702] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.702] lstrcmpiW (lpString1="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.702] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.702] StrStrIW (lpFirst="105__Connections_Cellular_Telefonica (Ecuador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.702] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9045e0ef, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9045e0ef, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21566bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="106__C~1.EBA")) returned 1 [0082.702] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.702] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.702] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.702] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.703] lstrcmpiW (lpString1="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.703] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.703] StrStrIW (lpFirst="106__Connections_Cellular_Mobinil (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.703] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21566bd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="107__C~1.EBA")) returned 1 [0082.703] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.703] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.703] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.703] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.703] lstrcmpiW (lpString1="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.703] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.703] StrStrIW (lpFirst="107__Connections_Cellular_Vodafone Egypt (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.703] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf217c93b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="108__C~1.EBA")) returned 1 [0082.703] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.703] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.703] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.703] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.703] lstrcmpiW (lpString1="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.703] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.703] StrStrIW (lpFirst="108__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.703] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf217c93b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="109__C~1.EBA")) returned 1 [0082.703] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.703] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.703] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.703] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.703] lstrcmpiW (lpString1="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.703] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.703] StrStrIW (lpFirst="109__Connections_Cellular_Etisalat Misr (Egypt)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.703] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90116bb1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90116bb1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf217c93b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="10__CO~1.EBA")) returned 1 [0082.703] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.703] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.703] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.704] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.704] lstrcmpiW (lpString1="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.704] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.704] StrStrIW (lpFirst="10__Connections_Cellular_Optus (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.704] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21a2bac, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x645, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="110__C~1.EBA")) returned 1 [0082.704] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.704] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.704] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.704] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.704] lstrcmpiW (lpString1="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.704] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.704] StrStrIW (lpFirst="110__Connections_Cellular_Claro (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.704] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9048435b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9048435b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21a2bac, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x614, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="111__C~1.EBA")) returned 1 [0082.704] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.704] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.704] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.704] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.704] lstrcmpiW (lpString1="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.704] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.704] StrStrIW (lpFirst="111__Connections_Cellular_Claro (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.704] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21a2bac, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="112__C~1.EBA")) returned 1 [0082.704] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.704] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.704] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.704] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.704] lstrcmpiW (lpString1="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.704] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.704] StrStrIW (lpFirst="112__Connections_Cellular_Telefonica (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.705] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21a2bac, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="113__C~1.EBA")) returned 1 [0082.705] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.705] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.705] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.705] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.705] lstrcmpiW (lpString1="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.705] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.705] StrStrIW (lpFirst="113__Connections_Cellular_TIGO (El Salvador)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.705] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21c8df6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x610, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="114__C~1.EBA")) returned 1 [0082.705] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.705] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.705] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.705] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.705] lstrcmpiW (lpString1="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.705] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.705] StrStrIW (lpFirst="114__Connections_Cellular_TIGO (El Salvador)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.705] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904aa5c6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904aa5c6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21c8df6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="115__C~1.EBA")) returned 1 [0082.705] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.705] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.705] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.705] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.705] lstrcmpiW (lpString1="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.705] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.705] StrStrIW (lpFirst="115__Connections_Cellular_Elisa Estonia (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.705] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21ef067, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="116__C~1.EBA")) returned 1 [0082.705] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.705] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.705] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.705] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.705] lstrcmpiW (lpString1="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.705] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.706] StrStrIW (lpFirst="116__Connections_Cellular_EMT (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.706] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21ef067, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="117__C~1.EBA")) returned 1 [0082.706] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.706] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.706] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.706] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.706] lstrcmpiW (lpString1="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.706] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.706] StrStrIW (lpFirst="117__Connections_Cellular_EMT (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.706] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf21ef067, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x614, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="118__C~1.EBA")) returned 1 [0082.706] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.706] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.706] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.706] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.706] lstrcmpiW (lpString1="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.706] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.706] StrStrIW (lpFirst="118__Connections_Cellular_Tele2 (Estonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.706] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904d0836, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904d0836, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22152e4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="119__C~1.EBA")) returned 1 [0082.706] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.706] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.706] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.706] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.706] lstrcmpiW (lpString1="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.706] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.706] StrStrIW (lpFirst="119__Connections_Cellular_Tele2 (Estonia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.706] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22152e4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="11__CO~1.EBA")) returned 1 [0082.706] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.706] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.706] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.706] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.706] lstrcmpiW (lpString1="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.706] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.707] StrStrIW (lpFirst="11__Connections_Cellular_Optus (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.707] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22152e4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="120__C~1.EBA")) returned 1 [0082.707] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.707] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.707] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.707] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.707] lstrcmpiW (lpString1="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.707] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0082.707] StrStrIW (lpFirst="120__Connections_Cellular_Vodafone FO (Faroe Islands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.707] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22152e4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x644, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="121__C~1.EBA")) returned 1 [0082.707] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.707] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.707] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.707] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.707] lstrcmpiW (lpString1="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.707] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.707] StrStrIW (lpFirst="121__Connections_Cellular_Kidanet (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.707] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf223b522, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="122__C~1.EBA")) returned 1 [0082.707] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.707] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.707] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.707] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.707] lstrcmpiW (lpString1="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.707] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.707] StrStrIW (lpFirst="122__Connections_Cellular_Vodafone Fiji (Fiji)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.707] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf223b522, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x662, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="123__C~1.EBA")) returned 1 [0082.707] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.707] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.707] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.707] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.708] lstrcmpiW (lpString1="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.708] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.708] StrStrIW (lpFirst="123__Connections_Cellular_Vodafone Fiji (Fiji)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.708] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x904f6aa1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x904f6aa1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2264ce0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="124__C~1.EBA")) returned 1 [0082.708] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.708] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.708] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.708] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.708] lstrcmpiW (lpString1="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.708] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.708] StrStrIW (lpFirst="124__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.708] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2264ce0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="125__C~1.EBA")) returned 1 [0082.708] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.708] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.708] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.708] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.708] lstrcmpiW (lpString1="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.708] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0082.708] StrStrIW (lpFirst="125__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.708] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2264ce0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x620, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="126__C~1.EBA")) returned 1 [0082.708] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.708] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.708] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.708] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.708] lstrcmpiW (lpString1="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.708] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0082.708] StrStrIW (lpFirst="126__Connections_Cellular_Alands Mobiltelefon Ab (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.709] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22879f0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x603, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="127__C~1.EBA")) returned 1 [0082.709] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.709] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.709] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.709] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.709] lstrcmpiW (lpString1="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.709] StrStrIW (lpFirst="127__Connections_Cellular_DNA (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.709] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22879f0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x548, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="128__C~1.EBA")) returned 1 [0082.709] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.709] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.709] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.709] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.709] lstrcmpiW (lpString1="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.709] StrStrIW (lpFirst="128__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.709] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22879f0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x641, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="129__C~1.EBA")) returned 1 [0082.709] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.709] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.709] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.709] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.709] lstrcmpiW (lpString1="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.709] StrStrIW (lpFirst="129__Connections_Cellular_Elisa (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.709] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22879f0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="12__CO~1.EBA")) returned 1 [0082.709] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.709] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.709] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.709] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.709] lstrcmpiW (lpString1="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.709] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.709] StrStrIW (lpFirst="12__Connections_Cellular_Optus (Australia)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.710] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9051cd0d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9051cd0d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22adc49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="130__C~1.EBA")) returned 1 [0082.710] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.710] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.710] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.710] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.710] lstrcmpiW (lpString1="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.710] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.710] StrStrIW (lpFirst="130__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.710] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf22adc49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x621, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="131__C~1.EBA")) returned 1 [0082.710] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.710] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.710] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.710] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.710] lstrcmpiW (lpString1="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.710] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0082.710] StrStrIW (lpFirst="131__Connections_Cellular_Go Communication Ltd. (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.710] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf23465e3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x61d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="132__C~1.EBA")) returned 1 [0082.710] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.710] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.710] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.710] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.710] lstrcmpiW (lpString1="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.710] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0082.710] StrStrIW (lpFirst="132__Connections_Cellular_Go Communication Ltd. (Finland)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.710] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf23465e3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x618, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="133__C~1.EBA")) returned 1 [0082.710] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.710] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.710] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.710] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.710] lstrcmpiW (lpString1="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.710] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.711] StrStrIW (lpFirst="133__Connections_Cellular_TDC Song Finland (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.711] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90542f74, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90542f74, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf23465e3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x606, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="134__C~1.EBA")) returned 1 [0082.711] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.711] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.711] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.711] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.711] lstrcmpiW (lpString1="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.711] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.711] StrStrIW (lpFirst="134__Connections_Cellular_Sonera (Finland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.711] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf236c825, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x653, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="135__C~1.EBA")) returned 1 [0082.711] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.711] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.711] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.711] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.711] lstrcmpiW (lpString1="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.711] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.711] StrStrIW (lpFirst="135__Connections_Cellular_Bouygues (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.711] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf236c825, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="136__C~1.EBA")) returned 1 [0082.711] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.711] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.711] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.711] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.711] lstrcmpiW (lpString1="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.711] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.711] StrStrIW (lpFirst="136__Connections_Cellular_Bouygues (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.711] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf236c825, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x55b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="137__C~1.EBA")) returned 1 [0082.711] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.711] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.711] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.711] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.711] lstrcmpiW (lpString1="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.712] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.712] StrStrIW (lpFirst="137__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.712] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905691e4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905691e4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf236c825, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="138__C~1.EBA")) returned 1 [0082.712] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.712] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.712] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.712] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.712] lstrcmpiW (lpString1="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.712] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.712] StrStrIW (lpFirst="138__Connections_Cellular_Free Mobile (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.712] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf236c825, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x652, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="139__C~1.EBA")) returned 1 [0082.712] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.712] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.712] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.712] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.712] lstrcmpiW (lpString1="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.712] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.712] StrStrIW (lpFirst="139__Connections_Cellular_Orange (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.712] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2392a44, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="13__CO~1.EBA")) returned 1 [0082.712] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.712] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.712] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.712] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.712] lstrcmpiW (lpString1="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.712] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.712] StrStrIW (lpFirst="13__Connections_Cellular_Optus (Australia)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.712] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf242b66b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="140__C~1.EBA")) returned 1 [0082.713] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.713] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.713] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.713] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.713] lstrcmpiW (lpString1="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.713] StrStrIW (lpFirst="140__Connections_Cellular_Orange (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.713] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf242b66b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="141__C~1.EBA")) returned 1 [0082.713] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.713] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.713] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.713] lstrcmpiW (lpString1="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.713] StrStrIW (lpFirst="141__Connections_Cellular_Orange (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.713] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf242b66b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="142__C~1.EBA")) returned 1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.713] StrStrIW (lpFirst="142__Connections_Cellular_Orange (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.713] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9058f44f, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9058f44f, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf251047d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="143__C~1.EBA")) returned 1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.713] StrStrIW (lpFirst="143__Connections_Cellular_Orange (France)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.713] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf251047d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="144__C~1.EBA")) returned 1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.713] StrStrIW (lpFirst="144__Connections_Cellular_Orange (France)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.713] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf251047d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ce, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="145__C~1.EBA")) returned 1 [0082.713] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.714] StrStrIW (lpFirst="145__Connections_Cellular_Orange (France)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf253634c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x646, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="146__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.714] StrStrIW (lpFirst="146__Connections_Cellular_SFR (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905b56bb, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905b56bb, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf253634c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x644, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="147__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.714] StrStrIW (lpFirst="147__Connections_Cellular_SFR (France)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf25cf0ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x647, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="148__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.714] StrStrIW (lpFirst="148__Connections_Cellular_SFR (France)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf25cf0ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x653, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="149__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.714] StrStrIW (lpFirst="149__Connections_Cellular_SFR (France)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf26027ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="14__CO~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.714] StrStrIW (lpFirst="14__Connections_Cellular_Optus (Australia)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf26027ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6da, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="150__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.714] StrStrIW (lpFirst="150__Connections_Cellular_E-Plus (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x905db923, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x905db923, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf261b339, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="151__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.714] StrStrIW (lpFirst="151__Connections_Cellular_Deutsche Telekom (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf261b339, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="152__C~1.EBA")) returned 1 [0082.714] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.714] StrStrIW (lpFirst="152__Connections_Cellular_Vodafone.de (Germany)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.714] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf27002ac, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="153__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.715] StrStrIW (lpFirst="153__Connections_Cellular_Vodafone.de (Germany)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2753dcc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="154__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.715] StrStrIW (lpFirst="154__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2753dcc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="155__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.715] StrStrIW (lpFirst="155__Connections_Cellular_Vodafone Ghana (Ghana)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2753dcc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="156__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.715] StrStrIW (lpFirst="156__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90601b92, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90601b92, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2772944, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="157__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.715] StrStrIW (lpFirst="157__Connections_Cellular_Cosmote Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2772944, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="158__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.715] StrStrIW (lpFirst="158__Connections_Cellular_Q-telecom (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2772944, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x656, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="159__C~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.715] StrStrIW (lpFirst="159__Connections_Cellular_Telestet (STET) (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.715] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf2772944, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x653, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="15__CO~1.EBA")) returned 1 [0082.715] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.715] StrStrIW (lpFirst="15__Connections_Cellular_Optus (Australia)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf28a3c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="160__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.716] StrStrIW (lpFirst="160__Connections_Cellular_Telestet (STET) (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90627dfd, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90627dfd, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf28a3c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="161__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.716] StrStrIW (lpFirst="161__Connections_Cellular_Vodafone Greece (Greece)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf28eff18, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="162__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.716] StrStrIW (lpFirst="162__Connections_Cellular_Vodafone Greece (Greece)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3167964, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="163__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.716] StrStrIW (lpFirst="163__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3167964, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="164__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.716] StrStrIW (lpFirst="164__Connections_Cellular_Orange Caraïbe (France)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3167964, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x643, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="165__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.716] StrStrIW (lpFirst="165__Connections_Cellular_Claro (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9064e061, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9064e061, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3167964, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x612, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="166__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.716] StrStrIW (lpFirst="166__Connections_Cellular_Claro (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.716] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf318db0f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="167__C~1.EBA")) returned 1 [0082.716] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.716] StrStrIW (lpFirst="167__Connections_Cellular_Telefonica (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf318db0f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="168__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.717] StrStrIW (lpFirst="168__Connections_Cellular_TIGO (Guatemala)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf318db0f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="169__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.717] StrStrIW (lpFirst="169__Connections_Cellular_TIGO (Guatemala)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9013ce1d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9013ce1d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf318db0f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="16__CO~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.717] StrStrIW (lpFirst="16__Connections_Cellular_Optus (Australia)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906742d4, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906742d4, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf31b3e96, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x642, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="170__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.717] StrStrIW (lpFirst="170__Connections_Cellular_Claro (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf32266f9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="171__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.717] StrStrIW (lpFirst="171__Connections_Cellular_Claro (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf32266f9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="172__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.717] StrStrIW (lpFirst="172__Connections_Cellular_TIGO (Honduras)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf32266f9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="173__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.717] StrStrIW (lpFirst="173__Connections_Cellular_TIGO (Honduras)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9069a53c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9069a53c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf32266f9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x606, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="174__C~1.EBA")) returned 1 [0082.717] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.717] StrStrIW (lpFirst="174__Connections_Cellular_CSL (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.717] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf324c95a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="175__C~1.EBA")) returned 1 [0082.718] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.718] StrStrIW (lpFirst="175__Connections_Cellular_3 (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.718] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf324c95a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x657, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="176__C~1.EBA")) returned 1 [0082.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.726] StrStrIW (lpFirst="176__Connections_Cellular_3 (Hong Kong SAR)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.726] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf324c95a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="177__C~1.EBA")) returned 1 [0082.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.726] StrStrIW (lpFirst="177__Connections_Cellular_3 (Hong Kong SAR)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.726] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf324c95a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="178__C~1.EBA")) returned 1 [0082.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.726] StrStrIW (lpFirst="178__Connections_Cellular_3 (Hong Kong SAR)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.726] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf327295a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="179__C~1.EBA")) returned 1 [0082.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.726] StrStrIW (lpFirst="179__Connections_Cellular_3 (Hong Kong SAR)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.726] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33b4e66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x658, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="17__CO~1.EBA")) returned 1 [0082.726] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.726] StrStrIW (lpFirst="17__Connections_Cellular_Optus (Australia)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.726] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906c07a8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906c07a8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33b4e66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="180__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.727] StrStrIW (lpFirst="180__Connections_Cellular_3 (Hong Kong SAR)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33b4e66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x641, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="181__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.727] StrStrIW (lpFirst="181__Connections_Cellular_CMHK (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33b4e66, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="182__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.727] StrStrIW (lpFirst="182__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33db18a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x606, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="183__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.727] StrStrIW (lpFirst="183__Connections_Cellular_PCCW (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x906e6a13, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x906e6a13, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf33db18a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="184__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0082.727] StrStrIW (lpFirst="184__Connections_Cellular_SmarTone-Vodafone (Hong Kong SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf340119f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="185__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.727] StrStrIW (lpFirst="185__Connections_Cellular_Telenor Hungary (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf340119f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="186__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.727] StrStrIW (lpFirst="186__Connections_Cellular_Magyar Telekom (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34c8e93, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="187__C~1.EBA")) returned 1 [0082.727] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.727] StrStrIW (lpFirst="187__Connections_Cellular_Vodafone HU (Hungary)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.727] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34d5334, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x667, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="188__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.728] StrStrIW (lpFirst="188__Connections_Cellular_Vodafone HU (Hungary)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9070cc83, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9070cc83, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34e01ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="189__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.728] StrStrIW (lpFirst="189__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34e9f56, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x554, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="18__CE~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.728] StrStrIW (lpFirst="18__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34f39d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="190__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.728] StrStrIW (lpFirst="190__Connections_Cellular_Siminn hf (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34f39d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="191__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.728] StrStrIW (lpFirst="191__Connections_Cellular_Vodafone Iceland (Iceland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34f39d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="192__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.728] StrStrIW (lpFirst="192__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90732eea, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90732eea, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf34f39d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x647, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="193__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.728] StrStrIW (lpFirst="193__Connections_Cellular_Aircel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.728] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf351a127, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="194__C~1.EBA")) returned 1 [0082.728] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.729] StrStrIW (lpFirst="194__Connections_Cellular_Airtel (India)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf351a127, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="195__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.729] StrStrIW (lpFirst="195__Connections_Cellular_Indosat (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf36251bc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="196__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.729] StrStrIW (lpFirst="196__Connections_Cellular_Indosat (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf36251bc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="197__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.729] StrStrIW (lpFirst="197__Connections_Cellular_Telkomsel (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90759156, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90759156, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf364b061, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="198__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.729] StrStrIW (lpFirst="198__Connections_Cellular_Telkomsel (Indonesia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf364b061, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="199__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.729] StrStrIW (lpFirst="199__Connections_Cellular_Vodafone (Indonesia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf364b061, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="19__CE~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 169 [0082.729] StrStrIW (lpFirst="19__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3671341, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="1__CON~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.729] StrStrIW (lpFirst="1__Connections_Cellular_Vodafone Albania (Albania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf36e3d3b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x565, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="200__C~1.EBA")) returned 1 [0082.729] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.729] StrStrIW (lpFirst="200__Connections_Cellular_AsiaCell (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.729] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3709cfe, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x68c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="201__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.730] StrStrIW (lpFirst="201__Connections_Cellular_KorekTelecom (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9077f3c5, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9077f3c5, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3992839, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x561, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="202__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0082.730] StrStrIW (lpFirst="202__Connections_Cellular_Zain (Iraq)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3992839, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x642, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="203__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0082.730] StrStrIW (lpFirst="203__Connections_Cellular_3 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf39b8951, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="204__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.730] StrStrIW (lpFirst="204__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf39b8951, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x607, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="205__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.730] StrStrIW (lpFirst="205__Connections_Cellular_O2 (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf39de953, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="206__C~1.EBA")) returned 1 [0082.730] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.730] StrStrIW (lpFirst="206__Connections_Cellular_Vodafone Ireland (Ireland)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.730] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907a5631, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907a5631, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf39de953, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="207__C~1.EBA")) returned 1 [0082.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.731] StrStrIW (lpFirst="207__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.731] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf39de953, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="208__C~1.EBA")) returned 1 [0082.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.731] StrStrIW (lpFirst="208__Connections_Cellular_Cellcom (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.731] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3a2ae36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="209__C~1.EBA")) returned 1 [0082.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.731] StrStrIW (lpFirst="209__Connections_Cellular_Orange (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.731] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3a2ae36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x669, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="20__CO~1.EBA")) returned 1 [0082.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.731] StrStrIW (lpFirst="20__Connections_Cellular_Telstra (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.731] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3a2ae36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="210__C~1.EBA")) returned 1 [0082.731] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.731] StrStrIW (lpFirst="210__Connections_Cellular_Pelephone (Israel)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3a51075, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x552, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="211__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.732] StrStrIW (lpFirst="211__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907cb89c, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907cb89c, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3a51075, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x642, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="212__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0082.732] StrStrIW (lpFirst="212__Connections_Cellular_TIM (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ba86be, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="213__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.732] StrStrIW (lpFirst="213__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ba86be, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="214__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.732] StrStrIW (lpFirst="214__Connections_Cellular_Vodafone IT (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3bcea83, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="215__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.732] StrStrIW (lpFirst="215__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3bcea83, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x607, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="216__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.732] StrStrIW (lpFirst="216__Connections_Cellular_Wind (Italy)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x907f1b04, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x907f1b04, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3bcea83, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="217__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.732] StrStrIW (lpFirst="217__Connections_Cellular_Wind (Italy)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3dbe90d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x697, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="218__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.732] StrStrIW (lpFirst="218__Connections_Cellular_Claro (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.732] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3de4ac5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x67f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="219__C~1.EBA")) returned 1 [0082.732] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.733] StrStrIW (lpFirst="219__Connections_Cellular_Claro (Jamaica)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.733] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3de4ac5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x668, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="21__CO~1.EBA")) returned 1 [0082.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.733] StrStrIW (lpFirst="21__Connections_Cellular_Telstra (Australia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.733] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e0abb4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x572, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="220__C~1.EBA")) returned 1 [0082.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 195 [0082.733] StrStrIW (lpFirst="220__Connections_Cellular_Cable and Wireless (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.733] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90817d73, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90817d73, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e0abb4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x696, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="221__C~1.EBA")) returned 1 [0082.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.733] StrStrIW (lpFirst="221__Connections_Cellular_DigiCel (Jamaica)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.733] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e0abb4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="222__C~1.EBA")) returned 1 [0082.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.733] StrStrIW (lpFirst="222__Connections_Cellular_DoCoMo (Japan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.733] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e0abb4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x662, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="223__C~1.EBA")) returned 1 [0082.733] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.734] StrStrIW (lpFirst="223__Connections_Cellular_DoCoMo (Japan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e30e34, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x656, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="224__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.734] StrStrIW (lpFirst="224__Connections_Cellular_DoCoMo (Japan)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3e30e34, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x657, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="225__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.734] StrStrIW (lpFirst="225__Connections_Cellular_DoCoMo (Japan)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9083dfdf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9083dfdf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fae6af, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6c7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="226__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.734] StrStrIW (lpFirst="226__Connections_Cellular_Orange (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fd47f1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="227__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.734] StrStrIW (lpFirst="227__Connections_Cellular_Umniah (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fd47f1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="228__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.734] StrStrIW (lpFirst="228__Connections_Cellular_Zain (Jordan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fd47f1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x684, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="229__C~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.734] StrStrIW (lpFirst="229__Connections_Cellular_Zain (Jordan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.734] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90163088, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90163088, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fd47f1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6fa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="22__CO~1.EBA")) returned 1 [0082.734] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.734] StrStrIW (lpFirst="22__Connections_Cellular_Telstra (Australia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9086424b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9086424b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3fd47f1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6c5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="230__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.735] StrStrIW (lpFirst="230__Connections_Cellular_Safaricom (Kenya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ffa9d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x622, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="231__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.735] StrStrIW (lpFirst="231__Connections_Cellular_KTF HSDPA Internet (Korea)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ffa9d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x612, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="232__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.735] StrStrIW (lpFirst="232__Connections_Cellular_Wataniya (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ffa9d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x640, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="233__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.735] StrStrIW (lpFirst="233__Connections_Cellular_Zain (Kuwait)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9088a4b2, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9088a4b2, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf3ffa9d2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="234__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.735] StrStrIW (lpFirst="234__Connections_Cellular_Bite Latvija (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf434209f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x707, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="235__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 179 [0082.735] StrStrIW (lpFirst="235__Connections_Cellular_LMT (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4368073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x694, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="236__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.735] StrStrIW (lpFirst="236__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.735] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908b0722, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908b0722, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4368073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x68d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="237__C~1.EBA")) returned 1 [0082.735] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.735] StrStrIW (lpFirst="237__Connections_Cellular_Tele2 (Latvia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4368073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="238__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.736] StrStrIW (lpFirst="238__Connections_Cellular_Alfa (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908d698d, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908d698d, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4368073, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x692, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="239__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.736] StrStrIW (lpFirst="239__Connections_Cellular_MTC Touch (Lebanon)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf438e33a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="23__CO~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.736] StrStrIW (lpFirst="23__Connections_Cellular_Vodafone AU (Australia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf438e33a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="240__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.736] StrStrIW (lpFirst="240__Connections_Cellular_Vodacom Lesotho (Lesotho)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x908fcbf9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x908fcbf9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf438e33a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x640, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="241__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.736] StrStrIW (lpFirst="241__Connections_Cellular_Libyana (Libya)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf438e33a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x657, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="242__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0082.736] StrStrIW (lpFirst="242__Connections_Cellular_A1 Mobilkom (Liechtenstein)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf44bf7dc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x653, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="243__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.736] StrStrIW (lpFirst="243__Connections_Cellular_Bitė Lietuva (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90922e60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90922e60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf44bf7dc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x686, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="244__C~1.EBA")) returned 1 [0082.736] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.736] StrStrIW (lpFirst="244__Connections_Cellular_Omnitel (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.736] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf44e5a87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="245__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.737] StrStrIW (lpFirst="245__Connections_Cellular_Tele2 (Lithuania)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf44e5a87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="246__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.737] StrStrIW (lpFirst="246__Connections_Cellular_Tele2 (Lithuania)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf44e5a87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="247__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.737] StrStrIW (lpFirst="247__Connections_Cellular_Tango (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909490d0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909490d0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf450b979, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="248__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.737] StrStrIW (lpFirst="248__Connections_Cellular_Orange (Luxembourg)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf450b979, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x649, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="249__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.737] StrStrIW (lpFirst="249__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf450b979, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="24__CE~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.737] StrStrIW (lpFirst="24__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45ca7a1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x607, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="250__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.737] StrStrIW (lpFirst="250__Connections_Cellular_CTM (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.737] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45ca7a1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x655, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="251__C~1.EBA")) returned 1 [0082.737] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.737] StrStrIW (lpFirst="251__Connections_Cellular_Hutchison - 3 (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9096f33b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x9096f33b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45ca7a1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="252__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.738] StrStrIW (lpFirst="252__Connections_Cellular_SmarTone (Macao SAR)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45f0a0c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="253__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 203 [0082.738] StrStrIW (lpFirst="253__Connections_Cellular_T-Mobile Macedonia (Macedonia, FYRO)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45f0a0c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="254__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 203 [0082.738] StrStrIW (lpFirst="254__Connections_Cellular_Vip Operator (Republic of Macedonia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45f0a0c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x55c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="255__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.738] StrStrIW (lpFirst="255__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909955a7, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909955a7, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf45f0a0c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x656, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="256__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 193 [0082.738] StrStrIW (lpFirst="256__Connections_Cellular_Celcom Malaysia (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4616b93, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x604, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="257__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.738] StrStrIW (lpFirst="257__Connections_Cellular_DiGi (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4616b93, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x604, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="258__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.738] StrStrIW (lpFirst="258__Connections_Cellular_DiGi (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf46fba32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x640, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="259__C~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.738] StrStrIW (lpFirst="259__Connections_Cellular_Maxis (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.738] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4721c78, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="25__CE~1.EBA")) returned 1 [0082.738] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 169 [0082.739] StrStrIW (lpFirst="25__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4721c78, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x684, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="260__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.739] StrStrIW (lpFirst="260__Connections_Cellular_Maxis (Malaysia)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909bb812, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909bb812, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4721c78, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x643, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="261__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.739] StrStrIW (lpFirst="261__Connections_Cellular_Maxis (Malaysia)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4721c78, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="262__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.739] StrStrIW (lpFirst="262__Connections_Cellular_Timecel (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4747cf7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x648, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="263__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.739] StrStrIW (lpFirst="263__Connections_Cellular_U Mobile (Malaysia)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4747cf7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="264__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.739] StrStrIW (lpFirst="264__Connections_Cellular_Go Mobile (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x909e1a7e, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x909e1a7e, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4747cf7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x608, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="265__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.739] StrStrIW (lpFirst="265__Connections_Cellular_Go Mobile (Malta)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.739] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4747cf7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="266__C~1.EBA")) returned 1 [0082.739] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.739] StrStrIW (lpFirst="266__Connections_Cellular_Vodafone Malta (Malta)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48c56c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="267__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.740] StrStrIW (lpFirst="267__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48c56c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x645, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="268__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.740] StrStrIW (lpFirst="268__Connections_Cellular_TELCEL GSM (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48c56c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x557, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="269__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.740] StrStrIW (lpFirst="269__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48c56c8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6bf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="26__CO~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0082.740] StrStrIW (lpFirst="26__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a07ce9, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a07ce9, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48eb957, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x69b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="270__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.740] StrStrIW (lpFirst="270__Connections_Cellular_Telefonica (Mexico)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf48eb957, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x70d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="271__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.740] StrStrIW (lpFirst="271__Connections_Cellular_Telenor (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf491190c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x68b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="272__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.740] StrStrIW (lpFirst="272__Connections_Cellular_T-Mobile (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a2df51, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a2df51, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf491190c, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="273__C~1.EBA")) returned 1 [0082.740] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0082.740] StrStrIW (lpFirst="273__Connections_Cellular_Crnogorski Telekom (Montenegro)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.740] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49842e1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x647, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="274__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.741] StrStrIW (lpFirst="274__Connections_Cellular_Maroc Telecom (Morocco)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a541c1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a541c1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49842e1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="275__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 198 [0082.741] StrStrIW (lpFirst="275__Connections_Cellular_Vodacom Mozambique (Mozambique)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49842e1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="276__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.741] StrStrIW (lpFirst="276__Connections_Cellular_KPN-Hi (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49842e1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x666, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="277__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.741] StrStrIW (lpFirst="277__Connections_Cellular_KPN-Hi (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49aa4fa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="278__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.741] StrStrIW (lpFirst="278__Connections_Cellular_KPN-Hi (Netherlands)_i10$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90a7a428, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90a7a428, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49d07d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x664, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="279__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.741] StrStrIW (lpFirst="279__Connections_Cellular_KPN-Hi (Netherlands)_i11$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901892f8, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901892f8, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49d07d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x604, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="27__CO~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 178 [0082.741] StrStrIW (lpFirst="27__Connections_Cellular_A1 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.741] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49d07d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x66c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="280__C~1.EBA")) returned 1 [0082.741] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.742] StrStrIW (lpFirst="280__Connections_Cellular_KPN-Hi (Netherlands)_i12$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49d07d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x657, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="281__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.742] StrStrIW (lpFirst="281__Connections_Cellular_KPN-Hi (Netherlands)_i13$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf49f678f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="282__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.742] StrStrIW (lpFirst="282__Connections_Cellular_KPN-Hi (Netherlands)_i14$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4a69220, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x663, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="283__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.742] StrStrIW (lpFirst="283__Connections_Cellular_KPN-Hi (Netherlands)_i15$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4a69220, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="284__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.742] StrStrIW (lpFirst="284__Connections_Cellular_KPN-Hi (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aa0698, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aa0698, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4a8f16a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x651, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="285__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.742] StrStrIW (lpFirst="285__Connections_Cellular_KPN-Hi (Netherlands)_i3$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4a8f16a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="286__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.742] StrStrIW (lpFirst="286__Connections_Cellular_KPN-Hi (Netherlands)_i4$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4a8f16a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x661, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="287__C~1.EBA")) returned 1 [0082.742] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.742] StrStrIW (lpFirst="287__Connections_Cellular_KPN-Hi (Netherlands)_i5$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.742] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b01a91, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="288__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.743] StrStrIW (lpFirst="288__Connections_Cellular_KPN-Hi (Netherlands)_i6$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b01a91, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="289__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.743] StrStrIW (lpFirst="289__Connections_Cellular_KPN-Hi (Netherlands)_i7$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b27a24, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="28__CO~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.743] StrStrIW (lpFirst="28__Connections_Cellular_Hutchison - 3 (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b27a24, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x667, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="290__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.743] StrStrIW (lpFirst="290__Connections_Cellular_KPN-Hi (Netherlands)_i8$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90ac6903, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90ac6903, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b9a453, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x656, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="291__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 187 [0082.743] StrStrIW (lpFirst="291__Connections_Cellular_KPN-Hi (Netherlands)_i9$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b9a453, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x618, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="292__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.743] StrStrIW (lpFirst="292__Connections_Cellular_Tele2 (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4b9a453, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="293__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.743] StrStrIW (lpFirst="293__Connections_Cellular_Tele2 (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4bc05d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x659, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="294__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.743] StrStrIW (lpFirst="294__Connections_Cellular_Telfort (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.743] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90aecb6b, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90aecb6b, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4bc05d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="295__C~1.EBA")) returned 1 [0082.743] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.744] StrStrIW (lpFirst="295__Connections_Cellular_Telfort (Netherlands)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4bc05d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x664, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="296__C~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.744] StrStrIW (lpFirst="296__Connections_Cellular_Telfort (Netherlands)_i2$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4bc05d3, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x66b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="297__C~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 201 [0082.744] StrStrIW (lpFirst="297__Connections_Cellular_T-Mobile Netherlands (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4be6835, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="298__C~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.744] StrStrIW (lpFirst="298__Connections_Cellular_Vodafone NL (Netherlands)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4be6835, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="299__C~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.744] StrStrIW (lpFirst="299__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4c5905d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="29__CO~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.744] StrStrIW (lpFirst="29__Connections_Cellular_Tele.ring (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x900ca6de, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x900ca6de, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4c5905d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="2__CON~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 181 [0082.744] StrStrIW (lpFirst="2__Connections_Cellular_Djezzy (Algeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.744] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b12dd6, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b12dd6, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4c7efe7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x654, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="300__C~1.EBA")) returned 1 [0082.744] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.744] StrStrIW (lpFirst="300__Connections_Cellular_2degrees (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4c7efe7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x662, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="301__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0082.745] StrStrIW (lpFirst="301__Connections_Cellular_Telecom New Zealand (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4c7efe7, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="302__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 200 [0082.745] StrStrIW (lpFirst="302__Connections_Cellular_Telecom New Zealand (New Zealand)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4ca5510, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x68f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="303__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.745] StrStrIW (lpFirst="303__Connections_Cellular_Vodafone NZ (New Zealand)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b39042, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b39042, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4ca5510, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="304__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal") returned 170 [0082.745] StrStrIW (lpFirst="304__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d17aeb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x681, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="305__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.745] StrStrIW (lpFirst="305__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d17aeb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x695, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="306__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.745] StrStrIW (lpFirst="306__Connections_Cellular_Claro (Nicaragua)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d3dd55, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x68b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="307__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 184 [0082.745] StrStrIW (lpFirst="307__Connections_Cellular_Claro (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b5f2b1, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b5f2b1, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d3dd55, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="308__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 189 [0082.745] StrStrIW (lpFirst="308__Connections_Cellular_Telefonica (Nicaragua)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.745] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d3dd55, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x650, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="309__C~1.EBA")) returned 1 [0082.745] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 180 [0082.746] StrStrIW (lpFirst="309__Connections_Cellular_MTN (Nigeria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901af563, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901af563, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d3dd55, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6df, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="30__CO~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 192 [0082.746] StrStrIW (lpFirst="30__Connections_Cellular_T-Mobile Austria (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d63dae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="310__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 182 [0082.746] StrStrIW (lpFirst="310__Connections_Cellular_NetCom (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d63dae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x64d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="311__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 186 [0082.746] StrStrIW (lpFirst="311__Connections_Cellular_TDC Norway (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90b85519, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90b85519, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4d63dae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x609, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="312__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.746] StrStrIW (lpFirst="312__Connections_Cellular_Telenor (Norway)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e4956b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x671, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="313__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 218 [0082.746] StrStrIW (lpFirst="313__Connections_Cellular_Omani Qatari Telecommunications Company SAOC (Oman)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e4956b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x61e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="314__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.746] StrStrIW (lpFirst="314__Connections_Cellular_Mobilink GSM (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e6f112, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x613, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="315__C~1.EBA")) returned 1 [0082.746] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 190 [0082.746] StrStrIW (lpFirst="315__Connections_Cellular_Mobilink GSM (Pakistan)_i1$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.746] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bab788, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bab788, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e6f112, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6ca, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="316__C~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 185 [0082.747] StrStrIW (lpFirst="316__Connections_Cellular_Telenor (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e6f112, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="317__C~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 183 [0082.747] StrStrIW (lpFirst="317__Connections_Cellular_Ufone (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e9511e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x614, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="318__C~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 191 [0082.747] StrStrIW (lpFirst="318__Connections_Cellular_Warid Telecom (Pakistan)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e9511e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x576, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="319__C~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 199 [0082.747] StrStrIW (lpFirst="319__Connections_Cellular_Aljawwal (Palestinian Authority)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x901d57cf, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x901d57cf, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e9511e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="31__CO~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 188 [0082.747] StrStrIW (lpFirst="31__Connections_Cellular_T-Mobile M2M (Austria)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bd19f0, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bd19f0, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4e9511e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="320__C~1.EBA")) returned 1 [0082.747] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{c8a326e4-f518-4f14-b543-97a57e1a975e}\\Prov\\RunTime\\320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal") returned 194 [0082.747] StrStrIW (lpFirst="320__Connections_Cellular_Cable and Wireless (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x90bf7c60, ftCreationTime.dwHighDateTime=0x1d2e96f, ftLastAccessTime.dwLowDateTime=0x90bf7c60, ftLastAccessTime.dwHighDateTime=0x1d2e96f, ftLastWriteTime.dwLowDateTime=0xf4f07a49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x640, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="321__C~1.EBA")) returned 1 [0082.747] StrStrIW (lpFirst="321__Connections_Cellular_Claro (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.747] StrStrIW (lpFirst="322__Connections_Cellular_Telefonica (Panama)_i0$(__MVID)@WAP.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.759] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.760] CloseHandle (hObject=0x440) returned 1 [0082.760] GetProcessHeap () returned 0x3a00000 [0082.760] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.760] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.760] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.760] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.760] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.760] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.761] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.762] CloseHandle (hObject=0x43c) returned 1 [0082.762] GetProcessHeap () returned 0x3a00000 [0082.762] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.763] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.764] CloseHandle (hObject=0x438) returned 1 [0082.764] GetProcessHeap () returned 0x3a00000 [0082.764] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.764] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Windows") returned -1 [0082.764] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="$Recycle.bin") returned 1 [0082.764] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="System Volume Information") returned -1 [0082.764] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Program Files") returned -1 [0082.764] lstrcmpiW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="Program Files (x86)") returned -1 [0082.764] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2=".") returned 1 [0082.764] lstrcmpW (lpString1="{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="..") returned 1 [0082.764] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.764] GetProcessHeap () returned 0x3a00000 [0082.764] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.764] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*") returned 86 [0082.766] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a3ad49, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0082.766] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.766] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.766] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.766] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.766] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.766] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\.") returned 86 [0082.766] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.766] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a3ad49, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.766] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.766] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.766] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.766] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.766] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.766] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\..") returned 87 [0082.767] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.767] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.767] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a87202, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.767] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.767] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.767] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.767] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.767] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.767] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.767] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.767] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.767] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f66020, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f66020, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a3ad49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xab6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.767] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.767] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.767] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.767] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.767] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.767] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.767] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.767] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a3ad49, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.767] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.767] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.767] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.767] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.767] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.767] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.767] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.767] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.767] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.767] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.767] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.767] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.768] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.768] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov") returned 89 [0082.768] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.768] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.768] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.768] GetProcessHeap () returned 0x3a00000 [0082.768] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.768] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*") returned 91 [0082.768] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.768] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.768] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.768] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.768] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.768] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.768] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\.") returned 91 [0082.768] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.768] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.768] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.768] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.768] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.768] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.768] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.768] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\..") returned 92 [0082.768] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.768] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.768] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a87202, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.768] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.768] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.768] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.769] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.769] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.769] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.769] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.769] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a60ff9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.769] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.769] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.769] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.769] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.769] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.769] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime") returned 97 [0082.769] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.769] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.769] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.769] GetProcessHeap () returned 0x3a00000 [0082.769] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.769] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*") returned 99 [0082.769] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a60ff9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0082.769] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.769] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.769] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.769] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.769] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.769] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\.") returned 99 [0082.769] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.769] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a60ff9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.769] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.769] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.770] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.770] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.770] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.770] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\..") returned 100 [0082.770] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.770] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.770] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7a60ff9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7a60ff9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.770] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.770] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.770] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.770] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.770] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.770] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.770] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.770] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.770] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f19b66, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f19b66, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x79a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.770] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.770] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.770] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.770] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.770] lstrcmpiW (lpString1="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.770] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal") returned 156 [0082.770] StrStrIW (lpFirst="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.770] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f19b66, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f19b66, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a60ff9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x79a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_EnergyEstimationEngine.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.770] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0082.770] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.770] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.771] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.772] CloseHandle (hObject=0x440) returned 1 [0082.772] GetProcessHeap () returned 0x3a00000 [0082.772] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.772] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.772] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.772] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.772] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.772] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.772] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.772] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.773] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.773] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f3fdc3, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f3fdc3, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x550, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.773] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0082.773] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.773] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.774] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.774] CloseHandle (hObject=0x43c) returned 1 [0082.774] GetProcessHeap () returned 0x3a00000 [0082.774] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.774] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d15f260, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7a87202, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.775] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0082.775] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.775] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{ee4aac98-c174-4941-82b1-d121e493e4fb}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.775] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.776] CloseHandle (hObject=0x438) returned 1 [0082.776] GetProcessHeap () returned 0x3a00000 [0082.776] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.776] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", cAlternateFileName="{F1189~1")) returned 1 [0082.776] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Windows") returned -1 [0082.777] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="$Recycle.bin") returned 1 [0082.777] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="System Volume Information") returned -1 [0082.777] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Program Files") returned -1 [0082.777] lstrcmpiW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="Program Files (x86)") returned -1 [0082.777] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}") returned 84 [0082.777] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2=".") returned 1 [0082.777] lstrcmpW (lpString1="{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="..") returned 1 [0082.777] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.777] GetProcessHeap () returned 0x3a00000 [0082.777] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*") returned 86 [0082.777] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7af98d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0082.777] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.777] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.777] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.777] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.777] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\.") returned 86 [0082.777] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.777] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7af98d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.777] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.777] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.777] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.777] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.777] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.777] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\..") returned 87 [0082.777] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.777] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.778] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7ad377b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7af98d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.778] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.778] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.778] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.778] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.778] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.778] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.778] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.778] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f6a449, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f6a449, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7a87202, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc2c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.778] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.778] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.778] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.778] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.778] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.778] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.778] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.778] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.778] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.778] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.778] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.778] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.778] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.778] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.778] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.778] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.778] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.778] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.778] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.778] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov") returned 89 [0082.778] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.779] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.779] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.779] GetProcessHeap () returned 0x3a00000 [0082.779] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.779] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*") returned 91 [0082.779] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0082.779] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.779] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.779] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.779] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.779] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.779] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\.") returned 91 [0082.779] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.779] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.779] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.779] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.779] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.779] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.779] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.779] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\..") returned 92 [0082.779] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.779] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.779] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7ad377b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.779] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.779] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.779] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.779] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.779] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.780] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.780] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.780] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.780] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.780] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.780] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.780] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.780] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.780] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.780] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime") returned 97 [0082.780] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.780] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.780] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.780] GetProcessHeap () returned 0x3a00000 [0082.780] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.780] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*") returned 99 [0082.780] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.781] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.781] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.781] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.781] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.781] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.781] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\.") returned 99 [0082.781] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.781] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d244069, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.781] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.781] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.781] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.781] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.781] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.781] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\..") returned 100 [0082.781] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.781] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.781] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7aadafa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7aadafa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.781] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.781] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.781] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.781] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.781] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.781] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.781] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.781] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.781] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef7d10, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef7d10, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xab6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.781] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.781] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.781] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.781] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.781] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.782] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.782] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.782] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53ef7d10, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53ef7d10, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7aadafa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xab6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.782] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.782] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.782] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.783] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.783] CloseHandle (hObject=0x440) returned 1 [0082.784] GetProcessHeap () returned 0x3a00000 [0082.784] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.784] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.784] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.784] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.784] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.784] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.784] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.784] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.784] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.784] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53f1df76, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x53f1df76, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x47f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.784] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0082.784] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.784] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.785] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.786] CloseHandle (hObject=0x43c) returned 1 [0082.786] GetProcessHeap () returned 0x3a00000 [0082.786] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.786] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d21de20, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7ad377b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ad377b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.786] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0082.786] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.786] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.787] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.788] CloseHandle (hObject=0x438) returned 1 [0082.788] GetProcessHeap () returned 0x3a00000 [0082.788] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.788] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7b6c04b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7b6c04b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 1 [0082.788] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Windows") returned -1 [0082.788] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="$Recycle.bin") returned 1 [0082.788] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="System Volume Information") returned -1 [0082.788] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Program Files") returned -1 [0082.788] lstrcmpiW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="Program Files (x86)") returned -1 [0082.788] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}") returned 84 [0082.788] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2=".") returned 1 [0082.788] lstrcmpW (lpString1="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="..") returned 1 [0082.788] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.788] GetProcessHeap () returned 0x3a00000 [0082.788] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*") returned 86 [0082.788] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7b6c04b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0082.788] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.788] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.788] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.788] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.788] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.788] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\.") returned 86 [0082.788] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.788] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7b6c04b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.789] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.789] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.789] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.789] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.789] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\..") returned 87 [0082.789] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.789] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.789] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c07454, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.789] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.789] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.789] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.789] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.789] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.789] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.789] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.789] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x560ed25a, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x560ed25a, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7af98d0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x65f8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="customizations.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="CUSTOM~1.EBA")) returned 1 [0082.789] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.789] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.789] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.789] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.789] lstrcmpiW (lpString1="customizations.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\customizations.xml_r00t_{8ew5f6}.ebal") returned 122 [0082.789] StrStrIW (lpFirst="customizations.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.789] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55d0d528, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55d0d528, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7b6c04b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x493, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MasterDatastore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="MASTER~1.EBA")) returned 1 [0082.789] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.789] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.789] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.789] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.789] lstrcmpiW (lpString1="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.789] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\MasterDatastore.xml_r00t_{8ew5f6}.ebal") returned 123 [0082.790] StrStrIW (lpFirst="MasterDatastore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.790] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 1 [0082.790] lstrcmpiW (lpString1="Prov", lpString2="Windows") returned -1 [0082.790] lstrcmpiW (lpString1="Prov", lpString2="$Recycle.bin") returned 1 [0082.790] lstrcmpiW (lpString1="Prov", lpString2="System Volume Information") returned -1 [0082.790] lstrcmpiW (lpString1="Prov", lpString2="Program Files") returned 1 [0082.790] lstrcmpiW (lpString1="Prov", lpString2="Program Files (x86)") returned 1 [0082.790] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov") returned 89 [0082.790] lstrcmpW (lpString1="Prov", lpString2=".") returned 1 [0082.790] lstrcmpW (lpString1="Prov", lpString2="..") returned 1 [0082.790] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.790] GetProcessHeap () returned 0x3a00000 [0082.790] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.790] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*") returned 91 [0082.790] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.790] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.790] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.790] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.790] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.790] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.790] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\.") returned 91 [0082.790] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.790] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.790] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.790] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.790] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.790] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.790] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.791] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\..") returned 92 [0082.791] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.791] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.791] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c07454, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.791] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.791] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.791] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.791] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.791] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.791] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.791] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.791] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.791] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7bdedde, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime", cAlternateFileName="")) returned 1 [0082.791] lstrcmpiW (lpString1="RunTime", lpString2="Windows") returned -1 [0082.791] lstrcmpiW (lpString1="RunTime", lpString2="$Recycle.bin") returned 1 [0082.791] lstrcmpiW (lpString1="RunTime", lpString2="System Volume Information") returned -1 [0082.791] lstrcmpiW (lpString1="RunTime", lpString2="Program Files") returned 1 [0082.791] lstrcmpiW (lpString1="RunTime", lpString2="Program Files (x86)") returned 1 [0082.791] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime") returned 97 [0082.791] lstrcmpW (lpString1="RunTime", lpString2=".") returned 1 [0082.791] lstrcmpW (lpString1="RunTime", lpString2="..") returned 1 [0082.791] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.791] GetProcessHeap () returned 0x3a00000 [0082.791] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.791] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*") returned 99 [0082.791] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7bdedde, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.791] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.791] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.791] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.792] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.792] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.792] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\.") returned 99 [0082.792] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.792] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7bdedde, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.792] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.792] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.792] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.792] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.792] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.792] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\..") returned 100 [0082.792] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.792] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.792] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7bdedde, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7bdedde, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.792] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.792] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.792] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.792] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.792] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.792] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.792] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.792] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.792] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c4e960, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c4e960, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7b92336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xcc1, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="0__POW~1.EBA")) returned 1 [0082.792] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.792] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.792] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.792] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.792] lstrcmpiW (lpString1="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.792] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\0__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.792] StrStrIW (lpFirst="0__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.792] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c74bbc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c74bbc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7b92336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x139c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="1__POW~1.EBA")) returned 1 [0082.792] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.792] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.793] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.793] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.793] lstrcmpiW (lpString1="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\1__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.793] StrStrIW (lpFirst="1__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.793] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55c9ae14, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55c9ae14, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bb8504, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1cbd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="2__POW~1.EBA")) returned 1 [0082.793] lstrcmpiW (lpString1="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.793] lstrcmpiW (lpString1="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.793] lstrcmpiW (lpString1="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.793] lstrcmpiW (lpString1="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.793] lstrcmpiW (lpString1="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\2__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.793] StrStrIW (lpFirst="2__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.793] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bb8504, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1cbd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="3__POW~1.EBA")) returned 1 [0082.793] lstrcmpiW (lpString1="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.793] lstrcmpiW (lpString1="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.793] lstrcmpiW (lpString1="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.793] lstrcmpiW (lpString1="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.793] lstrcmpiW (lpString1="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\3__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.793] StrStrIW (lpFirst="3__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.793] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bb8504, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x11e7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="4__POW~1.EBA")) returned 1 [0082.793] lstrcmpiW (lpString1="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.793] lstrcmpiW (lpString1="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.793] lstrcmpiW (lpString1="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.793] lstrcmpiW (lpString1="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.793] lstrcmpiW (lpString1="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.793] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\4__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.793] StrStrIW (lpFirst="4__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.793] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55cc1070, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55cc1070, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xba6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="5__POW~1.EBA")) returned 1 [0082.793] lstrcmpiW (lpString1="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.793] lstrcmpiW (lpString1="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.794] lstrcmpiW (lpString1="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.794] lstrcmpiW (lpString1="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.794] lstrcmpiW (lpString1="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.794] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\5__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.794] StrStrIW (lpFirst="5__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.794] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xcc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="6__POW~1.EBA")) returned 1 [0082.794] lstrcmpiW (lpString1="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.794] lstrcmpiW (lpString1="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.794] lstrcmpiW (lpString1="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.794] lstrcmpiW (lpString1="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.794] lstrcmpiW (lpString1="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.794] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\6__Power_Policy.provxml_r00t_{8ew5f6}.ebal") returned 140 [0082.794] StrStrIW (lpFirst="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.794] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7bdedde, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xcc3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="6__Power_Policy.provxml_r00t_{8ew5f6}.ebal", cAlternateFileName="6__POW~1.EBA")) returned 0 [0082.794] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.794] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 129 [0082.794] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\runtime\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0082.795] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0082.797] CloseHandle (hObject=0x440) returned 1 [0082.797] GetProcessHeap () returned 0x3a00000 [0082.797] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0082.797] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xccc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 1 [0082.797] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.797] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.797] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.797] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.797] lstrcmpiW (lpString1="RunTime.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.797] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\RunTime.xml_r00t_{8ew5f6}.ebal") returned 120 [0082.797] StrStrIW (lpFirst="RunTime.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.797] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x55ce72cc, ftCreationTime.dwHighDateTime=0x1d29f93, ftLastAccessTime.dwLowDateTime=0x55ce72cc, ftLastAccessTime.dwHighDateTime=0x1d29f93, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xccc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RunTime.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="RUNTIM~1.EBA")) returned 0 [0082.797] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.797] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 121 [0082.797] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\Prov\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\prov\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.798] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.799] CloseHandle (hObject=0x43c) returned 1 [0082.799] GetProcessHeap () returned 0x3a00000 [0082.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.799] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7c07454, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c07454, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Prov", cAlternateFileName="")) returned 0 [0082.799] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0082.799] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 116 [0082.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.800] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.801] CloseHandle (hObject=0x438) returned 1 [0082.801] GetProcessHeap () returned 0x3a00000 [0082.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.801] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2178e943, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xf7b6c04b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7b6c04b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}", cAlternateFileName="{FC01E~1")) returned 0 [0082.801] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0082.801] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0082.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Provisioning\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\provisioning\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.802] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.803] CloseHandle (hObject=0x434) returned 1 [0082.803] GetProcessHeap () returned 0x3a00000 [0082.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.803] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb7a500e7, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Search", cAlternateFileName="")) returned 1 [0082.803] lstrcmpiW (lpString1="Search", lpString2="Windows") returned -1 [0082.803] lstrcmpiW (lpString1="Search", lpString2="$Recycle.bin") returned 1 [0082.803] lstrcmpiW (lpString1="Search", lpString2="System Volume Information") returned -1 [0082.803] lstrcmpiW (lpString1="Search", lpString2="Program Files") returned 1 [0082.803] lstrcmpiW (lpString1="Search", lpString2="Program Files (x86)") returned 1 [0082.803] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search") returned 39 [0082.803] lstrcmpW (lpString1="Search", lpString2=".") returned 1 [0082.803] lstrcmpW (lpString1="Search", lpString2="..") returned 1 [0082.803] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.803] GetProcessHeap () returned 0x3a00000 [0082.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.803] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*") returned 41 [0082.803] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0082.804] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.804] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.804] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.804] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.804] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.804] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\.") returned 41 [0082.804] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.804] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb79dd84e, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xb7a500e7, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.804] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.804] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.804] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.804] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.804] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.804] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\..") returned 42 [0082.804] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.804] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.804] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.804] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.804] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.804] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.804] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.804] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.804] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0082.804] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.804] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.804] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 1 [0082.804] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0082.804] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0082.805] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0082.805] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0082.805] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0082.805] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data") returned 44 [0082.805] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0082.805] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0082.805] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.805] GetProcessHeap () returned 0x3a00000 [0082.805] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*") returned 46 [0082.805] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0082.805] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.805] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.805] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.805] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.805] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\.") returned 46 [0082.805] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.805] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.805] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.805] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.805] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.805] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.805] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.805] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\..") returned 47 [0082.805] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.805] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.805] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.805] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.806] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.806] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.806] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.806] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.806] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.806] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.806] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.806] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x769ae22f, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Applications", cAlternateFileName="APPLIC~1")) returned 1 [0082.806] lstrcmpiW (lpString1="Applications", lpString2="Windows") returned -1 [0082.806] lstrcmpiW (lpString1="Applications", lpString2="$Recycle.bin") returned 1 [0082.806] lstrcmpiW (lpString1="Applications", lpString2="System Volume Information") returned -1 [0082.806] lstrcmpiW (lpString1="Applications", lpString2="Program Files") returned -1 [0082.806] lstrcmpiW (lpString1="Applications", lpString2="Program Files (x86)") returned -1 [0082.806] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications") returned 57 [0082.806] lstrcmpW (lpString1="Applications", lpString2=".") returned 1 [0082.806] lstrcmpW (lpString1="Applications", lpString2="..") returned 1 [0082.806] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.806] GetProcessHeap () returned 0x3a00000 [0082.806] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.806] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*") returned 59 [0082.806] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7c2ac21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.806] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.806] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.806] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.806] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.806] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.806] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\.") returned 59 [0082.806] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.806] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x768c9439, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x769ae22f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7c2ac21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.807] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.807] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.807] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.807] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.807] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.807] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\..") returned 60 [0082.807] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.807] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.807] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7c2ac21, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c2ac21, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c2ac21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.807] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.807] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.807] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.807] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.807] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.807] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0082.807] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.807] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.807] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ae22f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfd58d8c3, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xfd58d8c3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0082.807] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0082.807] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x769ae22f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xfd58d8c3, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xfd58d8c3, ftLastWriteTime.dwHighDateTime=0x1d336c5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 0 [0082.807] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.807] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0082.807] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Applications\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\applications\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.808] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.809] CloseHandle (hObject=0x43c) returned 1 [0082.809] GetProcessHeap () returned 0x3a00000 [0082.809] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.809] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb99ea4ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb99ea4ee, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0082.809] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0082.809] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0082.809] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0082.809] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0082.809] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0082.809] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp") returned 49 [0082.809] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0082.809] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0082.809] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.809] GetProcessHeap () returned 0x3a00000 [0082.809] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.809] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*") returned 51 [0082.809] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb99ea4ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\.") returned 51 [0082.810] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.810] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb99ea4ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.810] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.810] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.810] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.810] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.810] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\..") returned 52 [0082.810] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.810] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.810] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.810] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.810] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0082.810] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.810] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.810] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.810] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.811] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0082.811] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.820] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.821] CloseHandle (hObject=0x43c) returned 1 [0082.821] GetProcessHeap () returned 0x3a00000 [0082.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.821] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f173b05, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xb99ea4ee, ftLastAccessTime.dwHighDateTime=0x1d33839, ftLastWriteTime.dwLowDateTime=0xb99ea4ee, ftLastWriteTime.dwHighDateTime=0x1d33839, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 0 [0082.821] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0082.821] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.822] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.823] CloseHandle (hObject=0x438) returned 1 [0082.823] GetProcessHeap () returned 0x3a00000 [0082.823] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.823] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2f068b0c, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x768c9439, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x768c9439, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 0 [0082.823] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0082.823] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0082.823] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Search\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\search\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.824] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.825] CloseHandle (hObject=0x434) returned 1 [0082.825] GetProcessHeap () returned 0x3a00000 [0082.825] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.825] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Settings", cAlternateFileName="")) returned 1 [0082.825] lstrcmpiW (lpString1="Settings", lpString2="Windows") returned -1 [0082.825] lstrcmpiW (lpString1="Settings", lpString2="$Recycle.bin") returned 1 [0082.825] lstrcmpiW (lpString1="Settings", lpString2="System Volume Information") returned -1 [0082.825] lstrcmpiW (lpString1="Settings", lpString2="Program Files") returned 1 [0082.825] lstrcmpiW (lpString1="Settings", lpString2="Program Files (x86)") returned 1 [0082.825] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings") returned 41 [0082.825] lstrcmpW (lpString1="Settings", lpString2=".") returned 1 [0082.825] lstrcmpW (lpString1="Settings", lpString2="..") returned 1 [0082.825] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.825] GetProcessHeap () returned 0x3a00000 [0082.825] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.825] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\*") returned 43 [0082.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c77601, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.826] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.826] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.826] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.826] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.826] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.826] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\.") returned 43 [0082.826] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.826] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30e3b7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c77601, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.826] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.826] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.826] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.826] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.826] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.826] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\..") returned 44 [0082.826] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.826] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.826] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c77601, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c77601, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c77601, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.826] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.826] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.826] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.826] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.826] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.826] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0082.826] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.826] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.826] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Accounts", cAlternateFileName="")) returned 1 [0082.826] lstrcmpiW (lpString1="Accounts", lpString2="Windows") returned -1 [0082.826] lstrcmpiW (lpString1="Accounts", lpString2="$Recycle.bin") returned 1 [0082.826] lstrcmpiW (lpString1="Accounts", lpString2="System Volume Information") returned -1 [0082.826] lstrcmpiW (lpString1="Accounts", lpString2="Program Files") returned -1 [0082.826] lstrcmpiW (lpString1="Accounts", lpString2="Program Files (x86)") returned -1 [0082.827] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts") returned 50 [0082.827] lstrcmpW (lpString1="Accounts", lpString2=".") returned 1 [0082.827] lstrcmpW (lpString1="Accounts", lpString2="..") returned 1 [0082.827] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.827] GetProcessHeap () returned 0x3a00000 [0082.827] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.827] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\*") returned 52 [0082.827] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0082.827] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.827] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.827] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.827] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.827] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.827] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\.") returned 52 [0082.827] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.827] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c50e7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.827] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.827] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.827] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.828] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.828] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.828] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\..") returned 53 [0082.828] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.828] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.828] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c77601, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.828] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.828] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.828] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.828] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.828] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.828] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.828] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.828] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.828] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c50e7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c50e7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c77601, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.828] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0082.828] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0082.828] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\Accounts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\settings\\accounts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.829] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.830] CloseHandle (hObject=0x438) returned 1 [0082.830] GetProcessHeap () returned 0x3a00000 [0082.830] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.830] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe30ecb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Accounts", cAlternateFileName="")) returned 0 [0082.830] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.830] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0082.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Settings\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\settings\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.831] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.832] CloseHandle (hObject=0x434) returned 1 [0082.832] GetProcessHeap () returned 0x3a00000 [0082.832] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.832] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsRouter", cAlternateFileName="SMSROU~1")) returned 1 [0082.832] lstrcmpiW (lpString1="SmsRouter", lpString2="Windows") returned -1 [0082.832] lstrcmpiW (lpString1="SmsRouter", lpString2="$Recycle.bin") returned 1 [0082.832] lstrcmpiW (lpString1="SmsRouter", lpString2="System Volume Information") returned -1 [0082.832] lstrcmpiW (lpString1="SmsRouter", lpString2="Program Files") returned 1 [0082.832] lstrcmpiW (lpString1="SmsRouter", lpString2="Program Files (x86)") returned 1 [0082.832] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter") returned 42 [0082.832] lstrcmpW (lpString1="SmsRouter", lpString2=".") returned 1 [0082.832] lstrcmpW (lpString1="SmsRouter", lpString2="..") returned 1 [0082.832] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.832] GetProcessHeap () returned 0x3a00000 [0082.832] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.832] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*") returned 44 [0082.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.832] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.832] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.832] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.832] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\.") returned 44 [0082.832] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.833] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dcfea0a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dcfea0a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.833] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.833] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.833] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.833] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.833] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.833] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\..") returned 45 [0082.833] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.833] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.833] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 1 [0082.833] lstrcmpiW (lpString1="MessageStore", lpString2="Windows") returned -1 [0082.833] lstrcmpiW (lpString1="MessageStore", lpString2="$Recycle.bin") returned 1 [0082.833] lstrcmpiW (lpString1="MessageStore", lpString2="System Volume Information") returned -1 [0082.833] lstrcmpiW (lpString1="MessageStore", lpString2="Program Files") returned -1 [0082.833] lstrcmpiW (lpString1="MessageStore", lpString2="Program Files (x86)") returned -1 [0082.833] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore") returned 55 [0082.833] lstrcmpW (lpString1="MessageStore", lpString2=".") returned 1 [0082.833] lstrcmpW (lpString1="MessageStore", lpString2="..") returned 1 [0082.833] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.833] GetProcessHeap () returned 0x3a00000 [0082.833] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.833] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*") returned 57 [0082.833] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.834] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.834] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.834] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.834] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.834] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.834] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\.") returned 57 [0082.834] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.834] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.834] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.834] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.834] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.834] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.834] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.834] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\..") returned 58 [0082.834] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.834] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.834] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b93f8ea, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0082.834] lstrcmpiW (lpString1="edb.chk", lpString2="Windows") returned -1 [0082.834] lstrcmpiW (lpString1="edb.chk", lpString2="$Recycle.bin") returned 1 [0082.835] lstrcmpiW (lpString1="edb.chk", lpString2="System Volume Information") returned -1 [0082.835] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files") returned -1 [0082.835] lstrcmpiW (lpString1="edb.chk", lpString2="Program Files (x86)") returned -1 [0082.835] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk") returned 63 [0082.835] StrStrIW (lpFirst="edb.chk", lpSrch=".ebal") returned 0x0 [0082.835] lstrcmpW (lpString1="edb.chk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.835] lstrcmpW (lpString1="edb.chk", lpString2="taridd") returned -1 [0082.835] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.chk" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.chk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.835] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dec862e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b93f8ea, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb.log", cAlternateFileName="")) returned 1 [0082.835] lstrcmpiW (lpString1="edb.log", lpString2="Windows") returned -1 [0082.835] lstrcmpiW (lpString1="edb.log", lpString2="$Recycle.bin") returned 1 [0082.835] lstrcmpiW (lpString1="edb.log", lpString2="System Volume Information") returned -1 [0082.835] lstrcmpiW (lpString1="edb.log", lpString2="Program Files") returned -1 [0082.835] lstrcmpiW (lpString1="edb.log", lpString2="Program Files (x86)") returned -1 [0082.835] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log") returned 63 [0082.835] StrStrIW (lpFirst="edb.log", lpSrch=".ebal") returned 0x0 [0082.835] lstrcmpW (lpString1="edb.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.835] lstrcmpW (lpString1="edb.log", lpString2="taridd") returned -1 [0082.835] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.835] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.835] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b42ee8a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edb00002.log", cAlternateFileName="")) returned 1 [0082.835] lstrcmpiW (lpString1="edb00002.log", lpString2="Windows") returned -1 [0082.835] lstrcmpiW (lpString1="edb00002.log", lpString2="$Recycle.bin") returned 1 [0082.835] lstrcmpiW (lpString1="edb00002.log", lpString2="System Volume Information") returned -1 [0082.836] lstrcmpiW (lpString1="edb00002.log", lpString2="Program Files") returned -1 [0082.836] lstrcmpiW (lpString1="edb00002.log", lpString2="Program Files (x86)") returned -1 [0082.836] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log") returned 68 [0082.836] StrStrIW (lpFirst="edb00002.log", lpSrch=".ebal") returned 0x0 [0082.836] lstrcmpW (lpString1="edb00002.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.836] lstrcmpW (lpString1="edb00002.log", lpString2="taridd") returned -1 [0082.836] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edb00002.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edb00002.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.836] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dd4ae8d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0082.836] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Windows") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="$Recycle.bin") returned 1 [0082.836] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="System Volume Information") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00001.jrs", lpString2="Program Files (x86)") returned -1 [0082.836] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs") returned 71 [0082.836] StrStrIW (lpFirst="edbres00001.jrs", lpSrch=".ebal") returned 0x0 [0082.836] lstrcmpW (lpString1="edbres00001.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.836] lstrcmpW (lpString1="edbres00001.jrs", lpString2="taridd") returned -1 [0082.836] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.836] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00001.jrs" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.836] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd4ae8d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd4ae8d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1dd4ae8d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0082.836] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Windows") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="$Recycle.bin") returned 1 [0082.836] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="System Volume Information") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files") returned -1 [0082.836] lstrcmpiW (lpString1="edbres00002.jrs", lpString2="Program Files (x86)") returned -1 [0082.836] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs") returned 71 [0082.837] StrStrIW (lpFirst="edbres00002.jrs", lpSrch=".ebal") returned 0x0 [0082.837] lstrcmpW (lpString1="edbres00002.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.837] lstrcmpW (lpString1="edbres00002.jrs", lpString2="taridd") returned -1 [0082.837] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbres00002.jrs" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.837] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd24c5a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd24c5a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1deee89a, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="edbtmp.log", cAlternateFileName="")) returned 1 [0082.837] lstrcmpiW (lpString1="edbtmp.log", lpString2="Windows") returned -1 [0082.837] lstrcmpiW (lpString1="edbtmp.log", lpString2="$Recycle.bin") returned 1 [0082.837] lstrcmpiW (lpString1="edbtmp.log", lpString2="System Volume Information") returned -1 [0082.837] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files") returned -1 [0082.837] lstrcmpiW (lpString1="edbtmp.log", lpString2="Program Files (x86)") returned -1 [0082.837] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log") returned 66 [0082.837] StrStrIW (lpFirst="edbtmp.log", lpSrch=".ebal") returned 0x0 [0082.837] lstrcmpW (lpString1="edbtmp.log", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.837] lstrcmpW (lpString1="edbtmp.log", lpString2="taridd") returned -1 [0082.837] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.837] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\edbtmp.log" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\edbtmp.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.837] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd973cb, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd973cb, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x30000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.db", cAlternateFileName="SMSINT~1.DB")) returned 1 [0082.837] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Windows") returned -1 [0082.837] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="$Recycle.bin") returned 1 [0082.837] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="System Volume Information") returned -1 [0082.837] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Program Files") returned 1 [0082.837] lstrcmpiW (lpString1="SmsInterceptStore.db", lpString2="Program Files (x86)") returned 1 [0082.837] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db") returned 76 [0082.837] StrStrIW (lpFirst="SmsInterceptStore.db", lpSrch=".ebal") returned 0x0 [0082.837] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.837] lstrcmpW (lpString1="SmsInterceptStore.db", lpString2="taridd") returned -1 [0082.838] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.db" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.db"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.838] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd7110f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd7110f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.jfm", cAlternateFileName="SMSINT~1.JFM")) returned 1 [0082.838] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Windows") returned -1 [0082.838] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="$Recycle.bin") returned 1 [0082.838] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="System Volume Information") returned -1 [0082.838] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Program Files") returned 1 [0082.838] lstrcmpiW (lpString1="SmsInterceptStore.jfm", lpString2="Program Files (x86)") returned 1 [0082.838] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm") returned 77 [0082.838] StrStrIW (lpFirst="SmsInterceptStore.jfm", lpSrch=".ebal") returned 0x0 [0082.838] lstrcmpW (lpString1="SmsInterceptStore.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.838] lstrcmpW (lpString1="SmsInterceptStore.jfm", lpString2="taridd") returned -1 [0082.838] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.838] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\SmsInterceptStore.jfm" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\smsinterceptstore.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.838] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1dd7110f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1dd7110f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x1b74fcb1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SmsInterceptStore.jfm", cAlternateFileName="SMSINT~1.JFM")) returned 0 [0082.838] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.839] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\MessageStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\messagestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.844] GetProcessHeap () returned 0x3a00000 [0082.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.844] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1dcfea0a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x1b408c4a, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0x1b408c4a, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MessageStore", cAlternateFileName="MESSAG~1")) returned 0 [0082.844] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.845] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 74 [0082.845] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\SmsRouter\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\smsrouter\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.845] GetProcessHeap () returned 0x3a00000 [0082.845] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.845] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Spectrum", cAlternateFileName="")) returned 1 [0082.845] lstrcmpiW (lpString1="Spectrum", lpString2="Windows") returned -1 [0082.845] lstrcmpiW (lpString1="Spectrum", lpString2="$Recycle.bin") returned 1 [0082.845] lstrcmpiW (lpString1="Spectrum", lpString2="System Volume Information") returned -1 [0082.845] lstrcmpiW (lpString1="Spectrum", lpString2="Program Files") returned 1 [0082.845] lstrcmpiW (lpString1="Spectrum", lpString2="Program Files (x86)") returned 1 [0082.845] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum") returned 41 [0082.845] lstrcmpW (lpString1="Spectrum", lpString2=".") returned 1 [0082.845] lstrcmpW (lpString1="Spectrum", lpString2="..") returned 1 [0082.845] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.845] GetProcessHeap () returned 0x3a00000 [0082.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.845] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\*") returned 43 [0082.845] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c9d38a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0082.845] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.845] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.845] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.845] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.845] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.845] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\.") returned 43 [0082.845] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.845] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe3607ea, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7c9d38a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.846] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.846] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.846] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.846] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.846] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.846] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\..") returned 44 [0082.846] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.846] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.846] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c9d38a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c9d38a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c9d38a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.846] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.846] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0082.846] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.846] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.846] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7c9d38a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7c9d38a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7c9d38a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.846] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0082.846] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0082.846] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Spectrum\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\spectrum\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.847] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.848] CloseHandle (hObject=0x434) returned 1 [0082.848] GetProcessHeap () returned 0x3a00000 [0082.848] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.848] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Speech_OneCore", cAlternateFileName="SPEECH~1")) returned 1 [0082.848] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Windows") returned -1 [0082.848] lstrcmpiW (lpString1="Speech_OneCore", lpString2="$Recycle.bin") returned 1 [0082.848] lstrcmpiW (lpString1="Speech_OneCore", lpString2="System Volume Information") returned -1 [0082.848] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Program Files") returned 1 [0082.848] lstrcmpiW (lpString1="Speech_OneCore", lpString2="Program Files (x86)") returned 1 [0082.848] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore") returned 47 [0082.848] lstrcmpW (lpString1="Speech_OneCore", lpString2=".") returned 1 [0082.849] lstrcmpW (lpString1="Speech_OneCore", lpString2="..") returned 1 [0082.849] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.849] GetProcessHeap () returned 0x3a00000 [0082.849] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\*") returned 49 [0082.849] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0082.849] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.849] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.849] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.849] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.849] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\.") returned 49 [0082.849] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.849] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe360d61, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.849] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.849] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.849] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.849] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.849] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\..") returned 50 [0082.849] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.849] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.849] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cc35f2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.849] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.849] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.849] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.849] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.849] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.849] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0082.850] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.850] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.850] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cc35f2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.850] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0082.850] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0082.850] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Speech_OneCore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\speech_onecore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.851] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.851] CloseHandle (hObject=0x434) returned 1 [0082.852] GetProcessHeap () returned 0x3a00000 [0082.852] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.852] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Storage Health", cAlternateFileName="STORAG~1")) returned 1 [0082.852] lstrcmpiW (lpString1="Storage Health", lpString2="Windows") returned -1 [0082.852] lstrcmpiW (lpString1="Storage Health", lpString2="$Recycle.bin") returned 1 [0082.852] lstrcmpiW (lpString1="Storage Health", lpString2="System Volume Information") returned -1 [0082.852] lstrcmpiW (lpString1="Storage Health", lpString2="Program Files") returned 1 [0082.852] lstrcmpiW (lpString1="Storage Health", lpString2="Program Files (x86)") returned 1 [0082.852] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health") returned 47 [0082.852] lstrcmpW (lpString1="Storage Health", lpString2=".") returned 1 [0082.852] lstrcmpW (lpString1="Storage Health", lpString2="..") returned 1 [0082.852] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.852] GetProcessHeap () returned 0x3a00000 [0082.852] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\*") returned 49 [0082.852] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ce9766, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0082.852] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.852] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.852] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.852] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.852] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.852] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\.") returned 49 [0082.852] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.852] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ce9766, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.852] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.852] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.852] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.853] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.853] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\..") returned 50 [0082.853] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.853] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.853] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7cc35f2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7cc35f2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7ce9766, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.853] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.853] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.853] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.853] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.853] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0082.853] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.853] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.853] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4dcad0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb4dcad0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xf7cc35f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x18f5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="STORAG~1.EBA")) returned 1 [0082.853] lstrcmpiW (lpString1="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.853] lstrcmpiW (lpString1="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.853] lstrcmpiW (lpString1="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.853] lstrcmpiW (lpString1="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.853] lstrcmpiW (lpString1="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\StorageEventsArchive.dat_r00t_{8ew5f6}.ebal") returned 91 [0082.853] StrStrIW (lpFirst="StorageEventsArchive.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.853] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1375f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageHealthModel.dat", cAlternateFileName="")) returned 1 [0082.853] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Windows") returned -1 [0082.853] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="$Recycle.bin") returned 1 [0082.853] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="System Volume Information") returned -1 [0082.853] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Program Files") returned 1 [0082.853] lstrcmpiW (lpString1="StorageHealthModel.dat", lpString2="Program Files (x86)") returned 1 [0082.853] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\StorageHealthModel.dat") returned 70 [0082.853] StrStrIW (lpFirst="StorageHealthModel.dat", lpSrch=".ebal") returned 0x0 [0082.853] lstrcmpW (lpString1="StorageHealthModel.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.853] lstrcmpW (lpString1="StorageHealthModel.dat", lpString2="taridd") returned -1 [0082.853] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\StorageHealthModel.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\StorageHealthModel.dat" (normalized: "c:\\users\\all users\\microsoft\\storage health\\storagehealthmodel.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.854] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x529e643a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x529e643a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x529e643a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1375f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="StorageHealthModel.dat", cAlternateFileName="")) returned 0 [0082.854] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0082.854] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0082.854] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Storage Health\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\storage health\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.855] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.856] CloseHandle (hObject=0x434) returned 1 [0082.856] GetProcessHeap () returned 0x3a00000 [0082.856] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.856] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UEV", cAlternateFileName="")) returned 1 [0082.856] lstrcmpiW (lpString1="UEV", lpString2="Windows") returned -1 [0082.856] lstrcmpiW (lpString1="UEV", lpString2="$Recycle.bin") returned 1 [0082.856] lstrcmpiW (lpString1="UEV", lpString2="System Volume Information") returned 1 [0082.856] lstrcmpiW (lpString1="UEV", lpString2="Program Files") returned 1 [0082.856] lstrcmpiW (lpString1="UEV", lpString2="Program Files (x86)") returned 1 [0082.856] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV") returned 36 [0082.856] lstrcmpW (lpString1="UEV", lpString2=".") returned 1 [0082.856] lstrcmpW (lpString1="UEV", lpString2="..") returned 1 [0082.856] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.856] GetProcessHeap () returned 0x3a00000 [0082.856] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.856] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\*") returned 38 [0082.856] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.856] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.856] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.856] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.856] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.856] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.856] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\.") returned 38 [0082.856] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.857] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe3615f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.857] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.857] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.857] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.857] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.857] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.857] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\..") returned 39 [0082.857] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.857] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.857] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7eb3443, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7eb3443, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.857] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.857] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.857] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.857] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.857] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.857] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.857] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.857] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.857] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe825779a, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="InboxTemplates", cAlternateFileName="INBOXT~1")) returned 1 [0082.857] lstrcmpiW (lpString1="InboxTemplates", lpString2="Windows") returned -1 [0082.857] lstrcmpiW (lpString1="InboxTemplates", lpString2="$Recycle.bin") returned 1 [0082.857] lstrcmpiW (lpString1="InboxTemplates", lpString2="System Volume Information") returned -1 [0082.857] lstrcmpiW (lpString1="InboxTemplates", lpString2="Program Files") returned -1 [0082.857] lstrcmpiW (lpString1="InboxTemplates", lpString2="Program Files (x86)") returned -1 [0082.857] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates") returned 51 [0082.857] lstrcmpW (lpString1="InboxTemplates", lpString2=".") returned 1 [0082.857] lstrcmpW (lpString1="InboxTemplates", lpString2="..") returned 1 [0082.857] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.857] GetProcessHeap () returned 0x3a00000 [0082.857] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.857] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\*") returned 53 [0082.857] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0082.858] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.858] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.858] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.858] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.858] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.858] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\.") returned 53 [0082.858] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.858] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46867b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.858] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.858] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.858] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.858] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.858] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.858] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\..") returned 54 [0082.858] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.858] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.858] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7e8d17a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7e8d17a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.858] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.858] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.858] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.858] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.858] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.858] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.858] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.858] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.859] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf88ddb5, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf88ddb5, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x4771, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DesktopSettings2013.xml", cAlternateFileName="")) returned 1 [0082.859] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Windows") returned -1 [0082.859] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0082.859] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="System Volume Information") returned -1 [0082.859] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Program Files") returned -1 [0082.859] lstrcmpiW (lpString1="DesktopSettings2013.xml", lpString2="Program Files (x86)") returned -1 [0082.859] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml") returned 75 [0082.859] StrStrIW (lpFirst="DesktopSettings2013.xml", lpSrch=".ebal") returned 0x0 [0082.859] lstrcmpW (lpString1="DesktopSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.859] lstrcmpW (lpString1="DesktopSettings2013.xml", lpString2="taridd") returned -1 [0082.859] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\DesktopSettings2013.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\desktopsettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.859] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x173d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="EaseOfAccessSettings2013.xml", cAlternateFileName="")) returned 1 [0082.859] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Windows") returned -1 [0082.859] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0082.859] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="System Volume Information") returned -1 [0082.859] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Program Files") returned -1 [0082.859] lstrcmpiW (lpString1="EaseOfAccessSettings2013.xml", lpString2="Program Files (x86)") returned -1 [0082.859] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml") returned 80 [0082.859] StrStrIW (lpFirst="EaseOfAccessSettings2013.xml", lpSrch=".ebal") returned 0x0 [0082.859] lstrcmpW (lpString1="EaseOfAccessSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.859] lstrcmpW (lpString1="EaseOfAccessSettings2013.xml", lpString2="taridd") returned -1 [0082.859] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.859] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\EaseOfAccessSettings2013.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\easeofaccesssettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.860] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc27, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftInternetExplorer2013.xml", cAlternateFileName="")) returned 1 [0082.860] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Windows") returned -1 [0082.860] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="$Recycle.bin") returned 1 [0082.860] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="System Volume Information") returned -1 [0082.860] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Program Files") returned -1 [0082.860] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="Program Files (x86)") returned -1 [0082.860] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml") returned 85 [0082.860] StrStrIW (lpFirst="MicrosoftInternetExplorer2013.xml", lpSrch=".ebal") returned 0x0 [0082.860] lstrcmpW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.860] lstrcmpW (lpString1="MicrosoftInternetExplorer2013.xml", lpString2="taridd") returned -1 [0082.860] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.860] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftinternetexplorer2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.861] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x9eb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftInternetExplorer2013Backup.xml", cAlternateFileName="")) returned 1 [0082.861] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Windows") returned -1 [0082.861] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="$Recycle.bin") returned 1 [0082.861] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="System Volume Information") returned -1 [0082.861] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Program Files") returned -1 [0082.861] lstrcmpiW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="Program Files (x86)") returned -1 [0082.861] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml") returned 91 [0082.861] StrStrIW (lpFirst="MicrosoftInternetExplorer2013Backup.xml", lpSrch=".ebal") returned 0x0 [0082.861] lstrcmpW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.861] lstrcmpW (lpString1="MicrosoftInternetExplorer2013Backup.xml", lpString2="taridd") returned -1 [0082.861] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.861] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftInternetExplorer2013Backup.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftinternetexplorer2013backup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.862] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xf80, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2010.xml", cAlternateFileName="")) returned 1 [0082.862] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Windows") returned -1 [0082.862] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="$Recycle.bin") returned 1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="System Volume Information") returned -1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Program Files") returned -1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2010.xml", lpString2="Program Files (x86)") returned -1 [0082.863] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml") returned 73 [0082.863] StrStrIW (lpFirst="MicrosoftLync2010.xml", lpSrch=".ebal") returned 0x0 [0082.863] lstrcmpW (lpString1="MicrosoftLync2010.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.863] lstrcmpW (lpString1="MicrosoftLync2010.xml", lpString2="taridd") returned -1 [0082.863] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2010.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftlync2010.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.863] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2013Win32.xml", cAlternateFileName="")) returned 1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Windows") returned -1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="System Volume Information") returned -1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Program Files") returned -1 [0082.863] lstrcmpiW (lpString1="MicrosoftLync2013Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.863] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml") returned 78 [0082.863] StrStrIW (lpFirst="MicrosoftLync2013Win32.xml", lpSrch=".ebal") returned 0x0 [0082.863] lstrcmpW (lpString1="MicrosoftLync2013Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.863] lstrcmpW (lpString1="MicrosoftLync2013Win32.xml", lpString2="taridd") returned -1 [0082.863] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.863] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftlync2013win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.863] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb31, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftLync2013Win64.xml", cAlternateFileName="")) returned 1 [0082.864] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Windows") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.864] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="System Volume Information") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Program Files") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftLync2013Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.864] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml") returned 78 [0082.864] StrStrIW (lpFirst="MicrosoftLync2013Win64.xml", lpSrch=".ebal") returned 0x0 [0082.864] lstrcmpW (lpString1="MicrosoftLync2013Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.864] lstrcmpW (lpString1="MicrosoftLync2013Win64.xml", lpString2="taridd") returned -1 [0082.864] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftLync2013Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftlync2013win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.864] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3bd, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftNotepad.xml", cAlternateFileName="")) returned 1 [0082.864] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Windows") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="$Recycle.bin") returned 1 [0082.864] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="System Volume Information") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Program Files") returned -1 [0082.864] lstrcmpiW (lpString1="MicrosoftNotepad.xml", lpString2="Program Files (x86)") returned -1 [0082.864] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml") returned 72 [0082.864] StrStrIW (lpFirst="MicrosoftNotepad.xml", lpSrch=".ebal") returned 0x0 [0082.864] lstrcmpW (lpString1="MicrosoftNotepad.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.864] lstrcmpW (lpString1="MicrosoftNotepad.xml", lpString2="taridd") returned -1 [0082.864] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftNotepad.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftnotepad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.865] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x11c51, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2010Win32.xml", cAlternateFileName="")) returned 1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Windows") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="System Volume Information") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Program Files") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.865] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml") returned 80 [0082.865] StrStrIW (lpFirst="MicrosoftOffice2010Win32.xml", lpSrch=".ebal") returned 0x0 [0082.865] lstrcmpW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.865] lstrcmpW (lpString1="MicrosoftOffice2010Win32.xml", lpString2="taridd") returned -1 [0082.865] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2010win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.865] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x11c51, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2010Win64.xml", cAlternateFileName="")) returned 1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Windows") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="System Volume Information") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Program Files") returned -1 [0082.865] lstrcmpiW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.865] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml") returned 80 [0082.865] StrStrIW (lpFirst="MicrosoftOffice2010Win64.xml", lpSrch=".ebal") returned 0x0 [0082.865] lstrcmpW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.865] lstrcmpW (lpString1="MicrosoftOffice2010Win64.xml", lpString2="taridd") returned -1 [0082.865] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2010Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2010win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.866] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013BackupWin32.xml", cAlternateFileName="")) returned 1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Windows") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="$Recycle.bin") returned 1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="System Volume Information") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Program Files") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="Program Files (x86)") returned -1 [0082.866] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml") returned 86 [0082.866] StrStrIW (lpFirst="MicrosoftOffice2013BackupWin32.xml", lpSrch=".ebal") returned 0x0 [0082.866] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.866] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin32.xml", lpString2="taridd") returned -1 [0082.866] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.866] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013backupwin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.866] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013BackupWin64.xml", cAlternateFileName="")) returned 1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Windows") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="$Recycle.bin") returned 1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="System Volume Information") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Program Files") returned -1 [0082.866] lstrcmpiW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="Program Files (x86)") returned -1 [0082.866] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml") returned 86 [0082.866] StrStrIW (lpFirst="MicrosoftOffice2013BackupWin64.xml", lpSrch=".ebal") returned 0x0 [0082.866] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.867] lstrcmpW (lpString1="MicrosoftOffice2013BackupWin64.xml", lpString2="taridd") returned -1 [0082.867] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013BackupWin64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013backupwin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.867] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf88ddb5, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf88ddb5, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2964, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Office365Win32.xml", cAlternateFileName="")) returned 1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Windows") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="System Volume Information") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Program Files") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.867] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml") returned 89 [0082.867] StrStrIW (lpFirst="MicrosoftOffice2013Office365Win32.xml", lpSrch=".ebal") returned 0x0 [0082.867] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.867] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win32.xml", lpString2="taridd") returned -1 [0082.867] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.867] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013office365win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.867] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2964, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Office365Win64.xml", cAlternateFileName="")) returned 1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Windows") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="System Volume Information") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Program Files") returned -1 [0082.867] lstrcmpiW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.867] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml") returned 89 [0082.867] StrStrIW (lpFirst="MicrosoftOffice2013Office365Win64.xml", lpSrch=".ebal") returned 0x0 [0082.867] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.867] lstrcmpW (lpString1="MicrosoftOffice2013Office365Win64.xml", lpString2="taridd") returned -1 [0082.867] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Office365Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013office365win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.868] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10b0f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Win32.xml", cAlternateFileName="")) returned 1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Windows") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="System Volume Information") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Program Files") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.868] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml") returned 80 [0082.868] StrStrIW (lpFirst="MicrosoftOffice2013Win32.xml", lpSrch=".ebal") returned 0x0 [0082.868] lstrcmpW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.868] lstrcmpW (lpString1="MicrosoftOffice2013Win32.xml", lpString2="taridd") returned -1 [0082.868] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.868] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.868] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x10b0f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2013Win64.xml", cAlternateFileName="")) returned 1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Windows") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="System Volume Information") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Program Files") returned -1 [0082.868] lstrcmpiW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.868] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml") returned 80 [0082.868] StrStrIW (lpFirst="MicrosoftOffice2013Win64.xml", lpSrch=".ebal") returned 0x0 [0082.868] lstrcmpW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.868] lstrcmpW (lpString1="MicrosoftOffice2013Win64.xml", lpString2="taridd") returned -1 [0082.869] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2013Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2013win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.869] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016BackupWin32.xml", cAlternateFileName="")) returned 1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Windows") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="$Recycle.bin") returned 1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="System Volume Information") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Program Files") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="Program Files (x86)") returned -1 [0082.869] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml") returned 86 [0082.869] StrStrIW (lpFirst="MicrosoftOffice2016BackupWin32.xml", lpSrch=".ebal") returned 0x0 [0082.869] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.869] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin32.xml", lpString2="taridd") returned -1 [0082.869] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016backupwin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.869] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3368, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016BackupWin64.xml", cAlternateFileName="")) returned 1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Windows") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="$Recycle.bin") returned 1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="System Volume Information") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Program Files") returned -1 [0082.869] lstrcmpiW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="Program Files (x86)") returned -1 [0082.869] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml") returned 86 [0082.869] StrStrIW (lpFirst="MicrosoftOffice2016BackupWin64.xml", lpSrch=".ebal") returned 0x0 [0082.869] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.869] lstrcmpW (lpString1="MicrosoftOffice2016BackupWin64.xml", lpString2="taridd") returned -1 [0082.870] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016BackupWin64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016backupwin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.870] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x100c3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016Win32.xml", cAlternateFileName="")) returned 1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Windows") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="System Volume Information") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Program Files") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.870] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml") returned 80 [0082.870] StrStrIW (lpFirst="MicrosoftOffice2016Win32.xml", lpSrch=".ebal") returned 0x0 [0082.870] lstrcmpW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.870] lstrcmpW (lpString1="MicrosoftOffice2016Win32.xml", lpString2="taridd") returned -1 [0082.870] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.870] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.870] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x100c6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOffice2016Win64.xml", cAlternateFileName="")) returned 1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Windows") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="System Volume Information") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Program Files") returned -1 [0082.870] lstrcmpiW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.870] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml") returned 80 [0082.870] StrStrIW (lpFirst="MicrosoftOffice2016Win64.xml", lpSrch=".ebal") returned 0x0 [0082.870] lstrcmpW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.870] lstrcmpW (lpString1="MicrosoftOffice2016Win64.xml", lpString2="taridd") returned -1 [0082.870] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOffice2016Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoffice2016win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.871] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2013CAWin32.xml", cAlternateFileName="")) returned 1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Windows") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="$Recycle.bin") returned 1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="System Volume Information") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Program Files") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="Program Files (x86)") returned -1 [0082.871] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml") returned 83 [0082.871] StrStrIW (lpFirst="MicrosoftOutlook2013CAWin32.xml", lpSrch=".ebal") returned 0x0 [0082.871] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.871] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin32.xml", lpString2="taridd") returned -1 [0082.871] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2013cawin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.871] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x506, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2013CAWin64.xml", cAlternateFileName="")) returned 1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Windows") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="$Recycle.bin") returned 1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="System Volume Information") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Program Files") returned -1 [0082.871] lstrcmpiW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="Program Files (x86)") returned -1 [0082.871] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml") returned 83 [0082.871] StrStrIW (lpFirst="MicrosoftOutlook2013CAWin64.xml", lpSrch=".ebal") returned 0x0 [0082.871] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.871] lstrcmpW (lpString1="MicrosoftOutlook2013CAWin64.xml", lpString2="taridd") returned -1 [0082.871] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.871] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2013CAWin64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2013cawin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.872] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x509, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2016CAWin32.xml", cAlternateFileName="")) returned 1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Windows") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="$Recycle.bin") returned 1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="System Volume Information") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Program Files") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="Program Files (x86)") returned -1 [0082.872] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml") returned 83 [0082.872] StrStrIW (lpFirst="MicrosoftOutlook2016CAWin32.xml", lpSrch=".ebal") returned 0x0 [0082.872] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.872] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin32.xml", lpString2="taridd") returned -1 [0082.872] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2016cawin32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.872] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x509, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftOutlook2016CAWin64.xml", cAlternateFileName="")) returned 1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Windows") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="$Recycle.bin") returned 1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="System Volume Information") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Program Files") returned -1 [0082.872] lstrcmpiW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="Program Files (x86)") returned -1 [0082.872] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml") returned 83 [0082.872] StrStrIW (lpFirst="MicrosoftOutlook2016CAWin64.xml", lpSrch=".ebal") returned 0x0 [0082.872] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.872] lstrcmpW (lpString1="MicrosoftOutlook2016CAWin64.xml", lpString2="taridd") returned -1 [0082.872] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftOutlook2016CAWin64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftoutlook2016cawin64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.872] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftSkypeForBusiness2016Win32.xml", cAlternateFileName="")) returned 1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Windows") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="$Recycle.bin") returned 1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="System Volume Information") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Program Files") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="Program Files (x86)") returned -1 [0082.873] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml") returned 90 [0082.873] StrStrIW (lpFirst="MicrosoftSkypeForBusiness2016Win32.xml", lpSrch=".ebal") returned 0x0 [0082.873] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.873] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win32.xml", lpString2="taridd") returned -1 [0082.873] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win32.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftskypeforbusiness2016win32.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.873] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftSkypeForBusiness2016Win64.xml", cAlternateFileName="")) returned 1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Windows") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="$Recycle.bin") returned 1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="System Volume Information") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Program Files") returned -1 [0082.873] lstrcmpiW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="Program Files (x86)") returned -1 [0082.873] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml") returned 90 [0082.873] StrStrIW (lpFirst="MicrosoftSkypeForBusiness2016Win64.xml", lpSrch=".ebal") returned 0x0 [0082.873] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.873] lstrcmpW (lpString1="MicrosoftSkypeForBusiness2016Win64.xml", lpString2="taridd") returned -1 [0082.873] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftSkypeForBusiness2016Win64.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftskypeforbusiness2016win64.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.874] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79ac20de, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79ac20de, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79ac20de, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x3ed, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MicrosoftWordpad.xml", cAlternateFileName="")) returned 1 [0082.874] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Windows") returned -1 [0082.874] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="$Recycle.bin") returned 1 [0082.874] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="System Volume Information") returned -1 [0082.874] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Program Files") returned -1 [0082.874] lstrcmpiW (lpString1="MicrosoftWordpad.xml", lpString2="Program Files (x86)") returned -1 [0082.874] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml") returned 72 [0082.874] StrStrIW (lpFirst="MicrosoftWordpad.xml", lpSrch=".ebal") returned 0x0 [0082.874] lstrcmpW (lpString1="MicrosoftWordpad.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.874] lstrcmpW (lpString1="MicrosoftWordpad.xml", lpString2="taridd") returned -1 [0082.874] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\MicrosoftWordpad.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\microsoftwordpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.874] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x85f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NetworkPrinters.xml", cAlternateFileName="")) returned 1 [0082.874] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Windows") returned -1 [0082.874] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="$Recycle.bin") returned 1 [0082.874] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="System Volume Information") returned -1 [0082.874] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Program Files") returned -1 [0082.874] lstrcmpiW (lpString1="NetworkPrinters.xml", lpString2="Program Files (x86)") returned -1 [0082.874] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml") returned 71 [0082.874] StrStrIW (lpFirst="NetworkPrinters.xml", lpSrch=".ebal") returned 0x0 [0082.874] lstrcmpW (lpString1="NetworkPrinters.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.874] lstrcmpW (lpString1="NetworkPrinters.xml", lpString2="taridd") returned -1 [0082.874] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.874] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\NetworkPrinters.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\networkprinters.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.875] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd59, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RoamingCredentialSettings.xml", cAlternateFileName="")) returned 1 [0082.875] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Windows") returned -1 [0082.875] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="$Recycle.bin") returned 1 [0082.875] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="System Volume Information") returned -1 [0082.875] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Program Files") returned 1 [0082.875] lstrcmpiW (lpString1="RoamingCredentialSettings.xml", lpString2="Program Files (x86)") returned 1 [0082.875] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml") returned 81 [0082.875] StrStrIW (lpFirst="RoamingCredentialSettings.xml", lpSrch=".ebal") returned 0x0 [0082.875] lstrcmpW (lpString1="RoamingCredentialSettings.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.875] lstrcmpW (lpString1="RoamingCredentialSettings.xml", lpString2="taridd") returned -1 [0082.875] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.875] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\RoamingCredentialSettings.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\roamingcredentialsettings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.879] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a9be83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a9be83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa2e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ThemeSettings2013.xml", cAlternateFileName="")) returned 1 [0082.879] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Windows") returned -1 [0082.879] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="$Recycle.bin") returned 1 [0082.879] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="System Volume Information") returned 1 [0082.879] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Program Files") returned 1 [0082.879] lstrcmpiW (lpString1="ThemeSettings2013.xml", lpString2="Program Files (x86)") returned 1 [0082.879] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml") returned 73 [0082.879] StrStrIW (lpFirst="ThemeSettings2013.xml", lpSrch=".ebal") returned 0x0 [0082.879] lstrcmpW (lpString1="ThemeSettings2013.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.879] lstrcmpW (lpString1="ThemeSettings2013.xml", lpString2="taridd") returned 1 [0082.879] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\ThemeSettings2013.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\themesettings2013.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.879] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VdiState.xml", cAlternateFileName="")) returned 1 [0082.879] lstrcmpiW (lpString1="VdiState.xml", lpString2="Windows") returned -1 [0082.879] lstrcmpiW (lpString1="VdiState.xml", lpString2="$Recycle.bin") returned 1 [0082.879] lstrcmpiW (lpString1="VdiState.xml", lpString2="System Volume Information") returned 1 [0082.879] lstrcmpiW (lpString1="VdiState.xml", lpString2="Program Files") returned 1 [0082.879] lstrcmpiW (lpString1="VdiState.xml", lpString2="Program Files (x86)") returned 1 [0082.879] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml") returned 64 [0082.879] StrStrIW (lpFirst="VdiState.xml", lpSrch=".ebal") returned 0x0 [0082.879] lstrcmpW (lpString1="VdiState.xml", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.880] lstrcmpW (lpString1="VdiState.xml", lpString2="taridd") returned 1 [0082.880] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\VdiState.xml" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\vdistate.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.880] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x37c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VdiState.xml", cAlternateFileName="")) returned 0 [0082.880] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0082.880] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0082.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\InboxTemplates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\uev\\inboxtemplates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.881] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.882] CloseHandle (hObject=0x438) returned 1 [0082.882] GetProcessHeap () returned 0x3a00000 [0082.882] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.882] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Scripts", cAlternateFileName="")) returned 1 [0082.882] lstrcmpiW (lpString1="Scripts", lpString2="Windows") returned -1 [0082.882] lstrcmpiW (lpString1="Scripts", lpString2="$Recycle.bin") returned 1 [0082.882] lstrcmpiW (lpString1="Scripts", lpString2="System Volume Information") returned -1 [0082.882] lstrcmpiW (lpString1="Scripts", lpString2="Program Files") returned 1 [0082.882] lstrcmpiW (lpString1="Scripts", lpString2="Program Files (x86)") returned 1 [0082.882] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts") returned 44 [0082.882] lstrcmpW (lpString1="Scripts", lpString2=".") returned 1 [0082.882] lstrcmpW (lpString1="Scripts", lpString2="..") returned 1 [0082.882] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.882] GetProcessHeap () returned 0x3a00000 [0082.883] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.883] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\*") returned 46 [0082.883] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0082.883] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.883] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.883] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.883] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.883] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.883] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\.") returned 46 [0082.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.883] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe469068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.883] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.883] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.883] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.883] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.883] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.883] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\..") returned 47 [0082.883] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.883] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.883] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7e8d17a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7e8d17a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7e8d17a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.883] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.883] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.883] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.883] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.883] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.883] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.884] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.884] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.884] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RegisterInboxTemplates.ps1", cAlternateFileName="")) returned 1 [0082.884] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Windows") returned -1 [0082.884] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="$Recycle.bin") returned 1 [0082.884] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="System Volume Information") returned -1 [0082.884] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Program Files") returned 1 [0082.884] lstrcmpiW (lpString1="RegisterInboxTemplates.ps1", lpString2="Program Files (x86)") returned 1 [0082.884] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1") returned 71 [0082.884] StrStrIW (lpFirst="RegisterInboxTemplates.ps1", lpSrch=".ebal") returned 0x0 [0082.884] lstrcmpW (lpString1="RegisterInboxTemplates.ps1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.884] lstrcmpW (lpString1="RegisterInboxTemplates.ps1", lpString2="taridd") returned -1 [0082.884] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\RegisterInboxTemplates.ps1" (normalized: "c:\\users\\all users\\microsoft\\uev\\scripts\\registerinboxtemplates.ps1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.884] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x79a75c14, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x79a75c14, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x147, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RegisterInboxTemplates.ps1", cAlternateFileName="")) returned 0 [0082.884] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0082.884] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0082.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Scripts\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\uev\\scripts\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.885] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.886] CloseHandle (hObject=0x438) returned 1 [0082.886] GetProcessHeap () returned 0x3a00000 [0082.886] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.886] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0082.886] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0082.886] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0082.886] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0082.886] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0082.886] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0082.886] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates") returned 46 [0082.886] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0082.886] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0082.886] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.886] GetProcessHeap () returned 0x3a00000 [0082.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.886] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\*") returned 48 [0082.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0082.887] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.887] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.887] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.887] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.887] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.887] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\.") returned 48 [0082.887] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.887] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.887] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.887] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.887] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.887] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.887] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.887] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\..") returned 49 [0082.887] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.887] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.887] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7eb3443, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7eb3443, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7eb3443, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.887] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.887] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0082.887] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.887] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.887] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a75c14, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf841903, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf841903, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x25ec, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate.xsd", cAlternateFileName="")) returned 1 [0082.887] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Windows") returned -1 [0082.887] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="$Recycle.bin") returned 1 [0082.887] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="System Volume Information") returned -1 [0082.887] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Program Files") returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate.xsd", lpString2="Program Files (x86)") returned 1 [0082.888] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd") returned 75 [0082.888] StrStrIW (lpFirst="SettingsLocationTemplate.xsd", lpSrch=".ebal") returned 0x0 [0082.888] lstrcmpW (lpString1="SettingsLocationTemplate.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.888] lstrcmpW (lpString1="SettingsLocationTemplate.xsd", lpString2="taridd") returned -1 [0082.888] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate.xsd" (normalized: "c:\\users\\all users\\microsoft\\uev\\templates\\settingslocationtemplate.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.888] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x2c20, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013.xsd", cAlternateFileName="")) returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Windows") returned -1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="$Recycle.bin") returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="System Volume Information") returned -1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Program Files") returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="Program Files (x86)") returned 1 [0082.888] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd") returned 79 [0082.888] StrStrIW (lpFirst="SettingsLocationTemplate2013.xsd", lpSrch=".ebal") returned 0x0 [0082.888] lstrcmpW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.888] lstrcmpW (lpString1="SettingsLocationTemplate2013.xsd", lpString2="taridd") returned -1 [0082.888] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.888] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013.xsd" (normalized: "c:\\users\\all users\\microsoft\\uev\\templates\\settingslocationtemplate2013.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.888] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3724, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013A.xsd", cAlternateFileName="")) returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Windows") returned -1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="$Recycle.bin") returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="System Volume Information") returned -1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Program Files") returned 1 [0082.888] lstrcmpiW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="Program Files (x86)") returned 1 [0082.888] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd") returned 80 [0082.888] StrStrIW (lpFirst="SettingsLocationTemplate2013A.xsd", lpSrch=".ebal") returned 0x0 [0082.889] lstrcmpW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.889] lstrcmpW (lpString1="SettingsLocationTemplate2013A.xsd", lpString2="taridd") returned -1 [0082.889] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\SettingsLocationTemplate2013A.xsd" (normalized: "c:\\users\\all users\\microsoft\\uev\\templates\\settingslocationtemplate2013a.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.889] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a9be83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xdf867b6e, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xdf867b6e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x3724, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SettingsLocationTemplate2013A.xsd", cAlternateFileName="")) returned 0 [0082.889] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0082.889] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0082.889] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\Templates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\uev\\templates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.890] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.891] CloseHandle (hObject=0x438) returned 1 [0082.891] GetProcessHeap () returned 0x3a00000 [0082.891] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.891] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xbe46954b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe827d9f8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 0 [0082.891] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.891] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.891] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\UEV\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\uev\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.892] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.893] CloseHandle (hObject=0x434) returned 1 [0082.893] GetProcessHeap () returned 0x3a00000 [0082.893] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.893] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7f4be7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="User Account Pictures", cAlternateFileName="USERAC~1")) returned 1 [0082.893] lstrcmpiW (lpString1="User Account Pictures", lpString2="Windows") returned -1 [0082.893] lstrcmpiW (lpString1="User Account Pictures", lpString2="$Recycle.bin") returned 1 [0082.893] lstrcmpiW (lpString1="User Account Pictures", lpString2="System Volume Information") returned 1 [0082.893] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files") returned 1 [0082.893] lstrcmpiW (lpString1="User Account Pictures", lpString2="Program Files (x86)") returned 1 [0082.893] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures") returned 54 [0082.893] lstrcmpW (lpString1="User Account Pictures", lpString2=".") returned 1 [0082.893] lstrcmpW (lpString1="User Account Pictures", lpString2="..") returned 1 [0082.893] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.893] GetProcessHeap () returned 0x3a00000 [0082.893] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.893] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*") returned 56 [0082.893] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7f4be7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0082.893] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.893] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.893] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.893] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.893] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.893] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\.") returned 56 [0082.893] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.893] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf7f4be7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.894] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.894] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.894] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.894] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.894] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.894] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\..") returned 57 [0082.894] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.894] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.894] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7f4be7f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7f4be7f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.894] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.894] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.894] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.894] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.894] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.894] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0082.894] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.894] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.894] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4ecc15f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa4ecc15f, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf7ed95f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x93454, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Default User.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="DEFAUL~1.EBA")) returned 1 [0082.894] lstrcmpiW (lpString1="Default User.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.894] lstrcmpiW (lpString1="Default User.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.894] lstrcmpiW (lpString1="Default User.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.894] lstrcmpiW (lpString1="Default User.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.894] lstrcmpiW (lpString1="Default User.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.894] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\Default User.dat_r00t_{8ew5f6}.ebal") returned 90 [0082.894] StrStrIW (lpFirst="Default User.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.894] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37896d36, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37896d36, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf7ed95f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="FD1HVy.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.894] lstrcmpiW (lpString1="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.894] lstrcmpiW (lpString1="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.894] lstrcmpiW (lpString1="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.894] lstrcmpiW (lpString1="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.894] lstrcmpiW (lpString1="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.894] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\FD1HVy.dat_r00t_{8ew5f6}.ebal") returned 84 [0082.895] StrStrIW (lpFirst="FD1HVy.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.895] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7ed95f2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x933bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="guest.bmp_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.895] lstrcmpiW (lpString1="guest.bmp_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.895] lstrcmpiW (lpString1="guest.bmp_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.895] lstrcmpiW (lpString1="guest.bmp_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.895] lstrcmpiW (lpString1="guest.bmp_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.895] lstrcmpiW (lpString1="guest.bmp_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.895] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.bmp_r00t_{8ew5f6}.ebal") returned 83 [0082.895] StrStrIW (lpFirst="guest.bmp_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.895] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7eff88e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x189c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="guest.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.895] lstrcmpiW (lpString1="guest.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.895] lstrcmpiW (lpString1="guest.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.895] lstrcmpiW (lpString1="guest.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.895] lstrcmpiW (lpString1="guest.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.895] lstrcmpiW (lpString1="guest.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.895] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\guest.png_r00t_{8ew5f6}.ebal") returned 83 [0082.895] StrStrIW (lpFirst="guest.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.895] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7eff88e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xceb, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-192.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.895] lstrcmpiW (lpString1="user-192.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.895] lstrcmpiW (lpString1="user-192.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.895] lstrcmpiW (lpString1="user-192.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.895] lstrcmpiW (lpString1="user-192.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.895] lstrcmpiW (lpString1="user-192.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.895] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-192.png_r00t_{8ew5f6}.ebal") returned 86 [0082.895] StrStrIW (lpFirst="user-192.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.895] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f25b1a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x523, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-32.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.895] lstrcmpiW (lpString1="user-32.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.895] lstrcmpiW (lpString1="user-32.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.895] lstrcmpiW (lpString1="user-32.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.895] lstrcmpiW (lpString1="user-32.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.895] lstrcmpiW (lpString1="user-32.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.895] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-32.png_r00t_{8ew5f6}.ebal") returned 85 [0082.896] StrStrIW (lpFirst="user-32.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.896] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f25b1a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x535, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-40.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.896] lstrcmpiW (lpString1="user-40.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.896] lstrcmpiW (lpString1="user-40.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.896] lstrcmpiW (lpString1="user-40.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.896] lstrcmpiW (lpString1="user-40.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.896] lstrcmpiW (lpString1="user-40.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.896] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-40.png_r00t_{8ew5f6}.ebal") returned 85 [0082.896] StrStrIW (lpFirst="user-40.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.896] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f25b1a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x579, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user-48.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.896] lstrcmpiW (lpString1="user-48.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.896] lstrcmpiW (lpString1="user-48.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.896] lstrcmpiW (lpString1="user-48.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.896] lstrcmpiW (lpString1="user-48.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.896] lstrcmpiW (lpString1="user-48.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.896] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user-48.png_r00t_{8ew5f6}.ebal") returned 85 [0082.896] StrStrIW (lpFirst="user-48.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.896] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x933bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.bmp_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.896] lstrcmpiW (lpString1="user.bmp_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.896] lstrcmpiW (lpString1="user.bmp_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.896] lstrcmpiW (lpString1="user.bmp_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.896] lstrcmpiW (lpString1="user.bmp_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.896] lstrcmpiW (lpString1="user.bmp_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.896] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.bmp_r00t_{8ew5f6}.ebal") returned 82 [0082.896] StrStrIW (lpFirst="user.bmp_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.896] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x189c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0082.896] lstrcmpiW (lpString1="user.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.896] lstrcmpiW (lpString1="user.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.896] lstrcmpiW (lpString1="user.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0082.896] lstrcmpiW (lpString1="user.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0082.896] lstrcmpiW (lpString1="user.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0082.896] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\user.png_r00t_{8ew5f6}.ebal") returned 82 [0082.897] StrStrIW (lpFirst="user.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.897] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a8d7b2a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5ed1465, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf7f4be7f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x189c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="user.png_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0082.897] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0082.897] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0082.897] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\User Account Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\user account pictures\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.898] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.898] CloseHandle (hObject=0x434) returned 1 [0082.898] GetProcessHeap () returned 0x3a00000 [0082.898] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.898] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x448126f7, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Vault", cAlternateFileName="")) returned 1 [0082.899] lstrcmpiW (lpString1="Vault", lpString2="Windows") returned -1 [0082.899] lstrcmpiW (lpString1="Vault", lpString2="$Recycle.bin") returned 1 [0082.899] lstrcmpiW (lpString1="Vault", lpString2="System Volume Information") returned 1 [0082.899] lstrcmpiW (lpString1="Vault", lpString2="Program Files") returned 1 [0082.899] lstrcmpiW (lpString1="Vault", lpString2="Program Files (x86)") returned 1 [0082.899] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault") returned 38 [0082.899] lstrcmpW (lpString1="Vault", lpString2=".") returned 1 [0082.899] lstrcmpW (lpString1="Vault", lpString2="..") returned 1 [0082.899] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.899] GetProcessHeap () returned 0x3a00000 [0082.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.899] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*") returned 40 [0082.899] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0082.899] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.899] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.899] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.899] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.899] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.899] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\.") returned 40 [0082.899] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.899] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2c3a2, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbe4bcf6d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.899] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.899] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.899] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.899] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.899] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.899] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\..") returned 41 [0082.900] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.900] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.900] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7fe468a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.900] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.900] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.900] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.900] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.900] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.900] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 70 [0082.900] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.900] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.900] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 1 [0082.900] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Windows") returned -1 [0082.900] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="$Recycle.bin") returned 1 [0082.900] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="System Volume Information") returned -1 [0082.900] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Program Files") returned -1 [0082.900] lstrcmpiW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="Program Files (x86)") returned -1 [0082.900] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204") returned 75 [0082.900] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2=".") returned 1 [0082.900] lstrcmpW (lpString1="AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="..") returned 1 [0082.900] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.900] GetProcessHeap () returned 0x3a00000 [0082.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.900] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*") returned 77 [0082.900] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0082.900] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.900] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.900] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.900] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.900] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.901] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\.") returned 77 [0082.901] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.901] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.901] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.901] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.901] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.901] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.901] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.901] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\..") returned 78 [0082.901] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.901] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.901] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf7fe468a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.901] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.901] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.901] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.901] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.901] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.901] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.901] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.901] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.901] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7fbfc79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", cAlternateFileName="154E23~1.EBA")) returned 1 [0082.901] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.901] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.901] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.901] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.901] lstrcmpiW (lpString1="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.901] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal") returned 136 [0082.901] StrStrIW (lpFirst="154E23D0-C644-4E6F-8CE6-5069272F999F.vsch_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.901] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7fbfc79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3f2, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", cAlternateFileName="2F1A65~1.EBA")) returned 1 [0082.902] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.902] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.902] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.902] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.902] lstrcmpiW (lpString1="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.902] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal") returned 136 [0082.902] StrStrIW (lpFirst="2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.902] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc041220b, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc041220b, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7fbfc79, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x48a, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", cAlternateFileName="3CCD54~1.EBA")) returned 1 [0082.902] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.902] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.902] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.902] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.902] lstrcmpiW (lpString1="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.902] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal") returned 136 [0082.902] StrStrIW (lpFirst="3CCD5499-87A8-4B10-A215-608888DD3B55.vsch_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.902] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc02e0f2e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc02e0f2e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Policy.vpol_r00t_{8ew5f6}.ebal", cAlternateFileName="POLICY~1.EBA")) returned 1 [0082.902] lstrcmpiW (lpString1="Policy.vpol_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.902] lstrcmpiW (lpString1="Policy.vpol_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.902] lstrcmpiW (lpString1="Policy.vpol_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.902] lstrcmpiW (lpString1="Policy.vpol_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.902] lstrcmpiW (lpString1="Policy.vpol_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.902] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\Policy.vpol_r00t_{8ew5f6}.ebal") returned 106 [0082.902] StrStrIW (lpFirst="Policy.vpol_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.902] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc02e0f2e, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc02e0f2e, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Policy.vpol_r00t_{8ew5f6}.ebal", cAlternateFileName="POLICY~1.EBA")) returned 0 [0082.902] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0082.902] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.902] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\AC658CB4-9126-49BD-B877-31EEDAB3F204\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\vault\\ac658cb4-9126-49bd-b877-31eedab3f204\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.903] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.904] CloseHandle (hObject=0x438) returned 1 [0082.904] GetProcessHeap () returned 0x3a00000 [0082.904] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.904] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x448126f7, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf7fe468a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf7fe468a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AC658CB4-9126-49BD-B877-31EEDAB3F204", cAlternateFileName="AC658C~1")) returned 0 [0082.904] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0082.904] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 70 [0082.904] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Vault\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\vault\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.905] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.906] CloseHandle (hObject=0x434) returned 1 [0082.906] GetProcessHeap () returned 0x3a00000 [0082.906] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.906] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17cbb4ff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WDF", cAlternateFileName="")) returned 1 [0082.906] lstrcmpiW (lpString1="WDF", lpString2="Windows") returned -1 [0082.907] lstrcmpiW (lpString1="WDF", lpString2="$Recycle.bin") returned 1 [0082.907] lstrcmpiW (lpString1="WDF", lpString2="System Volume Information") returned 1 [0082.907] lstrcmpiW (lpString1="WDF", lpString2="Program Files") returned 1 [0082.907] lstrcmpiW (lpString1="WDF", lpString2="Program Files (x86)") returned 1 [0082.907] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF") returned 36 [0082.907] lstrcmpW (lpString1="WDF", lpString2=".") returned 1 [0082.907] lstrcmpW (lpString1="WDF", lpString2="..") returned 1 [0082.907] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.907] GetProcessHeap () returned 0x3a00000 [0082.907] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.907] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*") returned 38 [0082.907] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0082.907] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.907] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.907] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.907] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.907] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.907] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\.") returned 38 [0082.907] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.907] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbe4be180, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.907] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.907] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.907] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.907] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.907] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.907] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\..") returned 39 [0082.907] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.907] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.908] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.908] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.908] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.908] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.908] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.908] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.908] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.908] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.908] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.908] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.908] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0082.908] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0082.908] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WDF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\wdf\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0082.909] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.910] CloseHandle (hObject=0x434) returned 1 [0082.910] GetProcessHeap () returned 0x3a00000 [0082.910] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0082.910] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17cbb4ff, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xedcf5f61, ftLastAccessTime.dwHighDateTime=0x1d336d9, ftLastWriteTime.dwLowDateTime=0xedcf5f61, ftLastWriteTime.dwHighDateTime=0x1d336d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0082.910] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0082.910] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb320aac5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Defender", cAlternateFileName="WINDOW~1")) returned 1 [0082.910] lstrcmpiW (lpString1="Windows Defender", lpString2="Windows") returned 1 [0082.910] lstrcmpiW (lpString1="Windows Defender", lpString2="$Recycle.bin") returned 1 [0082.910] lstrcmpiW (lpString1="Windows Defender", lpString2="System Volume Information") returned 1 [0082.910] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files") returned 1 [0082.910] lstrcmpiW (lpString1="Windows Defender", lpString2="Program Files (x86)") returned 1 [0082.910] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender") returned 49 [0082.910] lstrcmpW (lpString1="Windows Defender", lpString2=".") returned 1 [0082.910] lstrcmpW (lpString1="Windows Defender", lpString2="..") returned 1 [0082.910] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.910] GetProcessHeap () returned 0x3a00000 [0082.910] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0082.910] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*") returned 51 [0082.910] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0082.910] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.910] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.910] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.910] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.910] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.910] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\.") returned 51 [0082.910] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.910] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17ce1766, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc25d4e74, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.911] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.911] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.911] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.911] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.911] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.911] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\..") returned 52 [0082.911] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.911] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.911] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.911] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.911] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.911] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.911] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.911] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.911] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0082.911] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.911] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.911] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Clean Store", cAlternateFileName="CLEANS~1")) returned 1 [0082.911] lstrcmpiW (lpString1="Clean Store", lpString2="Windows") returned -1 [0082.911] lstrcmpiW (lpString1="Clean Store", lpString2="$Recycle.bin") returned 1 [0082.911] lstrcmpiW (lpString1="Clean Store", lpString2="System Volume Information") returned -1 [0082.911] lstrcmpiW (lpString1="Clean Store", lpString2="Program Files") returned -1 [0082.911] lstrcmpiW (lpString1="Clean Store", lpString2="Program Files (x86)") returned -1 [0082.911] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store") returned 61 [0082.911] lstrcmpW (lpString1="Clean Store", lpString2=".") returned 1 [0082.911] lstrcmpW (lpString1="Clean Store", lpString2="..") returned 1 [0082.911] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.911] GetProcessHeap () returned 0x3a00000 [0082.911] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.911] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*") returned 63 [0082.911] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0082.912] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.912] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.912] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.912] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.912] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.912] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\.") returned 63 [0082.912] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.912] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d5968, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.912] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.912] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.912] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.912] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.912] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.912] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\..") returned 64 [0082.912] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.912] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.912] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.912] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.912] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.912] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.912] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.912] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.912] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.912] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.912] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.912] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.912] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0082.913] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0082.913] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Clean Store\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\clean store\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.913] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.914] CloseHandle (hObject=0x438) returned 1 [0082.914] GetProcessHeap () returned 0x3a00000 [0082.914] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.914] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2ba2529, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Definition Updates", cAlternateFileName="DEFINI~1")) returned 1 [0082.914] lstrcmpiW (lpString1="Definition Updates", lpString2="Windows") returned -1 [0082.914] lstrcmpiW (lpString1="Definition Updates", lpString2="$Recycle.bin") returned 1 [0082.914] lstrcmpiW (lpString1="Definition Updates", lpString2="System Volume Information") returned -1 [0082.915] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files") returned -1 [0082.915] lstrcmpiW (lpString1="Definition Updates", lpString2="Program Files (x86)") returned -1 [0082.915] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates") returned 68 [0082.915] lstrcmpW (lpString1="Definition Updates", lpString2=".") returned 1 [0082.915] lstrcmpW (lpString1="Definition Updates", lpString2="..") returned 1 [0082.915] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.915] GetProcessHeap () returned 0x3a00000 [0082.915] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.915] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*") returned 70 [0082.915] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf80a3274, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0082.915] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.915] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.915] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.915] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.915] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.915] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\.") returned 70 [0082.915] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.915] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb2ba2529, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf80a3274, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.915] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.915] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.915] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.915] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.915] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.915] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\..") returned 71 [0082.915] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.915] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.915] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80a3274, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80a3274, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80a3274, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.915] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.916] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.916] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.916] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.916] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.916] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0082.916] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.916] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.916] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Backup", cAlternateFileName="")) returned 1 [0082.916] lstrcmpiW (lpString1="Backup", lpString2="Windows") returned -1 [0082.916] lstrcmpiW (lpString1="Backup", lpString2="$Recycle.bin") returned 1 [0082.916] lstrcmpiW (lpString1="Backup", lpString2="System Volume Information") returned -1 [0082.916] lstrcmpiW (lpString1="Backup", lpString2="Program Files") returned -1 [0082.916] lstrcmpiW (lpString1="Backup", lpString2="Program Files (x86)") returned -1 [0082.916] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup") returned 75 [0082.916] lstrcmpW (lpString1="Backup", lpString2=".") returned 1 [0082.916] lstrcmpW (lpString1="Backup", lpString2="..") returned 1 [0082.916] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.916] GetProcessHeap () returned 0x3a00000 [0082.916] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.916] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*") returned 77 [0082.916] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.916] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.916] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.916] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.916] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.916] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.916] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\.") returned 77 [0082.916] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.916] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc25d6ec5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8030c32, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.917] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.917] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.917] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.917] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.917] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.917] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\..") returned 78 [0082.917] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.917] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.917] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8056e9d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.917] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.917] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.917] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.917] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.917] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.917] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.917] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.917] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.917] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8030c32, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8030c32, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8056e9d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.917] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.917] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Backup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\backup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.918] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.919] CloseHandle (hObject=0x43c) returned 1 [0082.919] GetProcessHeap () returned 0x3a00000 [0082.919] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.919] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Default", cAlternateFileName="")) returned 1 [0082.919] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0082.919] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0082.919] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0082.919] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0082.919] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0082.919] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default") returned 76 [0082.919] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0082.919] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0082.919] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.919] GetProcessHeap () returned 0x3a00000 [0082.919] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.919] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*") returned 78 [0082.919] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0082.920] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.920] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.920] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.920] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.920] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.920] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\.") returned 78 [0082.920] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.920] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26252c7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.920] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.920] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.920] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.920] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.920] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.920] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\..") returned 79 [0082.920] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.920] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.920] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf807cfad, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf807cfad, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.920] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.920] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.920] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.920] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.920] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.920] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.920] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.920] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.920] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x11d0d0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="GapaEngine.dll", cAlternateFileName="")) returned 1 [0082.920] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Windows") returned -1 [0082.920] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="$Recycle.bin") returned 1 [0082.921] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="System Volume Information") returned -1 [0082.933] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Program Files") returned -1 [0082.933] lstrcmpiW (lpString1="GapaEngine.dll", lpString2="Program Files (x86)") returned -1 [0082.933] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll") returned 91 [0082.933] StrStrIW (lpFirst="GapaEngine.dll", lpSrch=".ebal") returned 0x0 [0082.933] lstrcmpW (lpString1="GapaEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.933] lstrcmpW (lpString1="GapaEngine.dll", lpString2="taridd") returned -1 [0082.933] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.933] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\GapaEngine.dll" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\gapaengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.933] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26b66370, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x22f6710, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAsBase.vdm", cAlternateFileName="")) returned 1 [0082.933] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Windows") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="$Recycle.bin") returned 1 [0082.934] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="System Volume Information") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Program Files") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsBase.vdm", lpString2="Program Files (x86)") returned -1 [0082.934] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm") returned 89 [0082.934] StrStrIW (lpFirst="MpAsBase.vdm", lpSrch=".ebal") returned 0x0 [0082.934] lstrcmpW (lpString1="MpAsBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.934] lstrcmpW (lpString1="MpAsBase.vdm", lpString2="taridd") returned -1 [0082.934] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsBase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpasbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.934] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26af3c42, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8f10, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAsDlta.vdm", cAlternateFileName="")) returned 1 [0082.934] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Windows") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="$Recycle.bin") returned 1 [0082.934] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="System Volume Information") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Program Files") returned -1 [0082.934] lstrcmpiW (lpString1="MpAsDlta.vdm", lpString2="Program Files (x86)") returned -1 [0082.934] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm") returned 89 [0082.934] StrStrIW (lpFirst="MpAsDlta.vdm", lpSrch=".ebal") returned 0x0 [0082.934] lstrcmpW (lpString1="MpAsDlta.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.934] lstrcmpW (lpString1="MpAsDlta.vdm", lpString2="taridd") returned -1 [0082.934] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAsDlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpasdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.934] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b66370, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26b66370, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x563cd10, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAvBase.vdm", cAlternateFileName="")) returned 1 [0082.934] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Windows") returned -1 [0082.934] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="$Recycle.bin") returned 1 [0082.934] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="System Volume Information") returned -1 [0082.935] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Program Files") returned -1 [0082.935] lstrcmpiW (lpString1="MpAvBase.vdm", lpString2="Program Files (x86)") returned -1 [0082.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm") returned 89 [0082.935] StrStrIW (lpFirst="MpAvBase.vdm", lpSrch=".ebal") returned 0x0 [0082.935] lstrcmpW (lpString1="MpAvBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.935] lstrcmpW (lpString1="MpAvBase.vdm", lpString2="taridd") returned -1 [0082.935] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvBase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpavbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.935] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26af3c42, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26af3c42, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26af3c42, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x15910, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpAvDlta.vdm", cAlternateFileName="")) returned 1 [0082.935] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Windows") returned -1 [0082.935] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="$Recycle.bin") returned 1 [0082.935] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="System Volume Information") returned -1 [0082.935] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Program Files") returned -1 [0082.935] lstrcmpiW (lpString1="MpAvDlta.vdm", lpString2="Program Files (x86)") returned -1 [0082.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm") returned 89 [0082.935] StrStrIW (lpFirst="MpAvDlta.vdm", lpSrch=".ebal") returned 0x0 [0082.935] lstrcmpW (lpString1="MpAvDlta.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.935] lstrcmpW (lpString1="MpAvDlta.vdm", lpString2="taridd") returned -1 [0082.935] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.935] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpAvDlta.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpavdlta.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.935] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c4b1e3, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc11740, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MpEngine.dll", cAlternateFileName="")) returned 1 [0082.935] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Windows") returned -1 [0082.935] lstrcmpiW (lpString1="MpEngine.dll", lpString2="$Recycle.bin") returned 1 [0082.935] lstrcmpiW (lpString1="MpEngine.dll", lpString2="System Volume Information") returned -1 [0082.935] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Program Files") returned -1 [0082.935] lstrcmpiW (lpString1="MpEngine.dll", lpString2="Program Files (x86)") returned -1 [0082.935] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll") returned 89 [0082.936] StrStrIW (lpFirst="MpEngine.dll", lpSrch=".ebal") returned 0x0 [0082.936] lstrcmpW (lpString1="MpEngine.dll", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.936] lstrcmpW (lpString1="MpEngine.dll", lpString2="taridd") returned -1 [0082.936] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\MpEngine.dll" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\mpengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.936] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e318, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisBase.vdm", cAlternateFileName="")) returned 1 [0082.936] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Windows") returned -1 [0082.936] lstrcmpiW (lpString1="NisBase.vdm", lpString2="$Recycle.bin") returned 1 [0082.936] lstrcmpiW (lpString1="NisBase.vdm", lpString2="System Volume Information") returned -1 [0082.936] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Program Files") returned -1 [0082.936] lstrcmpiW (lpString1="NisBase.vdm", lpString2="Program Files (x86)") returned -1 [0082.936] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm") returned 88 [0082.936] StrStrIW (lpFirst="NisBase.vdm", lpSrch=".ebal") returned 0x0 [0082.936] lstrcmpW (lpString1="NisBase.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.936] lstrcmpW (lpString1="NisBase.vdm", lpString2="taridd") returned -1 [0082.936] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.936] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisBase.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\nisbase.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.936] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e718, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisFull.vdm", cAlternateFileName="")) returned 1 [0082.936] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Windows") returned -1 [0082.936] lstrcmpiW (lpString1="NisFull.vdm", lpString2="$Recycle.bin") returned 1 [0082.936] lstrcmpiW (lpString1="NisFull.vdm", lpString2="System Volume Information") returned -1 [0082.936] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Program Files") returned -1 [0082.936] lstrcmpiW (lpString1="NisFull.vdm", lpString2="Program Files (x86)") returned -1 [0082.936] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm") returned 88 [0082.937] StrStrIW (lpFirst="NisFull.vdm", lpSrch=".ebal") returned 0x0 [0082.937] lstrcmpW (lpString1="NisFull.vdm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0082.937] lstrcmpW (lpString1="NisFull.vdm", lpString2="taridd") returned -1 [0082.937] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0082.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\NisFull.vdm" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\nisfull.vdm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0082.937] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c24f7c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x26c24f7c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x26c24f7c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e718, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisFull.vdm", cAlternateFileName="")) returned 0 [0082.937] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0082.937] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.937] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\default\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.938] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.939] CloseHandle (hObject=0x43c) returned 1 [0082.940] GetProcessHeap () returned 0x3a00000 [0082.940] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.940] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisBackup", cAlternateFileName="NISBAC~1")) returned 1 [0082.940] lstrcmpiW (lpString1="NisBackup", lpString2="Windows") returned -1 [0082.940] lstrcmpiW (lpString1="NisBackup", lpString2="$Recycle.bin") returned 1 [0082.940] lstrcmpiW (lpString1="NisBackup", lpString2="System Volume Information") returned -1 [0082.940] lstrcmpiW (lpString1="NisBackup", lpString2="Program Files") returned -1 [0082.941] lstrcmpiW (lpString1="NisBackup", lpString2="Program Files (x86)") returned -1 [0082.941] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup") returned 78 [0082.941] lstrcmpW (lpString1="NisBackup", lpString2=".") returned 1 [0082.941] lstrcmpW (lpString1="NisBackup", lpString2="..") returned 1 [0082.941] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.941] GetProcessHeap () returned 0x3a00000 [0082.941] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.941] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*") returned 80 [0082.941] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0082.941] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.941] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.941] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.941] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.941] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.941] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\.") returned 80 [0082.941] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.941] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.941] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.941] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.941] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.941] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.941] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.941] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\..") returned 81 [0082.941] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.941] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.941] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf807cfad, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf807cfad, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.941] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.941] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.942] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.942] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.942] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.942] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 110 [0082.942] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.942] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.942] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf807cfad, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf807cfad, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.942] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0082.942] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 110 [0082.942] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\NisBackup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\nisbackup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.943] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.943] CloseHandle (hObject=0x43c) returned 1 [0082.947] GetProcessHeap () returned 0x3a00000 [0082.947] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.947] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Updates", cAlternateFileName="")) returned 1 [0082.947] lstrcmpiW (lpString1="Updates", lpString2="Windows") returned -1 [0082.947] lstrcmpiW (lpString1="Updates", lpString2="$Recycle.bin") returned 1 [0082.947] lstrcmpiW (lpString1="Updates", lpString2="System Volume Information") returned 1 [0082.947] lstrcmpiW (lpString1="Updates", lpString2="Program Files") returned 1 [0082.947] lstrcmpiW (lpString1="Updates", lpString2="Program Files (x86)") returned 1 [0082.947] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates") returned 76 [0082.947] lstrcmpW (lpString1="Updates", lpString2=".") returned 1 [0082.948] lstrcmpW (lpString1="Updates", lpString2="..") returned 1 [0082.948] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.948] GetProcessHeap () returned 0x3a00000 [0082.948] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.948] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*") returned 78 [0082.948] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0082.948] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.948] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.948] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.948] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.948] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.948] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\.") returned 78 [0082.948] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.948] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf807cfad, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.948] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.948] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.948] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.948] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.948] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.948] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\..") returned 79 [0082.948] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.948] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.948] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf807cfad, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf807cfad, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80a3274, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.948] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.948] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.948] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.948] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.948] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.948] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.949] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.949] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.949] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf807cfad, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf807cfad, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80a3274, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.949] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0082.949] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0082.949] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\Updates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\updates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.950] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.950] CloseHandle (hObject=0x43c) returned 1 [0082.950] GetProcessHeap () returned 0x3a00000 [0082.950] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.950] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2626eab, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Updates", cAlternateFileName="")) returned 0 [0082.951] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0082.951] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0082.951] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Definition Updates\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\definition updates\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.951] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.953] CloseHandle (hObject=0x438) returned 1 [0082.953] GetProcessHeap () returned 0x3a00000 [0082.953] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.953] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Features", cAlternateFileName="")) returned 1 [0082.953] lstrcmpiW (lpString1="Features", lpString2="Windows") returned -1 [0082.953] lstrcmpiW (lpString1="Features", lpString2="$Recycle.bin") returned 1 [0082.953] lstrcmpiW (lpString1="Features", lpString2="System Volume Information") returned -1 [0082.953] lstrcmpiW (lpString1="Features", lpString2="Program Files") returned -1 [0082.953] lstrcmpiW (lpString1="Features", lpString2="Program Files (x86)") returned -1 [0082.953] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features") returned 58 [0082.953] lstrcmpW (lpString1="Features", lpString2=".") returned 1 [0082.953] lstrcmpW (lpString1="Features", lpString2="..") returned 1 [0082.953] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.953] GetProcessHeap () returned 0x3a00000 [0082.953] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.953] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*") returned 60 [0082.953] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf80c977d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0082.953] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.953] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.953] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.953] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.953] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.953] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\.") returned 60 [0082.954] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.954] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc26279a1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf80c977d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.954] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.954] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.954] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.954] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.954] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.954] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\..") returned 61 [0082.954] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.954] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.954] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80c977d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80c977d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.954] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.954] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.954] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.954] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.954] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.954] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.954] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.954] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.954] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80c977d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80c977d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.954] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0082.954] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.954] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Features\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\features\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.955] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.956] CloseHandle (hObject=0x438) returned 1 [0082.956] GetProcessHeap () returned 0x3a00000 [0082.956] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.956] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd525f5, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="LocalCopy", cAlternateFileName="LOCALC~1")) returned 1 [0082.956] lstrcmpiW (lpString1="LocalCopy", lpString2="Windows") returned -1 [0082.956] lstrcmpiW (lpString1="LocalCopy", lpString2="$Recycle.bin") returned 1 [0082.956] lstrcmpiW (lpString1="LocalCopy", lpString2="System Volume Information") returned -1 [0082.956] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files") returned -1 [0082.956] lstrcmpiW (lpString1="LocalCopy", lpString2="Program Files (x86)") returned -1 [0082.956] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy") returned 59 [0082.956] lstrcmpW (lpString1="LocalCopy", lpString2=".") returned 1 [0082.956] lstrcmpW (lpString1="LocalCopy", lpString2="..") returned 1 [0082.956] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.956] GetProcessHeap () returned 0x3a00000 [0082.956] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.956] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*") returned 61 [0082.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0082.957] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.957] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.957] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.957] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.957] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.957] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\.") returned 61 [0082.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.957] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc26281f9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.957] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.957] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.957] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.957] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.957] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\..") returned 62 [0082.957] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.957] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80ef9cf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.957] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.957] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.957] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.957] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.957] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.957] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.957] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.957] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.957] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80ef9cf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.958] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0082.958] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0082.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\LocalCopy\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\localcopy\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.959] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.959] CloseHandle (hObject=0x438) returned 1 [0082.959] GetProcessHeap () returned 0x3a00000 [0082.959] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.960] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2bc876c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network Inspection System", cAlternateFileName="NETWOR~1")) returned 1 [0082.960] lstrcmpiW (lpString1="Network Inspection System", lpString2="Windows") returned -1 [0082.960] lstrcmpiW (lpString1="Network Inspection System", lpString2="$Recycle.bin") returned 1 [0082.960] lstrcmpiW (lpString1="Network Inspection System", lpString2="System Volume Information") returned -1 [0082.960] lstrcmpiW (lpString1="Network Inspection System", lpString2="Program Files") returned -1 [0082.960] lstrcmpiW (lpString1="Network Inspection System", lpString2="Program Files (x86)") returned -1 [0082.960] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System") returned 75 [0082.960] lstrcmpW (lpString1="Network Inspection System", lpString2=".") returned 1 [0082.960] lstrcmpW (lpString1="Network Inspection System", lpString2="..") returned 1 [0082.960] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.960] GetProcessHeap () returned 0x3a00000 [0082.960] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*") returned 77 [0082.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0082.960] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.960] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.960] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.960] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.960] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\.") returned 77 [0082.960] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.960] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2628aa5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.960] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.960] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.960] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.960] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.960] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.960] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\..") returned 78 [0082.960] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.961] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.961] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.961] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.961] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.961] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.961] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.961] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.961] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.961] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.961] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.961] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 1 [0082.961] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0082.961] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0082.961] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0082.961] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0082.961] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0082.961] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support") returned 83 [0082.961] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0082.961] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0082.961] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.961] GetProcessHeap () returned 0x3a00000 [0082.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.961] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*") returned 85 [0082.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0082.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.961] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\.") returned 85 [0082.962] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.962] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.962] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\..") returned 86 [0082.962] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.962] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.962] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf80ef9cf, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.962] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.962] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.962] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.962] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.962] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.962] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0082.962] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.962] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.962] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366fbd4a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisLog.txt_r00t_{8ew5f6}.ebal", cAlternateFileName="NISLOG~1.EBA")) returned 1 [0082.962] lstrcmpiW (lpString1="NisLog.txt_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0082.962] lstrcmpiW (lpString1="NisLog.txt_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0082.962] lstrcmpiW (lpString1="NisLog.txt_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0082.962] lstrcmpiW (lpString1="NisLog.txt_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0082.962] lstrcmpiW (lpString1="NisLog.txt_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0082.962] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\NisLog.txt_r00t_{8ew5f6}.ebal") returned 113 [0082.962] StrStrIW (lpFirst="NisLog.txt_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0082.962] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x366fbd4a, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x366fbd4a, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NisLog.txt_r00t_{8ew5f6}.ebal", cAlternateFileName="NISLOG~1.EBA")) returned 0 [0082.962] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0082.962] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0082.963] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\network inspection system\\support\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.963] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.964] CloseHandle (hObject=0x43c) returned 1 [0082.964] GetProcessHeap () returned 0x3a00000 [0082.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.964] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd525f5, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf80ef9cf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf80ef9cf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 0 [0082.964] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0082.964] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0082.964] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Network Inspection System\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\network inspection system\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.965] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.966] CloseHandle (hObject=0x438) returned 1 [0082.966] GetProcessHeap () returned 0x3a00000 [0082.966] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.966] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Platform", cAlternateFileName="")) returned 1 [0082.966] lstrcmpiW (lpString1="Platform", lpString2="Windows") returned -1 [0082.966] lstrcmpiW (lpString1="Platform", lpString2="$Recycle.bin") returned 1 [0082.966] lstrcmpiW (lpString1="Platform", lpString2="System Volume Information") returned -1 [0082.966] lstrcmpiW (lpString1="Platform", lpString2="Program Files") returned -1 [0082.966] lstrcmpiW (lpString1="Platform", lpString2="Program Files (x86)") returned -1 [0082.966] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform") returned 58 [0082.966] lstrcmpW (lpString1="Platform", lpString2=".") returned 1 [0082.966] lstrcmpW (lpString1="Platform", lpString2="..") returned 1 [0082.966] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.966] GetProcessHeap () returned 0x3a00000 [0082.966] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\*") returned 60 [0082.967] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.967] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.967] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.967] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.967] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.967] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\.") returned 60 [0082.967] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.967] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc262a040, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.967] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.967] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.967] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.967] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.967] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\..") returned 61 [0082.967] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.967] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.967] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.967] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.967] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.967] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.967] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.967] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.967] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.967] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.967] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.968] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.968] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.985] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0082.985] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Platform\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\platform\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.986] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.986] CloseHandle (hObject=0x438) returned 1 [0082.987] GetProcessHeap () returned 0x3a00000 [0082.987] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.987] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Quarantine", cAlternateFileName="QUARAN~1")) returned 1 [0082.987] lstrcmpiW (lpString1="Quarantine", lpString2="Windows") returned -1 [0082.987] lstrcmpiW (lpString1="Quarantine", lpString2="$Recycle.bin") returned 1 [0082.987] lstrcmpiW (lpString1="Quarantine", lpString2="System Volume Information") returned -1 [0082.987] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files") returned 1 [0082.987] lstrcmpiW (lpString1="Quarantine", lpString2="Program Files (x86)") returned 1 [0082.987] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine") returned 60 [0082.987] lstrcmpW (lpString1="Quarantine", lpString2=".") returned 1 [0082.987] lstrcmpW (lpString1="Quarantine", lpString2="..") returned 1 [0082.987] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.987] GetProcessHeap () returned 0x3a00000 [0082.987] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.987] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*") returned 62 [0082.987] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.987] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.987] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.987] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.987] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.987] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.987] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\.") returned 62 [0082.987] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.987] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc262a749, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.987] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.988] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.988] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.988] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.988] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.988] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\..") returned 63 [0082.988] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.988] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.988] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.988] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.988] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.988] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.988] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.988] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.988] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0082.988] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.988] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.988] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.988] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.988] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0082.988] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Quarantine\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\quarantine\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0082.989] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0082.990] CloseHandle (hObject=0x438) returned 1 [0082.990] GetProcessHeap () returned 0x3a00000 [0082.990] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0082.990] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Scans", cAlternateFileName="")) returned 1 [0082.990] lstrcmpiW (lpString1="Scans", lpString2="Windows") returned -1 [0082.990] lstrcmpiW (lpString1="Scans", lpString2="$Recycle.bin") returned 1 [0082.990] lstrcmpiW (lpString1="Scans", lpString2="System Volume Information") returned -1 [0082.990] lstrcmpiW (lpString1="Scans", lpString2="Program Files") returned 1 [0082.990] lstrcmpiW (lpString1="Scans", lpString2="Program Files (x86)") returned 1 [0082.990] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans") returned 55 [0082.990] lstrcmpW (lpString1="Scans", lpString2=".") returned 1 [0082.990] lstrcmpW (lpString1="Scans", lpString2="..") returned 1 [0082.990] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.990] GetProcessHeap () returned 0x3a00000 [0082.990] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0082.990] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*") returned 57 [0082.990] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0082.991] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.991] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.991] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.991] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.991] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.991] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\.") returned 57 [0082.991] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.991] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.991] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.991] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.991] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.991] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.991] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.991] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\..") returned 58 [0082.991] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.991] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.991] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89ba1fb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.991] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.991] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.991] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.991] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.991] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.991] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0082.991] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.991] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.991] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CleanFileTelemetry", cAlternateFileName="CLEANF~1")) returned 1 [0082.992] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Windows") returned -1 [0082.992] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="$Recycle.bin") returned 1 [0082.992] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="System Volume Information") returned -1 [0082.992] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Program Files") returned -1 [0082.992] lstrcmpiW (lpString1="CleanFileTelemetry", lpString2="Program Files (x86)") returned -1 [0082.992] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry") returned 74 [0082.992] lstrcmpW (lpString1="CleanFileTelemetry", lpString2=".") returned 1 [0082.992] lstrcmpW (lpString1="CleanFileTelemetry", lpString2="..") returned 1 [0082.992] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.992] GetProcessHeap () returned 0x3a00000 [0082.992] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.992] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*") returned 76 [0082.992] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0082.992] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.992] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.992] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.992] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.992] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.992] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\.") returned 76 [0082.992] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.992] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc270158c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.992] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.992] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.992] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.992] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.992] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.992] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\..") returned 77 [0082.993] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.993] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.993] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.993] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.993] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.993] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.993] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.993] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.993] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0082.993] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.993] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.993] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8115b48, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8115b48, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8115b48, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.993] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0082.993] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0082.993] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanFileTelemetry\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanfiletelemetry\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0082.994] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0082.995] CloseHandle (hObject=0x43c) returned 1 [0082.995] GetProcessHeap () returned 0x3a00000 [0082.995] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0082.995] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac58c824, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CleanStore", cAlternateFileName="CLEANS~1")) returned 1 [0082.995] lstrcmpiW (lpString1="CleanStore", lpString2="Windows") returned -1 [0082.995] lstrcmpiW (lpString1="CleanStore", lpString2="$Recycle.bin") returned 1 [0082.995] lstrcmpiW (lpString1="CleanStore", lpString2="System Volume Information") returned -1 [0082.995] lstrcmpiW (lpString1="CleanStore", lpString2="Program Files") returned -1 [0082.995] lstrcmpiW (lpString1="CleanStore", lpString2="Program Files (x86)") returned -1 [0082.995] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore") returned 66 [0082.995] lstrcmpW (lpString1="CleanStore", lpString2=".") returned 1 [0082.995] lstrcmpW (lpString1="CleanStore", lpString2="..") returned 1 [0082.995] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.996] GetProcessHeap () returned 0x3a00000 [0082.996] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0082.996] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*") returned 68 [0082.996] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0082.996] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.996] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.996] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.996] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.996] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.996] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\.") returned 68 [0082.996] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.996] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2703fb5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.996] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.996] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.996] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.996] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.996] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.996] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\..") returned 69 [0082.996] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.996] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.996] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8188a77, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8188a77, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.996] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.996] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.996] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.996] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.997] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.997] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0082.997] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.997] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.997] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Entries", cAlternateFileName="")) returned 1 [0082.997] lstrcmpiW (lpString1="Entries", lpString2="Windows") returned -1 [0082.997] lstrcmpiW (lpString1="Entries", lpString2="$Recycle.bin") returned 1 [0082.997] lstrcmpiW (lpString1="Entries", lpString2="System Volume Information") returned -1 [0082.997] lstrcmpiW (lpString1="Entries", lpString2="Program Files") returned -1 [0082.997] lstrcmpiW (lpString1="Entries", lpString2="Program Files (x86)") returned -1 [0082.997] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries") returned 74 [0082.997] lstrcmpW (lpString1="Entries", lpString2=".") returned 1 [0082.997] lstrcmpW (lpString1="Entries", lpString2="..") returned 1 [0082.997] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0082.997] GetProcessHeap () returned 0x3a00000 [0082.997] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0082.997] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*") returned 76 [0082.997] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf813bdd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0082.997] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0082.997] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0082.997] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0082.997] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0082.997] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0082.997] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\.") returned 76 [0082.997] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0082.997] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc278a841, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf813bdd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0082.997] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0082.997] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0082.997] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0082.998] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0082.998] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0082.998] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\..") returned 77 [0082.998] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0082.998] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0082.998] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf813bdd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf813bdd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf813bdd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0082.998] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0082.998] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0082.998] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0082.998] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0082.998] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0082.998] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0082.998] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0082.998] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0082.998] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf813bdd2, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf813bdd2, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf813bdd2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0082.998] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0082.998] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0082.998] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Entries\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\entries\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.002] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.003] CloseHandle (hObject=0x440) returned 1 [0083.003] GetProcessHeap () returned 0x3a00000 [0083.003] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.003] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ResourceData", cAlternateFileName="RESOUR~1")) returned 1 [0083.003] lstrcmpiW (lpString1="ResourceData", lpString2="Windows") returned -1 [0083.003] lstrcmpiW (lpString1="ResourceData", lpString2="$Recycle.bin") returned 1 [0083.003] lstrcmpiW (lpString1="ResourceData", lpString2="System Volume Information") returned -1 [0083.003] lstrcmpiW (lpString1="ResourceData", lpString2="Program Files") returned 1 [0083.003] lstrcmpiW (lpString1="ResourceData", lpString2="Program Files (x86)") returned 1 [0083.003] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData") returned 79 [0083.003] lstrcmpW (lpString1="ResourceData", lpString2=".") returned 1 [0083.003] lstrcmpW (lpString1="ResourceData", lpString2="..") returned 1 [0083.003] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.003] GetProcessHeap () returned 0x3a00000 [0083.003] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.003] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*") returned 81 [0083.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.003] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.003] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.003] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.003] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.003] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.003] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\.") returned 81 [0083.004] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.004] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283e428, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.004] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.004] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.004] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.004] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.004] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.004] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\..") returned 82 [0083.004] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.004] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.004] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8162139, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8162139, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.004] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.004] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.004] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.004] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.004] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.004] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0083.004] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.004] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.004] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8162139, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8162139, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.004] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.004] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 111 [0083.004] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\ResourceData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\resourcedata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.005] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.006] CloseHandle (hObject=0x440) returned 1 [0083.006] GetProcessHeap () returned 0x3a00000 [0083.006] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.006] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 1 [0083.006] lstrcmpiW (lpString1="Resources", lpString2="Windows") returned -1 [0083.006] lstrcmpiW (lpString1="Resources", lpString2="$Recycle.bin") returned 1 [0083.006] lstrcmpiW (lpString1="Resources", lpString2="System Volume Information") returned -1 [0083.006] lstrcmpiW (lpString1="Resources", lpString2="Program Files") returned 1 [0083.006] lstrcmpiW (lpString1="Resources", lpString2="Program Files (x86)") returned 1 [0083.006] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources") returned 76 [0083.006] lstrcmpW (lpString1="Resources", lpString2=".") returned 1 [0083.006] lstrcmpW (lpString1="Resources", lpString2="..") returned 1 [0083.006] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.006] GetProcessHeap () returned 0x3a00000 [0083.006] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.006] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*") returned 78 [0083.006] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0083.007] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.007] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.007] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.007] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.007] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.007] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\.") returned 78 [0083.007] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.007] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8162139, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.007] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.007] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.007] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.007] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.007] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.007] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\..") returned 79 [0083.007] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.007] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.007] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8162139, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8162139, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.007] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.007] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.007] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.007] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.007] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.007] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.007] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.007] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.007] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8162139, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8162139, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.007] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0083.007] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.008] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\Resources\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\resources\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.008] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.009] CloseHandle (hObject=0x440) returned 1 [0083.009] GetProcessHeap () returned 0x3a00000 [0083.009] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.009] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc283ed5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Resources", cAlternateFileName="RESOUR~2")) returned 0 [0083.009] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0083.009] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0083.009] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\CleanStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\cleanstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.010] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.011] CloseHandle (hObject=0x43c) returned 1 [0083.011] GetProcessHeap () returned 0x3a00000 [0083.011] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.011] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3125c62, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="History", cAlternateFileName="")) returned 1 [0083.011] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0083.011] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0083.011] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0083.011] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0083.011] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0083.011] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History") returned 63 [0083.011] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0083.011] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0083.011] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.011] GetProcessHeap () returned 0x3a00000 [0083.011] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.012] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*") returned 65 [0083.012] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.012] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.012] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.012] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.012] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.012] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.012] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\.") returned 65 [0083.012] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.012] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28a95cf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.012] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.012] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.012] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.012] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.012] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.012] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\..") returned 66 [0083.012] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.012] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.012] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.012] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.012] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.012] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.012] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.012] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.012] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0083.012] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.012] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.012] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1712929f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CacheManager", cAlternateFileName="CACHEM~1")) returned 1 [0083.013] lstrcmpiW (lpString1="CacheManager", lpString2="Windows") returned -1 [0083.013] lstrcmpiW (lpString1="CacheManager", lpString2="$Recycle.bin") returned 1 [0083.013] lstrcmpiW (lpString1="CacheManager", lpString2="System Volume Information") returned -1 [0083.013] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files") returned -1 [0083.013] lstrcmpiW (lpString1="CacheManager", lpString2="Program Files (x86)") returned -1 [0083.013] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager") returned 76 [0083.013] lstrcmpW (lpString1="CacheManager", lpString2=".") returned 1 [0083.013] lstrcmpW (lpString1="CacheManager", lpString2="..") returned 1 [0083.013] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.013] GetProcessHeap () returned 0x3a00000 [0083.013] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.013] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*") returned 78 [0083.013] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0083.013] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.013] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.013] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.013] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.013] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.013] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\.") returned 78 [0083.013] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.013] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1712929f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc28aa444, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8188a77, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.013] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.013] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.013] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.013] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.013] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.013] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\..") returned 79 [0083.013] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.013] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.013] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8188a77, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8188a77, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.014] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.014] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.014] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.014] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.014] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.014] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.014] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.014] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.014] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8188a77, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8188a77, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.014] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0083.014] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.014] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\CacheManager\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\cachemanager\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.015] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.016] CloseHandle (hObject=0x440) returned 1 [0083.016] GetProcessHeap () returned 0x3a00000 [0083.016] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.016] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb2dde708, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Mput", cAlternateFileName="")) returned 1 [0083.016] lstrcmpiW (lpString1="Mput", lpString2="Windows") returned -1 [0083.016] lstrcmpiW (lpString1="Mput", lpString2="$Recycle.bin") returned 1 [0083.016] lstrcmpiW (lpString1="Mput", lpString2="System Volume Information") returned -1 [0083.016] lstrcmpiW (lpString1="Mput", lpString2="Program Files") returned -1 [0083.016] lstrcmpiW (lpString1="Mput", lpString2="Program Files (x86)") returned -1 [0083.016] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput") returned 68 [0083.016] lstrcmpW (lpString1="Mput", lpString2=".") returned 1 [0083.016] lstrcmpW (lpString1="Mput", lpString2="..") returned 1 [0083.016] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.016] GetProcessHeap () returned 0x3a00000 [0083.016] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.016] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*") returned 70 [0083.016] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0083.016] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.016] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.017] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.017] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.017] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.017] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\.") returned 70 [0083.017] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.017] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28aac86, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.017] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.017] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.017] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.017] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.017] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.017] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\..") returned 71 [0083.017] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.017] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.017] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf839e20f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.017] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.017] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.017] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.017] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.017] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.017] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0083.017] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.017] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.017] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 1 [0083.017] lstrcmpiW (lpString1="MputHistory", lpString2="Windows") returned -1 [0083.017] lstrcmpiW (lpString1="MputHistory", lpString2="$Recycle.bin") returned 1 [0083.017] lstrcmpiW (lpString1="MputHistory", lpString2="System Volume Information") returned -1 [0083.017] lstrcmpiW (lpString1="MputHistory", lpString2="Program Files") returned -1 [0083.017] lstrcmpiW (lpString1="MputHistory", lpString2="Program Files (x86)") returned -1 [0083.017] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory") returned 80 [0083.017] lstrcmpW (lpString1="MputHistory", lpString2=".") returned 1 [0083.018] lstrcmpW (lpString1="MputHistory", lpString2="..") returned 1 [0083.018] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.018] GetProcessHeap () returned 0x3a00000 [0083.018] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.018] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*") returned 82 [0083.018] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0083.018] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.018] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.018] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.018] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.018] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.018] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\.") returned 82 [0083.018] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.018] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.018] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.018] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.018] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.018] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.018] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.018] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\..") returned 83 [0083.018] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.018] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.018] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf839e20f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.018] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.018] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.018] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.018] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.018] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.018] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0083.019] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.019] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.019] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81ae4c1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="00", cAlternateFileName="")) returned 1 [0083.019] lstrcmpiW (lpString1="00", lpString2="Windows") returned -1 [0083.019] lstrcmpiW (lpString1="00", lpString2="$Recycle.bin") returned 1 [0083.019] lstrcmpiW (lpString1="00", lpString2="System Volume Information") returned -1 [0083.019] lstrcmpiW (lpString1="00", lpString2="Program Files") returned -1 [0083.019] lstrcmpiW (lpString1="00", lpString2="Program Files (x86)") returned -1 [0083.019] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00") returned 83 [0083.019] lstrcmpW (lpString1="00", lpString2=".") returned 1 [0083.019] lstrcmpW (lpString1="00", lpString2="..") returned 1 [0083.019] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.019] GetProcessHeap () returned 0x3a00000 [0083.019] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.019] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*") returned 85 [0083.019] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81ae4c1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0083.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.019] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\.") returned 85 [0083.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.019] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81ae4c1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.020] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\..") returned 86 [0083.020] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.020] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.020] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf81ae4c1, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf81ae4c1, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.020] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.020] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.020] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.020] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.020] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.020] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.020] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.020] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.020] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.020] lstrcmpiW (lpString1="192_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.020] lstrcmpiW (lpString1="192_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.020] lstrcmpiW (lpString1="192_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.020] lstrcmpiW (lpString1="192_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.020] lstrcmpiW (lpString1="192_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.020] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\192_r00t_{8ew5f6}.ebal") returned 106 [0083.020] StrStrIW (lpFirst="192_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.020] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81ae4c1, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="192_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.020] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0083.020] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.020] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\00\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\00\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.021] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.022] CloseHandle (hObject=0x450) returned 1 [0083.022] GetProcessHeap () returned 0x3a00000 [0083.022] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.022] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81d4578, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="01", cAlternateFileName="")) returned 1 [0083.022] lstrcmpiW (lpString1="01", lpString2="Windows") returned -1 [0083.022] lstrcmpiW (lpString1="01", lpString2="$Recycle.bin") returned 1 [0083.022] lstrcmpiW (lpString1="01", lpString2="System Volume Information") returned -1 [0083.022] lstrcmpiW (lpString1="01", lpString2="Program Files") returned -1 [0083.022] lstrcmpiW (lpString1="01", lpString2="Program Files (x86)") returned -1 [0083.022] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01") returned 83 [0083.022] lstrcmpW (lpString1="01", lpString2=".") returned 1 [0083.022] lstrcmpW (lpString1="01", lpString2="..") returned 1 [0083.022] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.022] GetProcessHeap () returned 0x3a00000 [0083.022] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.022] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*") returned 85 [0083.023] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81d4578, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.023] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.023] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.023] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.023] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.023] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.023] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\.") returned 85 [0083.023] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.023] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81d4578, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.023] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.023] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.023] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.023] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.023] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.023] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\..") returned 86 [0083.023] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.023] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.023] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf81d4578, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf81d4578, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.023] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.023] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.023] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.023] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.023] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.023] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.023] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.023] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.023] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.024] lstrcmpiW (lpString1="271_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.024] lstrcmpiW (lpString1="271_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.024] lstrcmpiW (lpString1="271_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.024] lstrcmpiW (lpString1="271_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.024] lstrcmpiW (lpString1="271_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.024] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\271_r00t_{8ew5f6}.ebal") returned 106 [0083.024] StrStrIW (lpFirst="271_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.024] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81d4578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="271_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.024] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.024] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\01\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\01\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.025] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.026] CloseHandle (hObject=0x450) returned 1 [0083.026] GetProcessHeap () returned 0x3a00000 [0083.026] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.026] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81fa74b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="02", cAlternateFileName="")) returned 1 [0083.026] lstrcmpiW (lpString1="02", lpString2="Windows") returned -1 [0083.026] lstrcmpiW (lpString1="02", lpString2="$Recycle.bin") returned 1 [0083.026] lstrcmpiW (lpString1="02", lpString2="System Volume Information") returned -1 [0083.026] lstrcmpiW (lpString1="02", lpString2="Program Files") returned -1 [0083.026] lstrcmpiW (lpString1="02", lpString2="Program Files (x86)") returned -1 [0083.026] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02") returned 83 [0083.026] lstrcmpW (lpString1="02", lpString2=".") returned 1 [0083.026] lstrcmpW (lpString1="02", lpString2="..") returned 1 [0083.026] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.026] GetProcessHeap () returned 0x3a00000 [0083.026] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.026] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*") returned 85 [0083.026] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81fa74b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0083.026] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.026] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.026] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.026] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.026] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.026] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\.") returned 85 [0083.026] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.026] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf81fa74b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.026] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.026] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.026] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.027] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.027] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.027] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\..") returned 86 [0083.027] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.027] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.027] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf81fa74b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf81fa74b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.027] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.027] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.027] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.027] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.027] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.027] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.027] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.027] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.027] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109004_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.027] lstrcmpiW (lpString1="109004_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.027] lstrcmpiW (lpString1="109004_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.027] lstrcmpiW (lpString1="109004_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.027] lstrcmpiW (lpString1="109004_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.027] lstrcmpiW (lpString1="109004_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.027] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\109004_r00t_{8ew5f6}.ebal") returned 109 [0083.027] StrStrIW (lpFirst="109004_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.027] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf81fa74b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109004_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.027] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0083.027] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.027] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\02\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\02\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.028] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.029] CloseHandle (hObject=0x450) returned 1 [0083.029] GetProcessHeap () returned 0x3a00000 [0083.029] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.029] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8220ce5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="04", cAlternateFileName="")) returned 1 [0083.029] lstrcmpiW (lpString1="04", lpString2="Windows") returned -1 [0083.029] lstrcmpiW (lpString1="04", lpString2="$Recycle.bin") returned 1 [0083.029] lstrcmpiW (lpString1="04", lpString2="System Volume Information") returned -1 [0083.029] lstrcmpiW (lpString1="04", lpString2="Program Files") returned -1 [0083.029] lstrcmpiW (lpString1="04", lpString2="Program Files (x86)") returned -1 [0083.029] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04") returned 83 [0083.029] lstrcmpW (lpString1="04", lpString2=".") returned 1 [0083.029] lstrcmpW (lpString1="04", lpString2="..") returned 1 [0083.029] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.029] GetProcessHeap () returned 0x3a00000 [0083.029] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.029] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*") returned 85 [0083.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8220ce5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.030] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.030] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.030] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.030] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.030] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.030] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\.") returned 85 [0083.030] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.030] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8220ce5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.030] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\..") returned 86 [0083.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.030] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8220ce5, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8220ce5, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.054] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.054] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.054] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.054] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.054] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.055] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.055] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.055] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.055] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109005_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.055] lstrcmpiW (lpString1="109005_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.055] lstrcmpiW (lpString1="109005_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.055] lstrcmpiW (lpString1="109005_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.055] lstrcmpiW (lpString1="109005_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.055] lstrcmpiW (lpString1="109005_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.055] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\109005_r00t_{8ew5f6}.ebal") returned 109 [0083.055] StrStrIW (lpFirst="109005_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.055] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.055] lstrcmpiW (lpString1="259_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.055] lstrcmpiW (lpString1="259_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.055] lstrcmpiW (lpString1="259_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.055] lstrcmpiW (lpString1="259_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.055] lstrcmpiW (lpString1="259_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.055] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\259_r00t_{8ew5f6}.ebal") returned 106 [0083.055] StrStrIW (lpFirst="259_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.055] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8220ce5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="259_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.055] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.055] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.055] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\04\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\04\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.056] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.057] CloseHandle (hObject=0x450) returned 1 [0083.057] GetProcessHeap () returned 0x3a00000 [0083.057] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.057] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="05", cAlternateFileName="")) returned 1 [0083.057] lstrcmpiW (lpString1="05", lpString2="Windows") returned -1 [0083.057] lstrcmpiW (lpString1="05", lpString2="$Recycle.bin") returned 1 [0083.057] lstrcmpiW (lpString1="05", lpString2="System Volume Information") returned -1 [0083.057] lstrcmpiW (lpString1="05", lpString2="Program Files") returned -1 [0083.057] lstrcmpiW (lpString1="05", lpString2="Program Files (x86)") returned -1 [0083.057] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05") returned 83 [0083.057] lstrcmpW (lpString1="05", lpString2=".") returned 1 [0083.057] lstrcmpW (lpString1="05", lpString2="..") returned 1 [0083.057] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.058] GetProcessHeap () returned 0x3a00000 [0083.058] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.058] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*") returned 85 [0083.058] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.058] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.058] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.058] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.058] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.058] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.058] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\.") returned 85 [0083.058] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.058] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.058] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.058] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.058] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.058] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.058] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.058] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\..") returned 86 [0083.058] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.058] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.058] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8246efd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.058] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.058] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.058] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.058] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.058] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.058] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.058] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.059] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.059] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.059] lstrcmpiW (lpString1="191_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.059] lstrcmpiW (lpString1="191_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.059] lstrcmpiW (lpString1="191_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.059] lstrcmpiW (lpString1="191_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.059] lstrcmpiW (lpString1="191_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.059] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\191_r00t_{8ew5f6}.ebal") returned 106 [0083.059] StrStrIW (lpFirst="191_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.059] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="191_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.059] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.059] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.059] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\05\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\05\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.060] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.061] CloseHandle (hObject=0x450) returned 1 [0083.061] GetProcessHeap () returned 0x3a00000 [0083.061] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.061] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="09", cAlternateFileName="")) returned 1 [0083.061] lstrcmpiW (lpString1="09", lpString2="Windows") returned -1 [0083.061] lstrcmpiW (lpString1="09", lpString2="$Recycle.bin") returned 1 [0083.061] lstrcmpiW (lpString1="09", lpString2="System Volume Information") returned -1 [0083.061] lstrcmpiW (lpString1="09", lpString2="Program Files") returned -1 [0083.061] lstrcmpiW (lpString1="09", lpString2="Program Files (x86)") returned -1 [0083.061] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09") returned 83 [0083.061] lstrcmpW (lpString1="09", lpString2=".") returned 1 [0083.061] lstrcmpW (lpString1="09", lpString2="..") returned 1 [0083.061] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.061] GetProcessHeap () returned 0x3a00000 [0083.061] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.061] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*") returned 85 [0083.061] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.061] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.061] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.061] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.062] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.062] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.062] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\.") returned 85 [0083.062] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.062] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.062] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.062] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.062] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.062] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.062] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.062] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\..") returned 86 [0083.062] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.062] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.062] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8246efd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8246efd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf826d1c2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.062] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.062] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.062] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.062] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.062] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.063] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.063] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.063] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.063] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.063] lstrcmpiW (lpString1="287_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.063] lstrcmpiW (lpString1="287_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.063] lstrcmpiW (lpString1="287_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.063] lstrcmpiW (lpString1="287_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.063] lstrcmpiW (lpString1="287_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.063] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\287_r00t_{8ew5f6}.ebal") returned 106 [0083.063] StrStrIW (lpFirst="287_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.063] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8246efd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="287_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.063] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.063] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.063] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\09\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\09\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.064] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.065] CloseHandle (hObject=0x450) returned 1 [0083.065] GetProcessHeap () returned 0x3a00000 [0083.065] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.065] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="10", cAlternateFileName="")) returned 1 [0083.065] lstrcmpiW (lpString1="10", lpString2="Windows") returned -1 [0083.065] lstrcmpiW (lpString1="10", lpString2="$Recycle.bin") returned 1 [0083.065] lstrcmpiW (lpString1="10", lpString2="System Volume Information") returned -1 [0083.065] lstrcmpiW (lpString1="10", lpString2="Program Files") returned -1 [0083.065] lstrcmpiW (lpString1="10", lpString2="Program Files (x86)") returned -1 [0083.065] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10") returned 83 [0083.065] lstrcmpW (lpString1="10", lpString2=".") returned 1 [0083.065] lstrcmpW (lpString1="10", lpString2="..") returned 1 [0083.065] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.065] GetProcessHeap () returned 0x3a00000 [0083.065] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.065] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*") returned 85 [0083.065] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.065] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.065] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.065] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.065] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.065] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.066] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\.") returned 85 [0083.066] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.066] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.066] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.066] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.066] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.066] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.066] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.066] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\..") returned 86 [0083.066] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.066] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.066] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8293198, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.066] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.066] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.066] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.066] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.066] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.066] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.066] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.066] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.066] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="267_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.066] lstrcmpiW (lpString1="267_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.066] lstrcmpiW (lpString1="267_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.066] lstrcmpiW (lpString1="267_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.066] lstrcmpiW (lpString1="267_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.066] lstrcmpiW (lpString1="267_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.066] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\267_r00t_{8ew5f6}.ebal") returned 106 [0083.066] StrStrIW (lpFirst="267_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.066] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.066] lstrcmpiW (lpString1="286_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.066] lstrcmpiW (lpString1="286_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.067] lstrcmpiW (lpString1="286_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.067] lstrcmpiW (lpString1="286_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.067] lstrcmpiW (lpString1="286_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.067] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\286_r00t_{8ew5f6}.ebal") returned 106 [0083.067] StrStrIW (lpFirst="286_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.067] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="286_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.067] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.067] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.067] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\10\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\10\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.068] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.068] CloseHandle (hObject=0x450) returned 1 [0083.069] GetProcessHeap () returned 0x3a00000 [0083.069] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.069] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa2297c25, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="11", cAlternateFileName="")) returned 1 [0083.069] lstrcmpiW (lpString1="11", lpString2="Windows") returned -1 [0083.069] lstrcmpiW (lpString1="11", lpString2="$Recycle.bin") returned 1 [0083.069] lstrcmpiW (lpString1="11", lpString2="System Volume Information") returned -1 [0083.069] lstrcmpiW (lpString1="11", lpString2="Program Files") returned -1 [0083.069] lstrcmpiW (lpString1="11", lpString2="Program Files (x86)") returned -1 [0083.069] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11") returned 83 [0083.069] lstrcmpW (lpString1="11", lpString2=".") returned 1 [0083.069] lstrcmpW (lpString1="11", lpString2="..") returned 1 [0083.069] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.069] GetProcessHeap () returned 0x3a00000 [0083.069] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.069] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*") returned 85 [0083.069] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0083.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.069] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.069] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\.") returned 85 [0083.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.069] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc29540e7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.070] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.070] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.070] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.070] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.070] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\..") returned 86 [0083.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.070] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8293198, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.070] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.070] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.070] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.070] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.070] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.070] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.070] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.070] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.070] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8293198, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8293198, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8293198, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.070] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0083.070] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\11\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\11\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.071] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.072] CloseHandle (hObject=0x450) returned 1 [0083.072] GetProcessHeap () returned 0x3a00000 [0083.072] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.072] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="12", cAlternateFileName="")) returned 1 [0083.072] lstrcmpiW (lpString1="12", lpString2="Windows") returned -1 [0083.072] lstrcmpiW (lpString1="12", lpString2="$Recycle.bin") returned 1 [0083.072] lstrcmpiW (lpString1="12", lpString2="System Volume Information") returned -1 [0083.072] lstrcmpiW (lpString1="12", lpString2="Program Files") returned -1 [0083.072] lstrcmpiW (lpString1="12", lpString2="Program Files (x86)") returned -1 [0083.072] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12") returned 83 [0083.072] lstrcmpW (lpString1="12", lpString2=".") returned 1 [0083.072] lstrcmpW (lpString1="12", lpString2="..") returned 1 [0083.072] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.072] GetProcessHeap () returned 0x3a00000 [0083.072] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.072] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*") returned 85 [0083.072] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.072] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.072] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.073] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.073] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.073] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.073] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\.") returned 85 [0083.073] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.073] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.073] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.073] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.073] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.073] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.073] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.073] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\..") returned 86 [0083.073] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.073] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.073] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82b9336, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.073] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.073] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.073] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.073] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.073] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.073] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.073] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.073] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.073] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.073] lstrcmpiW (lpString1="194_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.073] lstrcmpiW (lpString1="194_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.073] lstrcmpiW (lpString1="194_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.073] lstrcmpiW (lpString1="194_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.073] lstrcmpiW (lpString1="194_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.073] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\194_r00t_{8ew5f6}.ebal") returned 106 [0083.073] StrStrIW (lpFirst="194_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.073] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="194_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.074] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.074] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.074] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\12\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\12\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.074] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.075] CloseHandle (hObject=0x450) returned 1 [0083.075] GetProcessHeap () returned 0x3a00000 [0083.075] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.075] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="15", cAlternateFileName="")) returned 1 [0083.075] lstrcmpiW (lpString1="15", lpString2="Windows") returned -1 [0083.075] lstrcmpiW (lpString1="15", lpString2="$Recycle.bin") returned 1 [0083.075] lstrcmpiW (lpString1="15", lpString2="System Volume Information") returned -1 [0083.076] lstrcmpiW (lpString1="15", lpString2="Program Files") returned -1 [0083.076] lstrcmpiW (lpString1="15", lpString2="Program Files (x86)") returned -1 [0083.076] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15") returned 83 [0083.076] lstrcmpW (lpString1="15", lpString2=".") returned 1 [0083.076] lstrcmpW (lpString1="15", lpString2="..") returned 1 [0083.076] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.076] GetProcessHeap () returned 0x3a00000 [0083.076] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.076] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*") returned 85 [0083.076] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0083.076] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.076] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.076] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.076] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.076] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.076] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\.") returned 85 [0083.076] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.076] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82b9336, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.076] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.076] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.076] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.076] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.076] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.076] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\..") returned 86 [0083.076] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.076] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.076] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82df5d8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf82df5d8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.076] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.076] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.077] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.077] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.077] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.077] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.077] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.077] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.077] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="196_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.077] lstrcmpiW (lpString1="196_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.077] lstrcmpiW (lpString1="196_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.077] lstrcmpiW (lpString1="196_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.077] lstrcmpiW (lpString1="196_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.077] lstrcmpiW (lpString1="196_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.077] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\196_r00t_{8ew5f6}.ebal") returned 106 [0083.077] StrStrIW (lpFirst="196_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.077] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.077] lstrcmpiW (lpString1="262_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.077] lstrcmpiW (lpString1="262_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.077] lstrcmpiW (lpString1="262_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.077] lstrcmpiW (lpString1="262_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.077] lstrcmpiW (lpString1="262_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.077] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\262_r00t_{8ew5f6}.ebal") returned 106 [0083.078] StrStrIW (lpFirst="262_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.078] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82b9336, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="262_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.078] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0083.078] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.078] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\15\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\15\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.078] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.079] CloseHandle (hObject=0x450) returned 1 [0083.079] GetProcessHeap () returned 0x3a00000 [0083.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.079] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82df5d8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17", cAlternateFileName="")) returned 1 [0083.080] lstrcmpiW (lpString1="17", lpString2="Windows") returned -1 [0083.080] lstrcmpiW (lpString1="17", lpString2="$Recycle.bin") returned 1 [0083.080] lstrcmpiW (lpString1="17", lpString2="System Volume Information") returned -1 [0083.080] lstrcmpiW (lpString1="17", lpString2="Program Files") returned -1 [0083.080] lstrcmpiW (lpString1="17", lpString2="Program Files (x86)") returned -1 [0083.080] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17") returned 83 [0083.080] lstrcmpW (lpString1="17", lpString2=".") returned 1 [0083.080] lstrcmpW (lpString1="17", lpString2="..") returned 1 [0083.080] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.080] GetProcessHeap () returned 0x3a00000 [0083.080] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.080] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*") returned 85 [0083.080] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82df5d8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0083.080] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.080] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.080] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.080] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.080] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.080] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\.") returned 85 [0083.080] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.080] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf82df5d8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.080] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.080] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.080] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.080] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.080] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.080] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\..") returned 86 [0083.080] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.081] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.081] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf82df5d8, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf82df5d8, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.081] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.081] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.081] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.081] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.081] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.081] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.081] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.081] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.081] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109001_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.081] lstrcmpiW (lpString1="109001_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.081] lstrcmpiW (lpString1="109001_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.081] lstrcmpiW (lpString1="109001_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.081] lstrcmpiW (lpString1="109001_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.081] lstrcmpiW (lpString1="109001_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.081] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\109001_r00t_{8ew5f6}.ebal") returned 109 [0083.081] StrStrIW (lpFirst="109001_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.081] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.081] lstrcmpiW (lpString1="193_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.081] lstrcmpiW (lpString1="193_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.081] lstrcmpiW (lpString1="193_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.081] lstrcmpiW (lpString1="193_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.081] lstrcmpiW (lpString1="193_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.081] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\193_r00t_{8ew5f6}.ebal") returned 106 [0083.081] StrStrIW (lpFirst="193_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.081] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf82df5d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="193_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.081] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0083.081] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.081] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\17\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\17\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.082] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.083] CloseHandle (hObject=0x450) returned 1 [0083.083] GetProcessHeap () returned 0x3a00000 [0083.083] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.083] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8305857, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="18", cAlternateFileName="")) returned 1 [0083.083] lstrcmpiW (lpString1="18", lpString2="Windows") returned -1 [0083.083] lstrcmpiW (lpString1="18", lpString2="$Recycle.bin") returned 1 [0083.083] lstrcmpiW (lpString1="18", lpString2="System Volume Information") returned -1 [0083.083] lstrcmpiW (lpString1="18", lpString2="Program Files") returned -1 [0083.083] lstrcmpiW (lpString1="18", lpString2="Program Files (x86)") returned -1 [0083.083] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18") returned 83 [0083.083] lstrcmpW (lpString1="18", lpString2=".") returned 1 [0083.083] lstrcmpW (lpString1="18", lpString2="..") returned 1 [0083.083] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.083] GetProcessHeap () returned 0x3a00000 [0083.083] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.083] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*") returned 85 [0083.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8305857, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.084] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.084] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.084] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.084] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.084] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.084] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\.") returned 85 [0083.084] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.084] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8305857, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.084] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.084] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.084] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.084] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.084] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.084] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\..") returned 86 [0083.084] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.084] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.084] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8305857, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8305857, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.084] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.084] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.084] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.084] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.084] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.084] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.084] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.084] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.084] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109002_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.084] lstrcmpiW (lpString1="109002_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.085] lstrcmpiW (lpString1="109002_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.085] lstrcmpiW (lpString1="109002_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.085] lstrcmpiW (lpString1="109002_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.085] lstrcmpiW (lpString1="109002_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.085] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\109002_r00t_{8ew5f6}.ebal") returned 109 [0083.085] StrStrIW (lpFirst="109002_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.085] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.085] lstrcmpiW (lpString1="195_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.085] lstrcmpiW (lpString1="195_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.085] lstrcmpiW (lpString1="195_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.085] lstrcmpiW (lpString1="195_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.085] lstrcmpiW (lpString1="195_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.085] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\195_r00t_{8ew5f6}.ebal") returned 106 [0083.085] StrStrIW (lpFirst="195_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.085] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8305857, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="195_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.085] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.085] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.085] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\18\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\18\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.086] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.087] CloseHandle (hObject=0x450) returned 1 [0083.087] GetProcessHeap () returned 0x3a00000 [0083.087] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.087] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf832baf6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="19", cAlternateFileName="")) returned 1 [0083.087] lstrcmpiW (lpString1="19", lpString2="Windows") returned -1 [0083.087] lstrcmpiW (lpString1="19", lpString2="$Recycle.bin") returned 1 [0083.087] lstrcmpiW (lpString1="19", lpString2="System Volume Information") returned -1 [0083.087] lstrcmpiW (lpString1="19", lpString2="Program Files") returned -1 [0083.087] lstrcmpiW (lpString1="19", lpString2="Program Files (x86)") returned -1 [0083.087] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19") returned 83 [0083.087] lstrcmpW (lpString1="19", lpString2=".") returned 1 [0083.087] lstrcmpW (lpString1="19", lpString2="..") returned 1 [0083.087] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.087] GetProcessHeap () returned 0x3a00000 [0083.087] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.087] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*") returned 85 [0083.087] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf832baf6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.087] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.087] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.087] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.087] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.087] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.087] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\.") returned 85 [0083.088] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.088] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf832baf6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.088] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.088] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.088] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.088] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.088] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.088] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\..") returned 86 [0083.088] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.088] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.088] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf832baf6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf832baf6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.088] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.088] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.088] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.088] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.088] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.088] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.088] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.088] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.088] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="266_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.088] lstrcmpiW (lpString1="266_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.088] lstrcmpiW (lpString1="266_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.088] lstrcmpiW (lpString1="266_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.088] lstrcmpiW (lpString1="266_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.088] lstrcmpiW (lpString1="266_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.088] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\266_r00t_{8ew5f6}.ebal") returned 106 [0083.088] StrStrIW (lpFirst="266_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.088] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="272_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.088] lstrcmpiW (lpString1="272_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.088] lstrcmpiW (lpString1="272_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.088] lstrcmpiW (lpString1="272_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.088] lstrcmpiW (lpString1="272_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.089] lstrcmpiW (lpString1="272_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.089] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\272_r00t_{8ew5f6}.ebal") returned 106 [0083.089] StrStrIW (lpFirst="272_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.089] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.089] lstrcmpiW (lpString1="328_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.089] lstrcmpiW (lpString1="328_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.089] lstrcmpiW (lpString1="328_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.089] lstrcmpiW (lpString1="328_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.089] lstrcmpiW (lpString1="328_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.089] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\328_r00t_{8ew5f6}.ebal") returned 106 [0083.089] StrStrIW (lpFirst="328_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.089] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf832baf6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="328_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.089] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.089] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\19\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\19\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.090] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.091] CloseHandle (hObject=0x450) returned 1 [0083.091] GetProcessHeap () returned 0x3a00000 [0083.091] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.091] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8351c1b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="21", cAlternateFileName="")) returned 1 [0083.091] lstrcmpiW (lpString1="21", lpString2="Windows") returned -1 [0083.091] lstrcmpiW (lpString1="21", lpString2="$Recycle.bin") returned 1 [0083.091] lstrcmpiW (lpString1="21", lpString2="System Volume Information") returned -1 [0083.091] lstrcmpiW (lpString1="21", lpString2="Program Files") returned -1 [0083.091] lstrcmpiW (lpString1="21", lpString2="Program Files (x86)") returned -1 [0083.091] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21") returned 83 [0083.091] lstrcmpW (lpString1="21", lpString2=".") returned 1 [0083.091] lstrcmpW (lpString1="21", lpString2="..") returned 1 [0083.091] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.091] GetProcessHeap () returned 0x3a00000 [0083.091] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.091] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*") returned 85 [0083.091] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8351c1b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.091] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.091] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.091] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.092] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.092] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.092] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\.") returned 85 [0083.092] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.092] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf8351c1b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.092] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.092] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.092] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.092] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.092] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.092] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\..") returned 86 [0083.092] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.092] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.092] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8351c1b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8351c1b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.092] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.092] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.092] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.092] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.092] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.092] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.092] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.092] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.092] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.092] lstrcmpiW (lpString1="260_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.092] lstrcmpiW (lpString1="260_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.092] lstrcmpiW (lpString1="260_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.092] lstrcmpiW (lpString1="260_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.092] lstrcmpiW (lpString1="260_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.092] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\260_r00t_{8ew5f6}.ebal") returned 106 [0083.092] StrStrIW (lpFirst="260_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.092] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa22bde00, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa22bde00, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf8351c1b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="260_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.093] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.093] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.094] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\21\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\21\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.095] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.096] CloseHandle (hObject=0x450) returned 1 [0083.096] GetProcessHeap () returned 0x3a00000 [0083.096] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.096] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22", cAlternateFileName="")) returned 1 [0083.096] lstrcmpiW (lpString1="22", lpString2="Windows") returned -1 [0083.096] lstrcmpiW (lpString1="22", lpString2="$Recycle.bin") returned 1 [0083.096] lstrcmpiW (lpString1="22", lpString2="System Volume Information") returned -1 [0083.096] lstrcmpiW (lpString1="22", lpString2="Program Files") returned -1 [0083.097] lstrcmpiW (lpString1="22", lpString2="Program Files (x86)") returned -1 [0083.097] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22") returned 83 [0083.097] lstrcmpW (lpString1="22", lpString2=".") returned 1 [0083.097] lstrcmpW (lpString1="22", lpString2="..") returned 1 [0083.097] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.097] GetProcessHeap () returned 0x3a00000 [0083.097] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a670 [0083.097] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*") returned 85 [0083.097] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.097] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.097] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.097] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.097] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.097] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.097] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\.") returned 85 [0083.097] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.097] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.097] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.097] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.097] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.097] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.097] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.097] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\..") returned 86 [0083.097] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.097] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.097] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf839e20f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.097] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.097] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.097] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.097] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.098] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.098] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.098] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.098] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.098] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109003_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.098] lstrcmpiW (lpString1="109003_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.098] lstrcmpiW (lpString1="109003_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.098] lstrcmpiW (lpString1="109003_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.098] lstrcmpiW (lpString1="109003_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.098] lstrcmpiW (lpString1="109003_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.098] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109003_r00t_{8ew5f6}.ebal") returned 109 [0083.098] StrStrIW (lpFirst="109003_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.098] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109006_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.098] lstrcmpiW (lpString1="109006_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.098] lstrcmpiW (lpString1="109006_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.098] lstrcmpiW (lpString1="109006_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.098] lstrcmpiW (lpString1="109006_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.098] lstrcmpiW (lpString1="109006_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.098] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\109006_r00t_{8ew5f6}.ebal") returned 109 [0083.098] StrStrIW (lpFirst="109006_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.098] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa2297c25, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x40c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="109006_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 0 [0083.098] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.098] wnsprintfW (in: pszDest=0x3a6a670, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 115 [0083.098] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\22\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\22\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x450 [0083.099] WriteFile (in: hFile=0x450, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0083.100] CloseHandle (hObject=0x450) returned 1 [0083.100] GetProcessHeap () returned 0x3a00000 [0083.100] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a670 | out: hHeap=0x3a00000) returned 1 [0083.100] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xf839e20f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf839e20f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="22", cAlternateFileName="")) returned 0 [0083.100] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0083.100] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 112 [0083.100] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\MputHistory\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\mputhistory\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.101] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.102] CloseHandle (hObject=0x44c) returned 1 [0083.102] GetProcessHeap () returned 0x3a00000 [0083.102] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.102] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2297c25, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xc28ab6dc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3040e3a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MputHistory", cAlternateFileName="MPUTHI~1")) returned 0 [0083.102] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0083.102] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0083.102] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Mput\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\mput\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.103] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.104] CloseHandle (hObject=0x440) returned 1 [0083.104] GetProcessHeap () returned 0x3a00000 [0083.104] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.104] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RemCheck", cAlternateFileName="")) returned 1 [0083.104] lstrcmpiW (lpString1="RemCheck", lpString2="Windows") returned -1 [0083.104] lstrcmpiW (lpString1="RemCheck", lpString2="$Recycle.bin") returned 1 [0083.104] lstrcmpiW (lpString1="RemCheck", lpString2="System Volume Information") returned -1 [0083.104] lstrcmpiW (lpString1="RemCheck", lpString2="Program Files") returned 1 [0083.104] lstrcmpiW (lpString1="RemCheck", lpString2="Program Files (x86)") returned 1 [0083.104] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck") returned 72 [0083.104] lstrcmpW (lpString1="RemCheck", lpString2=".") returned 1 [0083.104] lstrcmpW (lpString1="RemCheck", lpString2="..") returned 1 [0083.104] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.104] GetProcessHeap () returned 0x3a00000 [0083.104] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.104] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*") returned 74 [0083.104] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.104] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.104] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.104] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.104] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.104] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.105] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\.") returned 74 [0083.105] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.105] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2958c27, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.105] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.105] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.105] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.105] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.105] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.105] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\..") returned 75 [0083.105] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.105] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.105] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.105] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.105] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.105] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.105] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.105] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.105] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0083.105] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.105] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.105] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.105] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.105] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 104 [0083.105] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\RemCheck\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\remcheck\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.106] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.107] CloseHandle (hObject=0x440) returned 1 [0083.107] GetProcessHeap () returned 0x3a00000 [0083.107] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.107] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Results", cAlternateFileName="")) returned 1 [0083.107] lstrcmpiW (lpString1="Results", lpString2="Windows") returned -1 [0083.107] lstrcmpiW (lpString1="Results", lpString2="$Recycle.bin") returned 1 [0083.107] lstrcmpiW (lpString1="Results", lpString2="System Volume Information") returned -1 [0083.107] lstrcmpiW (lpString1="Results", lpString2="Program Files") returned 1 [0083.107] lstrcmpiW (lpString1="Results", lpString2="Program Files (x86)") returned 1 [0083.107] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results") returned 71 [0083.107] lstrcmpW (lpString1="Results", lpString2=".") returned 1 [0083.107] lstrcmpW (lpString1="Results", lpString2="..") returned 1 [0083.107] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.107] GetProcessHeap () returned 0x3a00000 [0083.107] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.107] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*") returned 73 [0083.107] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0083.108] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.108] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.108] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.108] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.108] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.108] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\.") returned 73 [0083.108] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.108] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d8813, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.108] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.108] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.108] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.108] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.108] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.108] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\..") returned 74 [0083.108] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.108] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.108] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.108] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.108] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.108] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.108] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.108] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.108] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0083.108] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.109] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.109] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.109] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0083.109] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0083.109] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Results\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\results\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.110] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.110] CloseHandle (hObject=0x440) returned 1 [0083.110] GetProcessHeap () returned 0x3a00000 [0083.110] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.110] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1717573f, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Service", cAlternateFileName="")) returned 1 [0083.110] lstrcmpiW (lpString1="Service", lpString2="Windows") returned -1 [0083.111] lstrcmpiW (lpString1="Service", lpString2="$Recycle.bin") returned 1 [0083.111] lstrcmpiW (lpString1="Service", lpString2="System Volume Information") returned -1 [0083.111] lstrcmpiW (lpString1="Service", lpString2="Program Files") returned 1 [0083.111] lstrcmpiW (lpString1="Service", lpString2="Program Files (x86)") returned 1 [0083.111] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service") returned 71 [0083.111] lstrcmpW (lpString1="Service", lpString2=".") returned 1 [0083.111] lstrcmpW (lpString1="Service", lpString2="..") returned 1 [0083.111] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.111] GetProcessHeap () returned 0x3a00000 [0083.111] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.111] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*") returned 73 [0083.111] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381b8 [0083.111] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.111] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.111] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.111] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.111] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.111] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\.") returned 73 [0083.111] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.111] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1717573f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29d9954, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.111] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.111] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.111] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.111] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.111] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.111] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\..") returned 74 [0083.111] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.111] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.111] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.112] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.112] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.112] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.112] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.112] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.112] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0083.112] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.112] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.112] FindNextFileW (in: hFindFile=0x3a381b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.112] FindClose (in: hFindFile=0x3a381b8 | out: hFindFile=0x3a381b8) returned 1 [0083.112] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0083.112] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Service\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\service\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.113] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.113] CloseHandle (hObject=0x440) returned 1 [0083.114] GetProcessHeap () returned 0x3a00000 [0083.114] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.114] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Store", cAlternateFileName="")) returned 1 [0083.114] lstrcmpiW (lpString1="Store", lpString2="Windows") returned -1 [0083.114] lstrcmpiW (lpString1="Store", lpString2="$Recycle.bin") returned 1 [0083.114] lstrcmpiW (lpString1="Store", lpString2="System Volume Information") returned -1 [0083.114] lstrcmpiW (lpString1="Store", lpString2="Program Files") returned 1 [0083.114] lstrcmpiW (lpString1="Store", lpString2="Program Files (x86)") returned 1 [0083.114] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store") returned 69 [0083.114] lstrcmpW (lpString1="Store", lpString2=".") returned 1 [0083.114] lstrcmpW (lpString1="Store", lpString2="..") returned 1 [0083.114] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.114] GetProcessHeap () returned 0x3a00000 [0083.114] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.114] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*") returned 71 [0083.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.114] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.114] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.114] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.114] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.114] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.114] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\.") returned 71 [0083.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.114] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.114] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.115] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.115] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.115] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\..") returned 72 [0083.115] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.115] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.115] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.115] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.115] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.115] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.115] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.115] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.115] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0083.115] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.115] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.115] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.115] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.115] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0083.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\Store\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\store\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.116] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.117] CloseHandle (hObject=0x440) returned 1 [0083.117] GetProcessHeap () returned 0x3a00000 [0083.117] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.117] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29da6f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fad6a80, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Store", cAlternateFileName="")) returned 0 [0083.117] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.117] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 95 [0083.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\History\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\history\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.118] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.119] CloseHandle (hObject=0x43c) returned 1 [0083.119] GetProcessHeap () returned 0x3a00000 [0083.119] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.119] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MetaStore", cAlternateFileName="METAST~1")) returned 1 [0083.119] lstrcmpiW (lpString1="MetaStore", lpString2="Windows") returned -1 [0083.119] lstrcmpiW (lpString1="MetaStore", lpString2="$Recycle.bin") returned 1 [0083.119] lstrcmpiW (lpString1="MetaStore", lpString2="System Volume Information") returned -1 [0083.119] lstrcmpiW (lpString1="MetaStore", lpString2="Program Files") returned -1 [0083.119] lstrcmpiW (lpString1="MetaStore", lpString2="Program Files (x86)") returned -1 [0083.119] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore") returned 65 [0083.119] lstrcmpW (lpString1="MetaStore", lpString2=".") returned 1 [0083.119] lstrcmpW (lpString1="MetaStore", lpString2="..") returned 1 [0083.119] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.119] GetProcessHeap () returned 0x3a00000 [0083.119] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.119] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*") returned 67 [0083.119] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0083.119] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.119] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.119] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.119] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.119] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.119] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\.") returned 67 [0083.119] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.119] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29db382, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.120] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.120] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.120] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.120] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.120] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.120] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\..") returned 68 [0083.120] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.120] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.120] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf860075d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf860075d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.120] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.120] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.120] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.120] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.120] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.120] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0083.120] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.120] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.120] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="1", cAlternateFileName="")) returned 1 [0083.120] lstrcmpiW (lpString1="1", lpString2="Windows") returned -1 [0083.120] lstrcmpiW (lpString1="1", lpString2="$Recycle.bin") returned 1 [0083.120] lstrcmpiW (lpString1="1", lpString2="System Volume Information") returned -1 [0083.120] lstrcmpiW (lpString1="1", lpString2="Program Files") returned -1 [0083.120] lstrcmpiW (lpString1="1", lpString2="Program Files (x86)") returned -1 [0083.120] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1") returned 67 [0083.120] lstrcmpW (lpString1="1", lpString2=".") returned 1 [0083.120] lstrcmpW (lpString1="1", lpString2="..") returned 1 [0083.120] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.120] GetProcessHeap () returned 0x3a00000 [0083.120] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.120] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*") returned 69 [0083.120] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0083.121] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.121] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.121] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.121] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.121] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.121] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\.") returned 69 [0083.121] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.121] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dbfd0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83c44aa, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.121] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.121] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.121] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.121] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.121] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.121] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\..") returned 70 [0083.121] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.121] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.121] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.121] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.121] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.121] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.121] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.121] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.121] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.121] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.121] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.121] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83c44aa, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83c44aa, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.121] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0083.121] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.122] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\1\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\1\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.122] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.123] CloseHandle (hObject=0x440) returned 1 [0083.123] GetProcessHeap () returned 0x3a00000 [0083.123] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.123] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xb3198210, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="2", cAlternateFileName="")) returned 1 [0083.123] lstrcmpiW (lpString1="2", lpString2="Windows") returned -1 [0083.123] lstrcmpiW (lpString1="2", lpString2="$Recycle.bin") returned 1 [0083.123] lstrcmpiW (lpString1="2", lpString2="System Volume Information") returned -1 [0083.123] lstrcmpiW (lpString1="2", lpString2="Program Files") returned -1 [0083.123] lstrcmpiW (lpString1="2", lpString2="Program Files (x86)") returned -1 [0083.123] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2") returned 67 [0083.123] lstrcmpW (lpString1="2", lpString2=".") returned 1 [0083.123] lstrcmpW (lpString1="2", lpString2="..") returned 1 [0083.123] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.124] GetProcessHeap () returned 0x3a00000 [0083.124] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.124] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*") returned 69 [0083.124] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.124] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.124] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.124] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.124] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.124] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.124] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\.") returned 69 [0083.124] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.124] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc29dc87e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.124] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.124] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.124] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.124] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.124] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.124] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\..") returned 70 [0083.124] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.124] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.124] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83ea643, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.124] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.125] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.125] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.125] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.125] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.125] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.125] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.125] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.125] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="94", cAlternateFileName="")) returned 1 [0083.125] lstrcmpiW (lpString1="94", lpString2="Windows") returned -1 [0083.125] lstrcmpiW (lpString1="94", lpString2="$Recycle.bin") returned 1 [0083.125] lstrcmpiW (lpString1="94", lpString2="System Volume Information") returned -1 [0083.125] lstrcmpiW (lpString1="94", lpString2="Program Files") returned -1 [0083.125] lstrcmpiW (lpString1="94", lpString2="Program Files (x86)") returned -1 [0083.125] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94") returned 70 [0083.125] lstrcmpW (lpString1="94", lpString2=".") returned 1 [0083.125] lstrcmpW (lpString1="94", lpString2="..") returned 1 [0083.125] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.125] GetProcessHeap () returned 0x3a00000 [0083.125] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.125] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\*") returned 72 [0083.125] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.125] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.125] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.125] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.125] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.125] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.125] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\.") returned 72 [0083.125] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.125] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.126] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.126] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.126] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.126] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.126] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.126] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\..") returned 73 [0083.126] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.126] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.126] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf83ea643, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.126] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.126] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.126] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.126] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.126] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.126] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 102 [0083.126] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.126] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.126] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7710f5c8, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x175d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="A75BFD~1.EBA")) returned 1 [0083.126] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.126] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.126] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.126] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.126] lstrcmpiW (lpString1="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.126] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal") returned 110 [0083.126] StrStrIW (lpFirst="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.126] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x7710f5c8, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x175d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="A75BFDE52F3DD8E6.dat_r00t_{8ew5f6}.ebal", cAlternateFileName="A75BFD~1.EBA")) returned 0 [0083.126] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.126] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 102 [0083.126] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\94\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\2\\94\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.208] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.209] CloseHandle (hObject=0x44c) returned 1 [0083.209] GetProcessHeap () returned 0x3a00000 [0083.209] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.210] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4fdfe49b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xf83ea643, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf83ea643, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="94", cAlternateFileName="")) returned 0 [0083.210] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.210] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.210] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\2\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\2\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.211] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.211] CloseHandle (hObject=0x440) returned 1 [0083.211] GetProcessHeap () returned 0x3a00000 [0083.212] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.212] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37aacd1b, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="3", cAlternateFileName="")) returned 1 [0083.212] lstrcmpiW (lpString1="3", lpString2="Windows") returned -1 [0083.212] lstrcmpiW (lpString1="3", lpString2="$Recycle.bin") returned 1 [0083.212] lstrcmpiW (lpString1="3", lpString2="System Volume Information") returned -1 [0083.212] lstrcmpiW (lpString1="3", lpString2="Program Files") returned -1 [0083.212] lstrcmpiW (lpString1="3", lpString2="Program Files (x86)") returned -1 [0083.212] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3") returned 67 [0083.212] lstrcmpW (lpString1="3", lpString2=".") returned 1 [0083.212] lstrcmpW (lpString1="3", lpString2="..") returned 1 [0083.212] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.212] GetProcessHeap () returned 0x3a00000 [0083.212] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.212] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*") returned 69 [0083.212] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0083.212] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.212] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.212] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.212] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.212] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.212] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\.") returned 69 [0083.212] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.212] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37aacd1b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a3432b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.212] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.212] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.212] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.212] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.213] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.213] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\..") returned 70 [0083.213] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.213] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.213] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf860075d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf860075d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.213] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.213] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.213] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.213] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.213] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.213] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.213] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.213] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.213] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf860075d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf860075d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.213] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0083.213] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\3\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\3\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.214] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.215] CloseHandle (hObject=0x440) returned 1 [0083.215] GetProcessHeap () returned 0x3a00000 [0083.215] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.215] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4", cAlternateFileName="")) returned 1 [0083.215] lstrcmpiW (lpString1="4", lpString2="Windows") returned -1 [0083.215] lstrcmpiW (lpString1="4", lpString2="$Recycle.bin") returned 1 [0083.215] lstrcmpiW (lpString1="4", lpString2="System Volume Information") returned -1 [0083.215] lstrcmpiW (lpString1="4", lpString2="Program Files") returned -1 [0083.215] lstrcmpiW (lpString1="4", lpString2="Program Files (x86)") returned -1 [0083.215] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4") returned 67 [0083.215] lstrcmpW (lpString1="4", lpString2=".") returned 1 [0083.215] lstrcmpW (lpString1="4", lpString2="..") returned 1 [0083.215] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.215] GetProcessHeap () returned 0x3a00000 [0083.215] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.215] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*") returned 69 [0083.215] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0083.215] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.215] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.215] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.215] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.215] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.215] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\.") returned 69 [0083.215] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.216] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.216] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.216] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.216] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.216] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.216] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.216] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\..") returned 70 [0083.216] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.216] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.216] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf860075d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf860075d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.216] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.216] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.216] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.216] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.216] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.216] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.216] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.216] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.216] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf860075d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf860075d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf860075d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.216] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0083.216] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.216] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\4\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\4\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.217] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.218] CloseHandle (hObject=0x440) returned 1 [0083.218] GetProcessHeap () returned 0x3a00000 [0083.218] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.218] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37ad2f56, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a352ee, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x37ad2f56, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="4", cAlternateFileName="")) returned 0 [0083.218] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0083.218] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0083.218] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\MetaStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\metastore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.219] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.220] CloseHandle (hObject=0x43c) returned 1 [0083.220] GetProcessHeap () returned 0x3a00000 [0083.220] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.220] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf8626a26, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x18ea968, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.220] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal") returned 130 [0083.220] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.5B_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.220] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37149d8d, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37149d8d, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf864cbd5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6a1aef0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.220] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.220] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal") returned 130 [0083.220] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.67_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.221] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x37575d5f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37575d5f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf8672e99, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3b14384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.221] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal") returned 130 [0083.221] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.79_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.221] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x3771965f, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3771965f, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf8699011, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x529384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.221] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal") returned 130 [0083.221] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7C_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.221] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x37765b02, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x37765b02, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf86bf25d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3d029c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.221] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal") returned 130 [0083.221] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.7E_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.221] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x378e31c3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x378e31c3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf86bf25d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xcfdfc7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.221] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.221] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal") returned 130 [0083.222] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.80_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.222] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0x3795589b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3795589b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf86f5be5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1d82bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.222] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal") returned 130 [0083.222] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.83_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.222] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3792f650, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3792f650, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf870b748, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1a3de5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.222] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal") returned 130 [0083.222] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.87_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.222] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3795589b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3795589b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf870b748, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3592b3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.222] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal") returned 130 [0083.222] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.A0_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.222] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf873315f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6037d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.222] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.222] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal") returned 130 [0083.223] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CB_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.223] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3797bae0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x3797bae0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf873315f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x44525, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.223] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal") returned 130 [0083.223] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin.CC_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.223] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fab0876, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2fab0876, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xf8626a26, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa2b01b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="")) returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.223] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal") returned 127 [0083.223] StrStrIW (lpFirst="mpcache-3B2FA0352F7866F295FE76520C4D8AC0F30337F5.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.223] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf877ded6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x18ea968, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", cAlternateFileName="MPCACH~2.EBA")) returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.223] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal") returned 130 [0083.223] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.5B_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.223] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1206ea7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1206ea7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf877ded6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6a1aef0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", cAlternateFileName="MPCACH~3.EBA")) returned 1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.223] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.224] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal") returned 130 [0083.224] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.67_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.224] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd159a713, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd159a713, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf87ca5c5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3b14384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", cAlternateFileName="MPCACH~4.EBA")) returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.224] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal") returned 130 [0083.224] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.79_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.224] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd167f527, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd167f527, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf88d53d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x529384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", cAlternateFileName="MP6CEB~1.EBA")) returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.224] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal") returned 130 [0083.224] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7C_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.224] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd16cb9d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd16cb9d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf88fb92d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3d029c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", cAlternateFileName="MP8298~1.EBA")) returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.224] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal") returned 130 [0083.224] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.7E_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.224] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1822efb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1822efb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf896dc9f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xcfdfc7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", cAlternateFileName="MP8C32~1.EBA")) returned 1 [0083.224] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.225] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal") returned 130 [0083.225] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.80_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.225] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x820, ftCreationTime.dwLowDateTime=0xd18bb86e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18bb86e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf896dc9f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1d82bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", cAlternateFileName="MP534F~1.EBA")) returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.225] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal") returned 130 [0083.225] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.83_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.225] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1895623, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1895623, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf896dc9f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1a3de5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", cAlternateFileName="MP886D~1.EBA")) returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.225] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal") returned 130 [0083.225] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.87_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.225] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18bb86e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18bb86e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf8994039, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3592b3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", cAlternateFileName="MP5FC7~1.EBA")) returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.225] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.225] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal") returned 130 [0083.225] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.A0_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.225] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf8994039, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6037d, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", cAlternateFileName="MP19AD~1.EBA")) returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.226] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal") returned 130 [0083.226] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CB_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.226] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd18e1ad1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd18e1ad1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x44525, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", cAlternateFileName="MP736F~1.EBA")) returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.226] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal") returned 130 [0083.226] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin.CC_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.226] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccf915d5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xccf915d5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf8757c0a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xa2b01b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="MPCACH~1.EBA")) returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.226] lstrcmpiW (lpString1="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.226] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal") returned 127 [0083.226] StrStrIW (lpFirst="mpcache-CC7537BD57F4E352D7CDEA5852D447A507E0F749.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.226] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RtSigs", cAlternateFileName="")) returned 1 [0083.226] lstrcmpiW (lpString1="RtSigs", lpString2="Windows") returned -1 [0083.226] lstrcmpiW (lpString1="RtSigs", lpString2="$Recycle.bin") returned 1 [0083.226] lstrcmpiW (lpString1="RtSigs", lpString2="System Volume Information") returned -1 [0083.226] lstrcmpiW (lpString1="RtSigs", lpString2="Program Files") returned 1 [0083.226] lstrcmpiW (lpString1="RtSigs", lpString2="Program Files (x86)") returned 1 [0083.226] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs") returned 62 [0083.226] lstrcmpW (lpString1="RtSigs", lpString2=".") returned 1 [0083.226] lstrcmpW (lpString1="RtSigs", lpString2="..") returned 1 [0083.227] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.227] GetProcessHeap () returned 0x3a00000 [0083.227] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.227] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*") returned 64 [0083.227] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.227] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.227] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.227] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.227] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.227] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.227] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\.") returned 64 [0083.227] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.227] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.227] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.227] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.227] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.227] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.227] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.227] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\..") returned 65 [0083.227] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.227] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.227] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89ba1fb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.227] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.227] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.227] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.227] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.227] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.227] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0083.228] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.228] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.228] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 1 [0083.228] lstrcmpiW (lpString1="Data", lpString2="Windows") returned -1 [0083.228] lstrcmpiW (lpString1="Data", lpString2="$Recycle.bin") returned 1 [0083.228] lstrcmpiW (lpString1="Data", lpString2="System Volume Information") returned -1 [0083.228] lstrcmpiW (lpString1="Data", lpString2="Program Files") returned -1 [0083.228] lstrcmpiW (lpString1="Data", lpString2="Program Files (x86)") returned -1 [0083.228] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data") returned 67 [0083.228] lstrcmpW (lpString1="Data", lpString2=".") returned 1 [0083.228] lstrcmpW (lpString1="Data", lpString2="..") returned 1 [0083.228] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.228] GetProcessHeap () returned 0x3a00000 [0083.228] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.228] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*") returned 69 [0083.228] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0083.228] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.228] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.228] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.228] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.228] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.228] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\.") returned 69 [0083.228] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.228] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.228] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.228] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.228] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.228] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.229] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.229] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\..") returned 70 [0083.229] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.229] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.229] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89ba1fb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.229] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.229] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.229] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.229] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.229] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.229] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.229] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.229] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.229] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf89ba1fb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf89ba1fb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf89ba1fb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.229] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0083.229] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.229] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\rtsigs\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.230] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.231] CloseHandle (hObject=0x440) returned 1 [0083.231] GetProcessHeap () returned 0x3a00000 [0083.231] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.231] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fafccda, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a8e638, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2fafccda, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Data", cAlternateFileName="")) returned 0 [0083.231] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.231] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0083.231] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\RtSigs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\rtsigs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.232] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.233] CloseHandle (hObject=0x43c) returned 1 [0083.233] GetProcessHeap () returned 0x3a00000 [0083.233] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.233] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2fad6a80, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xc2a35fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xac709f73, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="RtSigs", cAlternateFileName="")) returned 0 [0083.233] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0083.233] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0083.233] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Scans\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\scans\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.249] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.250] CloseHandle (hObject=0x438) returned 1 [0083.250] GetProcessHeap () returned 0x3a00000 [0083.250] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.250] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 1 [0083.250] lstrcmpiW (lpString1="Support", lpString2="Windows") returned -1 [0083.250] lstrcmpiW (lpString1="Support", lpString2="$Recycle.bin") returned 1 [0083.250] lstrcmpiW (lpString1="Support", lpString2="System Volume Information") returned -1 [0083.250] lstrcmpiW (lpString1="Support", lpString2="Program Files") returned 1 [0083.250] lstrcmpiW (lpString1="Support", lpString2="Program Files (x86)") returned 1 [0083.250] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support") returned 57 [0083.250] lstrcmpW (lpString1="Support", lpString2=".") returned 1 [0083.250] lstrcmpW (lpString1="Support", lpString2="..") returned 1 [0083.250] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.250] GetProcessHeap () returned 0x3a00000 [0083.250] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.250] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*") returned 59 [0083.251] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.251] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.251] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.251] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.251] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.251] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\.") returned 59 [0083.251] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.251] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.251] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.251] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.251] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.251] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.251] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\..") returned 60 [0083.251] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.251] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.251] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.251] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.251] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0083.252] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.252] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.252] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.252] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.252] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0083.252] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\Support\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\support\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.253] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.254] CloseHandle (hObject=0x438) returned 1 [0083.254] GetProcessHeap () returned 0x3a00000 [0083.254] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.254] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc0597ac7, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc0597ac7, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Support", cAlternateFileName="")) returned 0 [0083.254] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0083.254] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0083.254] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.255] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.256] CloseHandle (hObject=0x434) returned 1 [0083.256] GetProcessHeap () returned 0x3a00000 [0083.256] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.256] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Defender Advanced Threat Protection", cAlternateFileName="WIF4A9~1")) returned 1 [0083.256] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Windows") returned 1 [0083.256] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="$Recycle.bin") returned 1 [0083.256] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="System Volume Information") returned 1 [0083.256] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Program Files") returned 1 [0083.256] lstrcmpiW (lpString1="Windows Defender Advanced Threat Protection", lpString2="Program Files (x86)") returned 1 [0083.256] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection") returned 76 [0083.256] lstrcmpW (lpString1="Windows Defender Advanced Threat Protection", lpString2=".") returned 1 [0083.256] lstrcmpW (lpString1="Windows Defender Advanced Threat Protection", lpString2="..") returned 1 [0083.256] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.256] GetProcessHeap () returned 0x3a00000 [0083.256] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.256] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\*") returned 78 [0083.256] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0083.256] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.256] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.256] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.256] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.256] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.256] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\.") returned 78 [0083.256] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.256] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a90a48, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.257] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.257] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.257] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.257] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.257] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.257] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\..") returned 79 [0083.257] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.257] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.257] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.257] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.257] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.257] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.257] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.257] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.257] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.257] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.257] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.257] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a9166d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0083.257] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0083.257] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0083.257] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0083.257] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0083.257] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0083.257] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache") returned 82 [0083.257] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0083.257] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0083.257] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.257] GetProcessHeap () returned 0x3a00000 [0083.257] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.257] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache\\*") returned 84 [0083.257] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Cache\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x65af0c8, ftLastAccessTime.dwLowDateTime=0x3a29908, ftLastAccessTime.dwHighDateTime=0x2020e, ftLastWriteTime.dwLowDateTime=0xffffd459, ftLastWriteTime.dwHighDateTime=0x65af160, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="\x05", cAlternateFileName="叨Φ￿￿扨@￿￿叨Φ\x05")) returned 0xffffffff [0083.258] GetProcessHeap () returned 0x3a00000 [0083.258] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.258] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0083.258] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0083.258] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0083.258] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0083.258] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0083.258] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0083.258] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp") returned 81 [0083.258] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0083.258] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0083.258] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.258] GetProcessHeap () returned 0x3a00000 [0083.258] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.258] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\*") returned 83 [0083.258] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.258] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.258] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.258] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.258] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.258] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.258] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\.") returned 83 [0083.258] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.258] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.258] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.258] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.259] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.259] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.259] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\..") returned 84 [0083.259] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.259] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.259] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.259] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.259] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.259] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.259] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.259] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 113 [0083.259] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.259] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.259] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a78e87, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a78e87, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a78e87, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.259] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.259] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 113 [0083.259] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender advanced threat protection\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.260] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.261] CloseHandle (hObject=0x438) returned 1 [0083.261] GetProcessHeap () returned 0x3a00000 [0083.261] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.261] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2a91ebd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6d9d2c8, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 0 [0083.261] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0083.261] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.261] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Defender Advanced Threat Protection\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows defender advanced threat protection\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.262] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.263] CloseHandle (hObject=0x434) returned 1 [0083.263] GetProcessHeap () returned 0x3a00000 [0083.263] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.263] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Live", cAlternateFileName="WINDOW~2")) returned 1 [0083.263] lstrcmpiW (lpString1="Windows Live", lpString2="Windows") returned 1 [0083.263] lstrcmpiW (lpString1="Windows Live", lpString2="$Recycle.bin") returned 1 [0083.263] lstrcmpiW (lpString1="Windows Live", lpString2="System Volume Information") returned 1 [0083.263] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files") returned 1 [0083.263] lstrcmpiW (lpString1="Windows Live", lpString2="Program Files (x86)") returned 1 [0083.263] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live") returned 45 [0083.263] lstrcmpW (lpString1="Windows Live", lpString2=".") returned 1 [0083.263] lstrcmpW (lpString1="Windows Live", lpString2="..") returned 1 [0083.263] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.263] GetProcessHeap () returned 0x3a00000 [0083.263] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.263] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*") returned 47 [0083.263] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0083.263] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.263] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.263] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.264] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.264] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\.") returned 47 [0083.264] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.264] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.264] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.264] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.264] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.264] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.264] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\..") returned 48 [0083.264] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.264] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.264] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a9f5d4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.264] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.264] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.264] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.264] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.264] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0083.264] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.264] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.264] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a996721, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WLive48x48.png_r00t_{8ew5f6}.ebal", cAlternateFileName="WLIVE4~1.EBA")) returned 1 [0083.264] lstrcmpiW (lpString1="WLive48x48.png_r00t_{8ew5f6}.ebal", lpString2="Windows") returned 1 [0083.264] lstrcmpiW (lpString1="WLive48x48.png_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.264] lstrcmpiW (lpString1="WLive48x48.png_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.264] lstrcmpiW (lpString1="WLive48x48.png_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.264] lstrcmpiW (lpString1="WLive48x48.png_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.264] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\WLive48x48.png_r00t_{8ew5f6}.ebal") returned 79 [0083.264] StrStrIW (lpFirst="WLive48x48.png_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.264] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a996721, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x15b5, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WLive48x48.png_r00t_{8ew5f6}.ebal", cAlternateFileName="WLIVE4~1.EBA")) returned 0 [0083.269] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0083.269] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0083.269] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Live\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows live\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.270] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.271] CloseHandle (hObject=0x434) returned 1 [0083.271] GetProcessHeap () returned 0x3a00000 [0083.271] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.271] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows NT", cAlternateFileName="WINDOW~3")) returned 1 [0083.271] lstrcmpiW (lpString1="Windows NT", lpString2="Windows") returned 1 [0083.271] lstrcmpiW (lpString1="Windows NT", lpString2="$Recycle.bin") returned 1 [0083.271] lstrcmpiW (lpString1="Windows NT", lpString2="System Volume Information") returned 1 [0083.271] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files") returned 1 [0083.271] lstrcmpiW (lpString1="Windows NT", lpString2="Program Files (x86)") returned 1 [0083.271] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT") returned 43 [0083.271] lstrcmpW (lpString1="Windows NT", lpString2=".") returned 1 [0083.271] lstrcmpW (lpString1="Windows NT", lpString2="..") returned 1 [0083.272] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.272] GetProcessHeap () returned 0x3a00000 [0083.272] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*") returned 45 [0083.272] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.272] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.272] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.272] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.272] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.272] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\.") returned 45 [0083.272] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.272] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2a93496, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.272] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.272] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.272] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.272] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.272] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\..") returned 46 [0083.272] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.272] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.272] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9217b36, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9217b36, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.272] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.272] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.272] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.272] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.272] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.272] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.273] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.273] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.273] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb2396478, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSFax", cAlternateFileName="")) returned 1 [0083.273] lstrcmpiW (lpString1="MSFax", lpString2="Windows") returned -1 [0083.273] lstrcmpiW (lpString1="MSFax", lpString2="$Recycle.bin") returned 1 [0083.273] lstrcmpiW (lpString1="MSFax", lpString2="System Volume Information") returned -1 [0083.273] lstrcmpiW (lpString1="MSFax", lpString2="Program Files") returned -1 [0083.273] lstrcmpiW (lpString1="MSFax", lpString2="Program Files (x86)") returned -1 [0083.273] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax") returned 49 [0083.273] lstrcmpW (lpString1="MSFax", lpString2=".") returned 1 [0083.273] lstrcmpW (lpString1="MSFax", lpString2="..") returned 1 [0083.273] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.273] GetProcessHeap () returned 0x3a00000 [0083.273] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.273] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*") returned 51 [0083.273] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0083.273] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.273] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.273] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.273] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.273] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.273] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\.") returned 51 [0083.273] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.273] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb2396478, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.273] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.273] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.273] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.273] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.274] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.274] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\..") returned 52 [0083.274] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.274] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.274] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9217b36, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9217b36, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.274] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.274] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.274] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.274] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.274] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.274] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0083.274] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.274] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.274] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ActivityLog", cAlternateFileName="ACTIVI~1")) returned 1 [0083.274] lstrcmpiW (lpString1="ActivityLog", lpString2="Windows") returned -1 [0083.274] lstrcmpiW (lpString1="ActivityLog", lpString2="$Recycle.bin") returned 1 [0083.274] lstrcmpiW (lpString1="ActivityLog", lpString2="System Volume Information") returned -1 [0083.274] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files") returned -1 [0083.274] lstrcmpiW (lpString1="ActivityLog", lpString2="Program Files (x86)") returned -1 [0083.274] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog") returned 61 [0083.274] lstrcmpW (lpString1="ActivityLog", lpString2=".") returned 1 [0083.274] lstrcmpW (lpString1="ActivityLog", lpString2="..") returned 1 [0083.274] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.274] GetProcessHeap () returned 0x3a00000 [0083.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.274] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*") returned 63 [0083.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0083.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.275] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.275] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.275] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.275] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\.") returned 63 [0083.275] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.275] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b08c11, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.275] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\..") returned 64 [0083.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.275] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a9f5d4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.275] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.275] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.275] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.275] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.275] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.275] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.275] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.275] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.275] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8a9f5d4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8a9f5d4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8a9f5d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.275] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0083.275] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\ActivityLog\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\activitylog\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.276] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.277] CloseHandle (hObject=0x43c) returned 1 [0083.277] GetProcessHeap () returned 0x3a00000 [0083.277] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.277] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Common Coverpages", cAlternateFileName="COMMON~1")) returned 1 [0083.277] lstrcmpiW (lpString1="Common Coverpages", lpString2="Windows") returned -1 [0083.277] lstrcmpiW (lpString1="Common Coverpages", lpString2="$Recycle.bin") returned 1 [0083.277] lstrcmpiW (lpString1="Common Coverpages", lpString2="System Volume Information") returned -1 [0083.277] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files") returned -1 [0083.277] lstrcmpiW (lpString1="Common Coverpages", lpString2="Program Files (x86)") returned -1 [0083.277] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages") returned 67 [0083.278] lstrcmpW (lpString1="Common Coverpages", lpString2=".") returned 1 [0083.278] lstrcmpW (lpString1="Common Coverpages", lpString2="..") returned 1 [0083.278] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.278] GetProcessHeap () returned 0x3a00000 [0083.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.278] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*") returned 69 [0083.278] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.278] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.278] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.278] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.278] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.278] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.278] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\.") returned 69 [0083.278] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.278] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0960f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.278] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.278] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.278] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.278] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.278] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.278] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\..") returned 70 [0083.278] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.278] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.278] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8ac520a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8ac520a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.278] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.279] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.279] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.279] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.279] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.279] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.279] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.279] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.279] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0083.279] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0083.279] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0083.279] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0083.279] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0083.279] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0083.279] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US") returned 73 [0083.279] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0083.279] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0083.279] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.279] GetProcessHeap () returned 0x3a00000 [0083.279] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.279] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*") returned 75 [0083.279] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.279] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.279] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.279] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.279] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.279] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.279] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\.") returned 75 [0083.279] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.279] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.280] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.280] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.280] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.280] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.280] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.280] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\..") returned 76 [0083.280] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.280] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.280] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf8ac520a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf8ac520a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf8ac520a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.280] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.280] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.280] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.280] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.280] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.280] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 105 [0083.280] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.280] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.280] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x28aa, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="confident.cov", cAlternateFileName="")) returned 1 [0083.280] lstrcmpiW (lpString1="confident.cov", lpString2="Windows") returned -1 [0083.280] lstrcmpiW (lpString1="confident.cov", lpString2="$Recycle.bin") returned 1 [0083.280] lstrcmpiW (lpString1="confident.cov", lpString2="System Volume Information") returned -1 [0083.280] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files") returned -1 [0083.280] lstrcmpiW (lpString1="confident.cov", lpString2="Program Files (x86)") returned -1 [0083.280] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov") returned 87 [0083.281] StrStrIW (lpFirst="confident.cov", lpSrch=".ebal") returned 0x0 [0083.281] lstrcmpW (lpString1="confident.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.281] lstrcmpW (lpString1="confident.cov", lpString2="taridd") returned -1 [0083.281] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\confident.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\confident.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.281] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2a09, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="fyi.cov", cAlternateFileName="")) returned 1 [0083.281] lstrcmpiW (lpString1="fyi.cov", lpString2="Windows") returned -1 [0083.281] lstrcmpiW (lpString1="fyi.cov", lpString2="$Recycle.bin") returned 1 [0083.281] lstrcmpiW (lpString1="fyi.cov", lpString2="System Volume Information") returned -1 [0083.281] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files") returned -1 [0083.281] lstrcmpiW (lpString1="fyi.cov", lpString2="Program Files (x86)") returned -1 [0083.281] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov") returned 81 [0083.281] StrStrIW (lpFirst="fyi.cov", lpSrch=".ebal") returned 0x0 [0083.281] lstrcmpW (lpString1="fyi.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.281] lstrcmpW (lpString1="fyi.cov", lpString2="taridd") returned -1 [0083.281] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.281] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\fyi.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\fyi.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.281] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x3aa0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="generic.cov", cAlternateFileName="")) returned 1 [0083.281] lstrcmpiW (lpString1="generic.cov", lpString2="Windows") returned -1 [0083.281] lstrcmpiW (lpString1="generic.cov", lpString2="$Recycle.bin") returned 1 [0083.281] lstrcmpiW (lpString1="generic.cov", lpString2="System Volume Information") returned -1 [0083.281] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files") returned -1 [0083.281] lstrcmpiW (lpString1="generic.cov", lpString2="Program Files (x86)") returned -1 [0083.282] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov") returned 85 [0083.282] StrStrIW (lpFirst="generic.cov", lpSrch=".ebal") returned 0x0 [0083.282] lstrcmpW (lpString1="generic.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.282] lstrcmpW (lpString1="generic.cov", lpString2="taridd") returned -1 [0083.282] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\generic.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\generic.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.282] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="urgent.cov", cAlternateFileName="")) returned 1 [0083.282] lstrcmpiW (lpString1="urgent.cov", lpString2="Windows") returned -1 [0083.282] lstrcmpiW (lpString1="urgent.cov", lpString2="$Recycle.bin") returned 1 [0083.282] lstrcmpiW (lpString1="urgent.cov", lpString2="System Volume Information") returned 1 [0083.282] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files") returned 1 [0083.282] lstrcmpiW (lpString1="urgent.cov", lpString2="Program Files (x86)") returned 1 [0083.282] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov") returned 84 [0083.282] StrStrIW (lpFirst="urgent.cov", lpSrch=".ebal") returned 0x0 [0083.282] lstrcmpW (lpString1="urgent.cov", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.282] lstrcmpW (lpString1="urgent.cov", lpString2="taridd") returned 1 [0083.282] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\urgent.cov" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\urgent.cov"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.282] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af4c607, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x2886, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="urgent.cov", cAlternateFileName="")) returned 0 [0083.282] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.282] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 105 [0083.282] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.283] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.284] CloseHandle (hObject=0x440) returned 1 [0083.284] GetProcessHeap () returned 0x3a00000 [0083.284] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.284] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd313219, ftCreationTime.dwHighDateTime=0x1d112f1, ftLastAccessTime.dwLowDateTime=0xc2b0a072, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xbd313219, ftLastWriteTime.dwHighDateTime=0x1d112f1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0083.284] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.284] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 99 [0083.284] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Common Coverpages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\common coverpages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.285] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.286] CloseHandle (hObject=0x43c) returned 1 [0083.286] GetProcessHeap () returned 0x3a00000 [0083.286] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.286] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Inbox", cAlternateFileName="")) returned 1 [0083.286] lstrcmpiW (lpString1="Inbox", lpString2="Windows") returned -1 [0083.286] lstrcmpiW (lpString1="Inbox", lpString2="$Recycle.bin") returned 1 [0083.286] lstrcmpiW (lpString1="Inbox", lpString2="System Volume Information") returned -1 [0083.286] lstrcmpiW (lpString1="Inbox", lpString2="Program Files") returned -1 [0083.286] lstrcmpiW (lpString1="Inbox", lpString2="Program Files (x86)") returned -1 [0083.286] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox") returned 55 [0083.286] lstrcmpW (lpString1="Inbox", lpString2=".") returned 1 [0083.286] lstrcmpW (lpString1="Inbox", lpString2="..") returned 1 [0083.286] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.286] GetProcessHeap () returned 0x3a00000 [0083.286] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.286] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*") returned 57 [0083.286] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91cb080, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0083.287] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.287] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.287] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.287] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.287] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\.") returned 57 [0083.287] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.287] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0ac24, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91cb080, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.287] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.287] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.287] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.287] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.287] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\..") returned 58 [0083.287] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.287] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.287] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91cb080, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91cb080, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.287] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.287] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0083.287] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.287] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.287] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91cb080, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91cb080, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.287] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0083.288] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0083.288] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Inbox\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\inbox\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.288] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.289] CloseHandle (hObject=0x43c) returned 1 [0083.289] GetProcessHeap () returned 0x3a00000 [0083.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.289] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Queue", cAlternateFileName="")) returned 1 [0083.289] lstrcmpiW (lpString1="Queue", lpString2="Windows") returned -1 [0083.289] lstrcmpiW (lpString1="Queue", lpString2="$Recycle.bin") returned 1 [0083.289] lstrcmpiW (lpString1="Queue", lpString2="System Volume Information") returned -1 [0083.289] lstrcmpiW (lpString1="Queue", lpString2="Program Files") returned 1 [0083.289] lstrcmpiW (lpString1="Queue", lpString2="Program Files (x86)") returned 1 [0083.290] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue") returned 55 [0083.290] lstrcmpW (lpString1="Queue", lpString2=".") returned 1 [0083.290] lstrcmpW (lpString1="Queue", lpString2="..") returned 1 [0083.290] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.290] GetProcessHeap () returned 0x3a00000 [0083.290] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.290] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*") returned 57 [0083.290] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.290] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.290] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.290] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.290] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.290] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.290] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\.") returned 57 [0083.290] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.290] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0b3ba, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.290] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.290] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.290] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.290] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.290] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.290] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\..") returned 58 [0083.290] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.290] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.290] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.290] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.290] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.290] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.290] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.291] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.291] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0083.291] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.291] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.291] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.291] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.291] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 87 [0083.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.292] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.303] CloseHandle (hObject=0x43c) returned 1 [0083.303] GetProcessHeap () returned 0x3a00000 [0083.303] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.303] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Queue_Migrated", cAlternateFileName="")) returned 1 [0083.303] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Windows") returned -1 [0083.303] lstrcmpiW (lpString1="Queue_Migrated", lpString2="$Recycle.bin") returned 1 [0083.304] lstrcmpiW (lpString1="Queue_Migrated", lpString2="System Volume Information") returned -1 [0083.304] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Program Files") returned 1 [0083.304] lstrcmpiW (lpString1="Queue_Migrated", lpString2="Program Files (x86)") returned 1 [0083.304] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated") returned 64 [0083.304] lstrcmpW (lpString1="Queue_Migrated", lpString2=".") returned 1 [0083.304] lstrcmpW (lpString1="Queue_Migrated", lpString2="..") returned 1 [0083.304] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.304] GetProcessHeap () returned 0x3a00000 [0083.304] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.304] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\*") returned 66 [0083.304] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.304] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.304] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.304] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.304] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.304] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.304] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\.") returned 66 [0083.304] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.304] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0bae7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.304] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.304] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.304] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.304] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.304] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.304] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\..") returned 67 [0083.305] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.305] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.305] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.305] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.305] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.305] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.305] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.305] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.305] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0083.305] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.305] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.305] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.305] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.305] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0083.305] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\Queue_Migrated\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\queue_migrated\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.306] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.307] CloseHandle (hObject=0x43c) returned 1 [0083.307] GetProcessHeap () returned 0x3a00000 [0083.307] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.307] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd78854, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SentItems", cAlternateFileName="SENTIT~1")) returned 1 [0083.307] lstrcmpiW (lpString1="SentItems", lpString2="Windows") returned -1 [0083.307] lstrcmpiW (lpString1="SentItems", lpString2="$Recycle.bin") returned 1 [0083.307] lstrcmpiW (lpString1="SentItems", lpString2="System Volume Information") returned -1 [0083.307] lstrcmpiW (lpString1="SentItems", lpString2="Program Files") returned 1 [0083.307] lstrcmpiW (lpString1="SentItems", lpString2="Program Files (x86)") returned 1 [0083.307] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems") returned 59 [0083.307] lstrcmpW (lpString1="SentItems", lpString2=".") returned 1 [0083.307] lstrcmpW (lpString1="SentItems", lpString2="..") returned 1 [0083.307] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.307] GetProcessHeap () returned 0x3a00000 [0083.307] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.307] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*") returned 61 [0083.307] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0083.307] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.307] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.307] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.308] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.308] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.308] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\.") returned 61 [0083.308] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.308] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd78854, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc2b0c408, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf91f21ce, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.308] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.308] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.308] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.308] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.308] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.308] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\..") returned 62 [0083.308] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.308] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.308] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.308] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.308] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.308] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.308] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.308] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.308] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0083.308] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.308] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.308] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf91f21ce, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf91f21ce, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.308] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0083.308] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 91 [0083.308] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\SentItems\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\sentitems\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.309] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.310] CloseHandle (hObject=0x43c) returned 1 [0083.310] GetProcessHeap () returned 0x3a00000 [0083.310] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.310] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 1 [0083.310] lstrcmpiW (lpString1="VirtualInbox", lpString2="Windows") returned -1 [0083.310] lstrcmpiW (lpString1="VirtualInbox", lpString2="$Recycle.bin") returned 1 [0083.310] lstrcmpiW (lpString1="VirtualInbox", lpString2="System Volume Information") returned 1 [0083.310] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files") returned 1 [0083.310] lstrcmpiW (lpString1="VirtualInbox", lpString2="Program Files (x86)") returned 1 [0083.310] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox") returned 62 [0083.310] lstrcmpW (lpString1="VirtualInbox", lpString2=".") returned 1 [0083.310] lstrcmpW (lpString1="VirtualInbox", lpString2="..") returned 1 [0083.310] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.310] GetProcessHeap () returned 0x3a00000 [0083.310] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.310] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*") returned 64 [0083.311] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0083.311] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.311] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.311] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.311] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.311] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.311] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\.") returned 64 [0083.311] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.311] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.311] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.311] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.311] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.311] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.311] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.311] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\..") returned 65 [0083.311] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.311] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.311] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9217b36, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9217b36, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.311] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.311] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.311] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.311] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.311] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.311] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0083.331] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.331] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.331] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 1 [0083.331] lstrcmpiW (lpString1="en-US", lpString2="Windows") returned -1 [0083.331] lstrcmpiW (lpString1="en-US", lpString2="$Recycle.bin") returned 1 [0083.335] lstrcmpiW (lpString1="en-US", lpString2="System Volume Information") returned -1 [0083.348] lstrcmpiW (lpString1="en-US", lpString2="Program Files") returned -1 [0083.348] lstrcmpiW (lpString1="en-US", lpString2="Program Files (x86)") returned -1 [0083.348] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US") returned 68 [0083.348] lstrcmpW (lpString1="en-US", lpString2=".") returned 1 [0083.348] lstrcmpW (lpString1="en-US", lpString2="..") returned 1 [0083.348] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.348] GetProcessHeap () returned 0x3a00000 [0083.348] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.348] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*") returned 70 [0083.348] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.349] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.349] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.349] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.349] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.349] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.349] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\.") returned 70 [0083.349] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.349] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.349] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.349] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.349] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.349] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.349] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.349] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\..") returned 71 [0083.349] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.349] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.349] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9217b36, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9217b36, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.349] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.349] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.349] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.349] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.349] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.349] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0083.349] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.349] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.349] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af00150, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 1 [0083.349] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Windows") returned -1 [0083.349] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="$Recycle.bin") returned 1 [0083.349] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="System Volume Information") returned 1 [0083.349] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files") returned 1 [0083.349] lstrcmpiW (lpString1="WelcomeFax.tif", lpString2="Program Files (x86)") returned 1 [0083.350] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif") returned 83 [0083.350] StrStrIW (lpFirst="WelcomeFax.tif", lpSrch=".ebal") returned 0x0 [0083.350] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.350] lstrcmpW (lpString1="WelcomeFax.tif", lpString2="taridd") returned 1 [0083.350] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\WelcomeFax.tif" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\welcomefax.tif"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.350] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3af00150, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x7d5f3279, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0x43ba1000, ftLastWriteTime.dwHighDateTime=0x1d283cc, nFileSizeHigh=0x0, nFileSizeLow=0x15dbe, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeFax.tif", cAlternateFileName="")) returned 0 [0083.350] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.350] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0083.350] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\en-US\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\en-us\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.351] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.352] CloseHandle (hObject=0x440) returned 1 [0083.352] GetProcessHeap () returned 0x3a00000 [0083.352] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.352] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b2a1d79, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc2b0d815, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="en-US", cAlternateFileName="")) returned 0 [0083.352] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0083.352] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 94 [0083.352] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\VirtualInbox\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\virtualinbox\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.353] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.354] CloseHandle (hObject=0x43c) returned 1 [0083.354] GetProcessHeap () returned 0x3a00000 [0083.354] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.354] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ccc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2a1d79, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VirtualInbox", cAlternateFileName="VIRTUA~1")) returned 0 [0083.354] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0083.354] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0083.354] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSFax\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msfax\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.355] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.355] CloseHandle (hObject=0x438) returned 1 [0083.356] GetProcessHeap () returned 0x3a00000 [0083.356] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.356] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSScan", cAlternateFileName="")) returned 1 [0083.356] lstrcmpiW (lpString1="MSScan", lpString2="Windows") returned -1 [0083.356] lstrcmpiW (lpString1="MSScan", lpString2="$Recycle.bin") returned 1 [0083.356] lstrcmpiW (lpString1="MSScan", lpString2="System Volume Information") returned -1 [0083.356] lstrcmpiW (lpString1="MSScan", lpString2="Program Files") returned -1 [0083.356] lstrcmpiW (lpString1="MSScan", lpString2="Program Files (x86)") returned -1 [0083.356] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan") returned 50 [0083.356] lstrcmpW (lpString1="MSScan", lpString2=".") returned 1 [0083.356] lstrcmpW (lpString1="MSScan", lpString2="..") returned 1 [0083.356] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.356] GetProcessHeap () returned 0x3a00000 [0083.356] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.356] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*") returned 52 [0083.356] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0083.356] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.356] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.356] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.356] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.356] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.356] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\.") returned 52 [0083.356] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.356] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.356] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.356] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.356] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.356] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.357] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.357] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\..") returned 53 [0083.357] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.357] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.357] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9217b36, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9217b36, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9217b36, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.357] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.357] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.357] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.357] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.357] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.357] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0083.357] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.357] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.357] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d027e99, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9d027e99, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9d04e0f0, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 1 [0083.357] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Windows") returned -1 [0083.357] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="$Recycle.bin") returned 1 [0083.357] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="System Volume Information") returned 1 [0083.357] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files") returned 1 [0083.357] lstrcmpiW (lpString1="WelcomeScan.jpg", lpString2="Program Files (x86)") returned 1 [0083.357] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg") returned 66 [0083.357] StrStrIW (lpFirst="WelcomeScan.jpg", lpSrch=".ebal") returned 0x0 [0083.357] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.357] lstrcmpW (lpString1="WelcomeScan.jpg", lpString2="taridd") returned 1 [0083.357] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.357] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\WelcomeScan.jpg" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\welcomescan.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.357] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9d027e99, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9d027e99, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9d04e0f0, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7e148, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WelcomeScan.jpg", cAlternateFileName="")) returned 0 [0083.357] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0083.357] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0083.358] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\MSScan\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\msscan\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.359] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.359] CloseHandle (hObject=0x438) returned 1 [0083.359] GetProcessHeap () returned 0x3a00000 [0083.359] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.359] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0e356, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a996721, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="MSScan", cAlternateFileName="")) returned 0 [0083.360] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.360] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.360] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows NT\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows nt\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.360] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.361] CloseHandle (hObject=0x434) returned 1 [0083.361] GetProcessHeap () returned 0x3a00000 [0083.361] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.361] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Security Health", cAlternateFileName="WINDOW~4")) returned 1 [0083.361] lstrcmpiW (lpString1="Windows Security Health", lpString2="Windows") returned 1 [0083.361] lstrcmpiW (lpString1="Windows Security Health", lpString2="$Recycle.bin") returned 1 [0083.361] lstrcmpiW (lpString1="Windows Security Health", lpString2="System Volume Information") returned 1 [0083.361] lstrcmpiW (lpString1="Windows Security Health", lpString2="Program Files") returned 1 [0083.361] lstrcmpiW (lpString1="Windows Security Health", lpString2="Program Files (x86)") returned 1 [0083.361] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health") returned 56 [0083.362] lstrcmpW (lpString1="Windows Security Health", lpString2=".") returned 1 [0083.362] lstrcmpW (lpString1="Windows Security Health", lpString2="..") returned 1 [0083.362] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.362] GetProcessHeap () returned 0x3a00000 [0083.362] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.362] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\*") returned 58 [0083.362] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf988d850, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0083.362] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.362] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.362] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.362] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.362] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.362] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\.") returned 58 [0083.362] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.362] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0ef6b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf988d850, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.362] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.362] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.362] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.362] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.362] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.362] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\..") returned 59 [0083.362] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.362] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.362] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf985a952, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf985a952, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.362] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.362] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.362] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.362] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.362] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.362] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0083.363] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.363] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.363] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Health Advisor", cAlternateFileName="HEALTH~1")) returned 1 [0083.363] lstrcmpiW (lpString1="Health Advisor", lpString2="Windows") returned -1 [0083.363] lstrcmpiW (lpString1="Health Advisor", lpString2="$Recycle.bin") returned 1 [0083.363] lstrcmpiW (lpString1="Health Advisor", lpString2="System Volume Information") returned -1 [0083.363] lstrcmpiW (lpString1="Health Advisor", lpString2="Program Files") returned -1 [0083.363] lstrcmpiW (lpString1="Health Advisor", lpString2="Program Files (x86)") returned -1 [0083.363] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor") returned 71 [0083.363] lstrcmpW (lpString1="Health Advisor", lpString2=".") returned 1 [0083.363] lstrcmpW (lpString1="Health Advisor", lpString2="..") returned 1 [0083.363] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.363] GetProcessHeap () returned 0x3a00000 [0083.363] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.363] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\*") returned 73 [0083.363] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.363] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.363] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.363] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.363] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.363] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.363] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\.") returned 73 [0083.363] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.363] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.363] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.363] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.363] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.363] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.364] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.364] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\..") returned 74 [0083.364] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.364] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.364] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2b0fb9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.364] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.364] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 103 [0083.364] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Health Advisor\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows security health\\health advisor\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.364] GetProcessHeap () returned 0x3a00000 [0083.364] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.364] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf983361b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf983361b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0083.364] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0083.364] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0083.364] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0083.364] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0083.364] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0083.364] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs") returned 61 [0083.364] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0083.364] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0083.364] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.364] GetProcessHeap () returned 0x3a00000 [0083.364] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.364] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\*") returned 63 [0083.364] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf983361b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf985a952, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.365] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.365] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.365] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.365] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.365] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.365] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\.") returned 63 [0083.365] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.365] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf983361b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf985a952, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.365] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.365] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.365] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.365] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.365] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.365] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\..") returned 64 [0083.365] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.365] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.365] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf985a952, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf985a952, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf985a952, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.365] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.365] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.365] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.365] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.365] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.365] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.365] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.365] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.365] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7bbd978f, ftCreationTime.dwHighDateTime=0x1d38c3f, ftLastAccessTime.dwLowDateTime=0x7bbd978f, ftLastAccessTime.dwHighDateTime=0x1d38c3f, ftLastWriteTime.dwLowDateTime=0xf923d79a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-01~1.EBA")) returned 1 [0083.365] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.365] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.365] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.365] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.365] lstrcmpiW (lpString1="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.366] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.366] StrStrIW (lpFirst="SHS-01132018-082401-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.366] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x29ac15be, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x29ac15be, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xf9453848, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-01~2.EBA")) returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.366] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.366] StrStrIW (lpFirst="SHS-01132018-085021-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.366] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb863810c, ftCreationTime.dwHighDateTime=0x1d4ae7b, ftLastAccessTime.dwLowDateTime=0xb863810c, ftLastAccessTime.dwHighDateTime=0x1d4ae7b, ftLastWriteTime.dwLowDateTime=0xf9479a3f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-01~3.EBA")) returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.366] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.366] StrStrIW (lpFirst="SHS-01172019-164549-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.366] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf94c6396, ftCreationTime.dwHighDateTime=0x1d39f5a, ftLastAccessTime.dwLowDateTime=0xf94c6396, ftLastAccessTime.dwHighDateTime=0x1d39f5a, ftLastWriteTime.dwLowDateTime=0xf9479a3f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-02~1.EBA")) returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.366] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.366] StrStrIW (lpFirst="SHS-02062018-155840-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.366] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb28f34a3, ftCreationTime.dwHighDateTime=0x1d39f5c, ftLastAccessTime.dwLowDateTime=0xb28f34a3, ftLastAccessTime.dwHighDateTime=0x1d39f5c, ftLastWriteTime.dwLowDateTime=0xf9479a3f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-02~2.EBA")) returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.366] lstrcmpiW (lpString1="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.366] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.367] StrStrIW (lpFirst="SHS-02062018-161100-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.367] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xee7ecabd, ftCreationTime.dwHighDateTime=0x1d39f5e, ftLastAccessTime.dwLowDateTime=0xee7ecabd, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xf9479a3f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-02~3.EBA")) returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.367] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.367] StrStrIW (lpFirst="SHS-02062018-162700-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.367] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7a075c31, ftCreationTime.dwHighDateTime=0x1d3aafb, ftLastAccessTime.dwLowDateTime=0x7a075c31, ftLastAccessTime.dwHighDateTime=0x1d3aafb, ftLastWriteTime.dwLowDateTime=0xf949fda0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-02~4.EBA")) returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.367] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.367] StrStrIW (lpFirst="SHS-02212018-110518-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.367] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x19a4d06c, ftCreationTime.dwHighDateTime=0x1d4d5d0, ftLastAccessTime.dwLowDateTime=0x19a4d06c, ftLastAccessTime.dwHighDateTime=0x1d4d5d0, ftLastWriteTime.dwLowDateTime=0xf949fda0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-03~1.EBA")) returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.367] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.367] StrStrIW (lpFirst="SHS-03082019-175806-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.367] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xcadfed41, ftCreationTime.dwHighDateTime=0x1d4d5d2, ftLastAccessTime.dwLowDateTime=0xcadfed41, ftLastAccessTime.dwHighDateTime=0x1d4d5d2, ftLastWriteTime.dwLowDateTime=0xf94c6071, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-03~2.EBA")) returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.367] lstrcmpiW (lpString1="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.367] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.368] StrStrIW (lpFirst="SHS-03082019-181722-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.368] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xb32cf2c, ftCreationTime.dwHighDateTime=0x1d4d600, ftLastAccessTime.dwLowDateTime=0xb32cf2c, ftLastAccessTime.dwHighDateTime=0x1d4d600, ftLastWriteTime.dwLowDateTime=0xb32cf2c, ftLastWriteTime.dwHighDateTime=0x1d4d600, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SHS-03~3.BIN")) returned 1 [0083.368] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0083.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-03082019-234117-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 130 [0083.368] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6e95e484, ftCreationTime.dwHighDateTime=0x1d41dc3, ftLastAccessTime.dwLowDateTime=0x6e95e484, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xf9538770, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-07~1.EBA")) returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.368] StrStrIW (lpFirst="SHS-07172018-134351-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.368] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc3f8b81, ftCreationTime.dwHighDateTime=0x1d41dc5, ftLastAccessTime.dwLowDateTime=0xc3f8b81, ftLastAccessTime.dwHighDateTime=0x1d41dc5, ftLastWriteTime.dwLowDateTime=0xf9538770, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-07~2.EBA")) returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.368] StrStrIW (lpFirst="SHS-07172018-135525-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.368] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88c78932, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x88c78932, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0xf955e973, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-09~1.EBA")) returned 1 [0083.368] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.368] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.368] lstrcmpiW (lpString1="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.368] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.369] StrStrIW (lpFirst="SHS-09062017-205414-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.369] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9095a9c2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9095a9c2, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xf955e973, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-09~2.EBA")) returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.369] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.369] StrStrIW (lpFirst="SHS-09062017-210137-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.369] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x64211155, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0x64211155, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xf955e973, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-09~3.EBA")) returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.369] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.369] StrStrIW (lpFirst="SHS-09072017-103625-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.369] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x65faa03, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x65faa03, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0xf9584b75, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-09~4.EBA")) returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.369] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.369] StrStrIW (lpFirst="SHS-09072017-114522-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.369] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x98d63d64, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0x98d63d64, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xf9584b75, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SH7F87~1.EBA")) returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.369] lstrcmpiW (lpString1="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.370] StrStrIW (lpFirst="SHS-09072017-132231-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.370] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xd5f7bb1, ftCreationTime.dwHighDateTime=0x1d327ed, ftLastAccessTime.dwLowDateTime=0xd5f7bb1, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0xd5f7bb1, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", cAlternateFileName="SH7EFA~1.BIN")) returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Windows") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="$Recycle.bin") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="System Volume Information") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin", lpString2="Program Files (x86)") returned 1 [0083.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09072017-172200-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin") returned 130 [0083.370] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8361892b, ftCreationTime.dwHighDateTime=0x1d336c5, ftLastAccessTime.dwLowDateTime=0x8361892b, ftLastAccessTime.dwHighDateTime=0x1d336c5, ftLastWriteTime.dwLowDateTime=0xf9584b75, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SH8795~1.EBA")) returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.370] StrStrIW (lpFirst="SHS-09262017-144646-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.370] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x291e9ee7, ftCreationTime.dwHighDateTime=0x1d336e0, ftLastAccessTime.dwLowDateTime=0x291e9ee7, ftLastAccessTime.dwHighDateTime=0x1d336e0, ftLastWriteTime.dwLowDateTime=0xf9728624, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SH67F6~1.EBA")) returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.370] StrStrIW (lpFirst="SHS-09262017-175731-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.370] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa53a1f04, ftCreationTime.dwHighDateTime=0x1d461f2, ftLastAccessTime.dwLowDateTime=0xa53a1f04, ftLastAccessTime.dwHighDateTime=0x1d461f2, ftLastWriteTime.dwLowDateTime=0xf974e737, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-10~1.EBA")) returned 1 [0083.370] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.370] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.370] lstrcmpiW (lpString1="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.370] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.370] StrStrIW (lpFirst="SHS-10122018-081308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.371] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x24b95208, ftCreationTime.dwHighDateTime=0x1d461fa, ftLastAccessTime.dwLowDateTime=0x24b95208, ftLastAccessTime.dwHighDateTime=0x1d461fa, ftLastWriteTime.dwLowDateTime=0xf979ad94, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-10~2.EBA")) returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.371] StrStrIW (lpFirst="SHS-10122018-090648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.371] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb8d5846d, ftCreationTime.dwHighDateTime=0x1d34734, ftLastAccessTime.dwLowDateTime=0xb8d5846d, ftLastAccessTime.dwHighDateTime=0x1d34734, ftLastWriteTime.dwLowDateTime=0xf979ad94, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-10~3.EBA")) returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.371] StrStrIW (lpFirst="SHS-10172017-124308-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.371] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4e427524, ftCreationTime.dwHighDateTime=0x1d47c27, ftLastAccessTime.dwLowDateTime=0x4e427524, ftLastAccessTime.dwHighDateTime=0x1d47c27, ftLastWriteTime.dwLowDateTime=0xf97c0eb2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-11~1.EBA")) returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.371] StrStrIW (lpFirst="SHS-11142018-153535-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.371] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x41355b6d, ftCreationTime.dwHighDateTime=0x1d47c31, ftLastAccessTime.dwLowDateTime=0x41355b6d, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xf97c0eb2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-11~2.EBA")) returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.371] lstrcmpiW (lpString1="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.371] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.372] StrStrIW (lpFirst="SHS-11142018-164648-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.372] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc44ebf9e, ftCreationTime.dwHighDateTime=0x1d47c33, ftLastAccessTime.dwLowDateTime=0xc44ebf9e, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf97c0eb2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-11~3.EBA")) returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.372] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.372] StrStrIW (lpFirst="SHS-11142018-170447-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.372] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x444f8b5f, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0x444f8b5f, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0xf97c0eb2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SHS-11~4.EBA")) returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.372] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.372] StrStrIW (lpFirst="SHS-11152017-120955-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.372] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69870cf2, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x69870cf2, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xf983361b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SH4B35~1.EBA")) returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.372] lstrcmpiW (lpString1="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.372] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal") returned 149 [0083.372] StrStrIW (lpFirst="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.372] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x69870cf2, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0x69870cf2, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xf983361b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SHS-11152017-121807-3-1-15063.0.amd64fre.rs2_release.170317-1834.bin_r00t_{8ew5f6}.ebal", cAlternateFileName="SH4B35~1.EBA")) returned 0 [0083.372] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.372] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.372] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows security health\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.373] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.374] CloseHandle (hObject=0x438) returned 1 [0083.374] GetProcessHeap () returned 0x3a00000 [0083.374] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.374] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xf983361b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf983361b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 0 [0083.375] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0083.375] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0083.375] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\Windows Security Health\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\windows security health\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.375] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.376] CloseHandle (hObject=0x434) returned 1 [0083.376] GetProcessHeap () returned 0x3a00000 [0083.376] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.376] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WinMSIPC", cAlternateFileName="")) returned 1 [0083.376] lstrcmpiW (lpString1="WinMSIPC", lpString2="Windows") returned 1 [0083.376] lstrcmpiW (lpString1="WinMSIPC", lpString2="$Recycle.bin") returned 1 [0083.376] lstrcmpiW (lpString1="WinMSIPC", lpString2="System Volume Information") returned 1 [0083.377] lstrcmpiW (lpString1="WinMSIPC", lpString2="Program Files") returned 1 [0083.377] lstrcmpiW (lpString1="WinMSIPC", lpString2="Program Files (x86)") returned 1 [0083.377] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC") returned 41 [0083.377] lstrcmpW (lpString1="WinMSIPC", lpString2=".") returned 1 [0083.377] lstrcmpW (lpString1="WinMSIPC", lpString2="..") returned 1 [0083.377] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.377] GetProcessHeap () returned 0x3a00000 [0083.377] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.377] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*") returned 43 [0083.377] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0083.377] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.377] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.377] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.377] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.377] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.377] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\.") returned 43 [0083.377] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.377] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbef9a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.377] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.377] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.377] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.377] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.377] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.377] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\..") returned 44 [0083.377] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.377] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.377] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf98a741a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf98a741a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.377] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.377] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.377] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.377] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.378] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.378] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0083.378] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.378] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.378] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 1 [0083.378] lstrcmpiW (lpString1="Server", lpString2="Windows") returned -1 [0083.378] lstrcmpiW (lpString1="Server", lpString2="$Recycle.bin") returned 1 [0083.378] lstrcmpiW (lpString1="Server", lpString2="System Volume Information") returned -1 [0083.378] lstrcmpiW (lpString1="Server", lpString2="Program Files") returned 1 [0083.378] lstrcmpiW (lpString1="Server", lpString2="Program Files (x86)") returned 1 [0083.378] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server") returned 48 [0083.378] lstrcmpW (lpString1="Server", lpString2=".") returned 1 [0083.378] lstrcmpW (lpString1="Server", lpString2="..") returned 1 [0083.378] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.378] GetProcessHeap () returned 0x3a00000 [0083.378] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.378] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*") returned 50 [0083.378] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.378] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.378] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.378] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.378] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.378] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.378] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\.") returned 50 [0083.378] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.378] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.378] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.378] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.378] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\." (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.379] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.379] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.379] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.379] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.379] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.379] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.379] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\..") returned 51 [0083.379] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.379] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.379] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.379] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.379] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.379] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.379] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\.." (normalized: "c:\\users\\all users\\microsoft\\winmsipc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.379] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf98a741a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf98a741a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.379] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.379] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.379] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.379] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.379] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.379] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0083.379] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.379] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.379] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf98a741a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf98a741a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98a741a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.379] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.380] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0083.380] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\Server\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\server\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.380] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.381] CloseHandle (hObject=0x438) returned 1 [0083.381] GetProcessHeap () returned 0x3a00000 [0083.381] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.381] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cbfa22, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Server", cAlternateFileName="")) returned 0 [0083.381] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0083.381] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0083.381] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WinMSIPC\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\winmsipc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.382] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.389] CloseHandle (hObject=0x434) returned 1 [0083.389] GetProcessHeap () returned 0x3a00000 [0083.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.389] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WwanSvc", cAlternateFileName="")) returned 1 [0083.389] lstrcmpiW (lpString1="WwanSvc", lpString2="Windows") returned 1 [0083.389] lstrcmpiW (lpString1="WwanSvc", lpString2="$Recycle.bin") returned 1 [0083.389] lstrcmpiW (lpString1="WwanSvc", lpString2="System Volume Information") returned 1 [0083.389] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files") returned 1 [0083.389] lstrcmpiW (lpString1="WwanSvc", lpString2="Program Files (x86)") returned 1 [0083.389] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc") returned 40 [0083.389] lstrcmpW (lpString1="WwanSvc", lpString2=".") returned 1 [0083.389] lstrcmpW (lpString1="WwanSvc", lpString2="..") returned 1 [0083.389] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.389] GetProcessHeap () returned 0x3a00000 [0083.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.389] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*") returned 42 [0083.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.389] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.389] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.390] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.390] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.") returned 42 [0083.390] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.390] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.390] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.390] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.390] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.390] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.390] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\..") returned 43 [0083.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.390] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.390] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.390] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.390] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.390] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\.." (normalized: "c:\\users\\all users\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.390] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf98cc013, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf98cc013, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98cc013, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.391] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.391] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.391] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.391] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.391] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.391] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0083.391] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.391] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.391] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DMProfiles", cAlternateFileName="DMPROF~1")) returned 1 [0083.391] lstrcmpiW (lpString1="DMProfiles", lpString2="Windows") returned -1 [0083.391] lstrcmpiW (lpString1="DMProfiles", lpString2="$Recycle.bin") returned 1 [0083.391] lstrcmpiW (lpString1="DMProfiles", lpString2="System Volume Information") returned -1 [0083.391] lstrcmpiW (lpString1="DMProfiles", lpString2="Program Files") returned -1 [0083.391] lstrcmpiW (lpString1="DMProfiles", lpString2="Program Files (x86)") returned -1 [0083.391] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles") returned 51 [0083.391] lstrcmpW (lpString1="DMProfiles", lpString2=".") returned 1 [0083.391] lstrcmpW (lpString1="DMProfiles", lpString2="..") returned 1 [0083.391] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.391] GetProcessHeap () returned 0x3a00000 [0083.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.391] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*") returned 53 [0083.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.391] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\.") returned 53 [0083.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.392] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.392] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.392] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.392] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.392] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.392] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\..") returned 54 [0083.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.392] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.392] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.392] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.392] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\.." (normalized: "c:\\users\\all users\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.392] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc0928, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.392] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.392] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0083.392] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\DMProfiles\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\dmprofiles\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.393] GetProcessHeap () returned 0x3a00000 [0083.393] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.393] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 1 [0083.393] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0083.393] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0083.393] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0083.393] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0083.393] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0083.393] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles") returned 49 [0083.393] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0083.393] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0083.393] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.393] GetProcessHeap () returned 0x3a00000 [0083.393] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.393] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*") returned 51 [0083.393] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.393] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.393] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.393] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.393] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.393] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.393] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.") returned 51 [0083.393] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.393] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.393] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.393] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.393] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\." (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.394] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.394] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.394] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.394] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.394] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.394] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.394] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\..") returned 52 [0083.394] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.394] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.394] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.394] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.394] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.394] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\.." (normalized: "c:\\users\\all users\\microsoft\\wwansvc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.394] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.394] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.394] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 81 [0083.394] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\profiles\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.394] GetProcessHeap () returned 0x3a00000 [0083.394] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.394] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc1154, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 0 [0083.394] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.394] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 72 [0083.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\WwanSvc\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\wwansvc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.395] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.396] CloseHandle (hObject=0x434) returned 1 [0083.396] GetProcessHeap () returned 0x3a00000 [0083.396] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc2cc002d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d079d0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WwanSvc", cAlternateFileName="")) returned 0 [0083.396] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.396] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0083.397] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.397] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.398] CloseHandle (hObject=0x430) returned 1 [0083.398] GetProcessHeap () returned 0x3a00000 [0083.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.398] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0083.398] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Windows") returned -1 [0083.398] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="$Recycle.bin") returned 1 [0083.398] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="System Volume Information") returned -1 [0083.398] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Program Files") returned -1 [0083.398] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="Program Files (x86)") returned -1 [0083.398] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive") returned 41 [0083.399] lstrcmpW (lpString1="Microsoft OneDrive", lpString2=".") returned 1 [0083.399] lstrcmpW (lpString1="Microsoft OneDrive", lpString2="..") returned 1 [0083.399] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.399] GetProcessHeap () returned 0x3a00000 [0083.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.399] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*") returned 43 [0083.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.399] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\.") returned 43 [0083.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.399] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.399] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\..") returned 44 [0083.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.399] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf99648ed, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.399] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.399] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.399] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.399] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.399] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.400] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0083.400] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.400] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.400] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf98f242a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98f242a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="setup", cAlternateFileName="")) returned 1 [0083.400] lstrcmpiW (lpString1="setup", lpString2="Windows") returned -1 [0083.400] lstrcmpiW (lpString1="setup", lpString2="$Recycle.bin") returned 1 [0083.400] lstrcmpiW (lpString1="setup", lpString2="System Volume Information") returned -1 [0083.400] lstrcmpiW (lpString1="setup", lpString2="Program Files") returned 1 [0083.400] lstrcmpiW (lpString1="setup", lpString2="Program Files (x86)") returned 1 [0083.400] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup") returned 47 [0083.400] lstrcmpW (lpString1="setup", lpString2=".") returned 1 [0083.400] lstrcmpW (lpString1="setup", lpString2="..") returned 1 [0083.400] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.400] GetProcessHeap () returned 0x3a00000 [0083.400] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.400] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*") returned 49 [0083.400] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf98f242a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.400] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.400] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.400] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.400] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.400] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.400] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\.") returned 49 [0083.400] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.400] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf98f242a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.400] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.400] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.400] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.401] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.401] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.401] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\..") returned 50 [0083.401] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.401] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf99648ed, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.401] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.401] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.401] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.401] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.401] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.401] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0083.401] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.401] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.401] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xf98f242a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="refcount.ini_r00t_{8ew5f6}.ebal", cAlternateFileName="REFCOU~1.EBA")) returned 1 [0083.401] lstrcmpiW (lpString1="refcount.ini_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.401] lstrcmpiW (lpString1="refcount.ini_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.401] lstrcmpiW (lpString1="refcount.ini_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.401] lstrcmpiW (lpString1="refcount.ini_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.401] lstrcmpiW (lpString1="refcount.ini_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.401] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\refcount.ini_r00t_{8ew5f6}.ebal") returned 79 [0083.401] StrStrIW (lpFirst="refcount.ini_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.401] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xf98f242a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="refcount.ini_r00t_{8ew5f6}.ebal", cAlternateFileName="REFCOU~1.EBA")) returned 0 [0083.401] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.401] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0083.401] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\setup\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft onedrive\\setup\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.402] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.403] CloseHandle (hObject=0x434) returned 1 [0083.403] GetProcessHeap () returned 0x3a00000 [0083.403] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf98f242a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf98f242a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="setup", cAlternateFileName="")) returned 0 [0083.403] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.403] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 73 [0083.403] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Microsoft OneDrive\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\microsoft onedrive\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.404] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.405] CloseHandle (hObject=0x430) returned 1 [0083.405] GetProcessHeap () returned 0x3a00000 [0083.405] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Oracle", cAlternateFileName="")) returned 1 [0083.405] lstrcmpiW (lpString1="Oracle", lpString2="Windows") returned -1 [0083.405] lstrcmpiW (lpString1="Oracle", lpString2="$Recycle.bin") returned 1 [0083.405] lstrcmpiW (lpString1="Oracle", lpString2="System Volume Information") returned -1 [0083.405] lstrcmpiW (lpString1="Oracle", lpString2="Program Files") returned -1 [0083.405] lstrcmpiW (lpString1="Oracle", lpString2="Program Files (x86)") returned -1 [0083.405] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle") returned 29 [0083.405] lstrcmpW (lpString1="Oracle", lpString2=".") returned 1 [0083.405] lstrcmpW (lpString1="Oracle", lpString2="..") returned 1 [0083.405] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.405] GetProcessHeap () returned 0x3a00000 [0083.405] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.406] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\*") returned 31 [0083.406] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.406] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.406] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.406] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.406] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.406] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.406] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\.") returned 31 [0083.406] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.406] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.406] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.406] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.406] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.406] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.406] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.406] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\..") returned 32 [0083.406] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.406] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.406] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9a4970e, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9a4970e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.406] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.406] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.406] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.406] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.406] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.406] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 61 [0083.406] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.406] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.406] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Java", cAlternateFileName="")) returned 1 [0083.406] lstrcmpiW (lpString1="Java", lpString2="Windows") returned -1 [0083.407] lstrcmpiW (lpString1="Java", lpString2="$Recycle.bin") returned 1 [0083.407] lstrcmpiW (lpString1="Java", lpString2="System Volume Information") returned -1 [0083.407] lstrcmpiW (lpString1="Java", lpString2="Program Files") returned -1 [0083.407] lstrcmpiW (lpString1="Java", lpString2="Program Files (x86)") returned -1 [0083.407] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java") returned 34 [0083.407] lstrcmpW (lpString1="Java", lpString2=".") returned 1 [0083.407] lstrcmpW (lpString1="Java", lpString2="..") returned 1 [0083.407] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.407] GetProcessHeap () returned 0x3a00000 [0083.407] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*") returned 36 [0083.407] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.407] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.407] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.407] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.407] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.407] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.") returned 36 [0083.407] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.407] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.407] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.407] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.407] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.407] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.407] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.407] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\..") returned 37 [0083.407] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.407] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.407] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9a4970e, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9a4970e, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.408] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.408] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0083.408] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.408] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.408] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".oracle_jre_usage", cAlternateFileName="ORACLE~1")) returned 1 [0083.408] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Windows") returned -1 [0083.408] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="$Recycle.bin") returned 1 [0083.408] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="System Volume Information") returned -1 [0083.408] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Program Files") returned -1 [0083.408] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="Program Files (x86)") returned -1 [0083.408] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage") returned 52 [0083.408] lstrcmpW (lpString1=".oracle_jre_usage", lpString2=".") returned 1 [0083.408] lstrcmpW (lpString1=".oracle_jre_usage", lpString2="..") returned 1 [0083.408] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.408] GetProcessHeap () returned 0x3a00000 [0083.408] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*") returned 54 [0083.408] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.408] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.408] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.408] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.408] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.408] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.408] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\.") returned 54 [0083.408] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.408] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.409] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.409] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.409] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.409] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.409] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.409] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\..") returned 55 [0083.409] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.409] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.409] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf99648ed, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf99648ed, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf998aadf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.409] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.409] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.409] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.409] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.409] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.409] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0083.409] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.409] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.409] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3b7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", cAlternateFileName="17DFC2~1.EBA")) returned 1 [0083.409] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.409] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.409] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.409] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.409] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.409] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal") returned 98 [0083.409] StrStrIW (lpFirst="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.409] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf99648ed, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3b7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="17dfc292991c7c46.timestamp_r00t_{8ew5f6}.ebal", cAlternateFileName="17DFC2~1.EBA")) returned 0 [0083.409] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.409] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 84 [0083.409] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.410] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.411] CloseHandle (hObject=0x438) returned 1 [0083.411] GetProcessHeap () returned 0x3a00000 [0083.411] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.411] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf998aadf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf998aadf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1 [0083.411] lstrcmpiW (lpString1="installcache_x64", lpString2="Windows") returned -1 [0083.411] lstrcmpiW (lpString1="installcache_x64", lpString2="$Recycle.bin") returned 1 [0083.411] lstrcmpiW (lpString1="installcache_x64", lpString2="System Volume Information") returned -1 [0083.411] lstrcmpiW (lpString1="installcache_x64", lpString2="Program Files") returned -1 [0083.411] lstrcmpiW (lpString1="installcache_x64", lpString2="Program Files (x86)") returned -1 [0083.411] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64") returned 51 [0083.411] lstrcmpW (lpString1="installcache_x64", lpString2=".") returned 1 [0083.411] lstrcmpW (lpString1="installcache_x64", lpString2="..") returned 1 [0083.411] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.412] GetProcessHeap () returned 0x3a00000 [0083.412] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.412] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*") returned 53 [0083.412] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf998aadf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.412] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.412] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.412] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.412] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.412] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.412] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\.") returned 53 [0083.412] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.412] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf998aadf, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.412] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.412] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.412] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.412] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.412] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.412] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\..") returned 54 [0083.412] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.412] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.412] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf99b0e2d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf99b0e2d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.412] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.412] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.412] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.412] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.412] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.412] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0083.412] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.412] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.413] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf998aadf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4eba7f9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="baseimagefam8_r00t_{8ew5f6}.ebal", cAlternateFileName="BASEIM~1.EBA")) returned 1 [0083.413] lstrcmpiW (lpString1="baseimagefam8_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.413] lstrcmpiW (lpString1="baseimagefam8_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.413] lstrcmpiW (lpString1="baseimagefam8_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.413] lstrcmpiW (lpString1="baseimagefam8_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.413] lstrcmpiW (lpString1="baseimagefam8_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.413] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8_r00t_{8ew5f6}.ebal") returned 84 [0083.413] StrStrIW (lpFirst="baseimagefam8_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.413] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf998aadf, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4eba7f9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="baseimagefam8_r00t_{8ew5f6}.ebal", cAlternateFileName="BASEIM~1.EBA")) returned 0 [0083.413] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.413] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 83 [0083.413] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.414] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.415] CloseHandle (hObject=0x438) returned 1 [0083.415] GetProcessHeap () returned 0x3a00000 [0083.415] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath", cAlternateFileName="")) returned 1 [0083.415] lstrcmpiW (lpString1="javapath", lpString2="Windows") returned -1 [0083.415] lstrcmpiW (lpString1="javapath", lpString2="$Recycle.bin") returned 1 [0083.415] lstrcmpiW (lpString1="javapath", lpString2="System Volume Information") returned -1 [0083.415] lstrcmpiW (lpString1="javapath", lpString2="Program Files") returned -1 [0083.415] lstrcmpiW (lpString1="javapath", lpString2="Program Files (x86)") returned -1 [0083.415] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath") returned 43 [0083.415] lstrcmpW (lpString1="javapath", lpString2=".") returned 1 [0083.415] lstrcmpW (lpString1="javapath", lpString2="..") returned 1 [0083.415] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.415] GetProcessHeap () returned 0x3a00000 [0083.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.415] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\*") returned 45 [0083.415] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0083.415] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.415] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.415] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.415] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.415] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.415] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\.") returned 45 [0083.415] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.415] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.416] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.416] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.416] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.416] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.416] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.416] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\..") returned 46 [0083.416] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.416] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.416] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9a23503, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a4970e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.416] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.416] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.416] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.416] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.416] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="java.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAEX~1.EBA")) returned 1 [0083.416] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.416] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.416] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.416] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.416] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.416] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\java.exe_r00t_{8ew5f6}.ebal") returned 71 [0083.416] StrStrIW (lpFirst="java.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.416] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaw.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWE~1.EBA")) returned 1 [0083.416] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.416] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.416] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.416] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.416] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.416] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\javaw.exe_r00t_{8ew5f6}.ebal") returned 72 [0083.417] StrStrIW (lpFirst="javaw.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.417] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 1 [0083.417] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.417] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.417] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.417] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.417] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.417] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\javaws.exe_r00t_{8ew5f6}.ebal") returned 73 [0083.417] StrStrIW (lpFirst="javaws.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.417] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 0 [0083.417] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0083.417] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.417] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\java\\javapath\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.418] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.419] CloseHandle (hObject=0x438) returned 1 [0083.419] GetProcessHeap () returned 0x3a00000 [0083.419] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 1 [0083.419] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Windows") returned -1 [0083.419] lstrcmpiW (lpString1="javapath_target_474984", lpString2="$Recycle.bin") returned 1 [0083.419] lstrcmpiW (lpString1="javapath_target_474984", lpString2="System Volume Information") returned -1 [0083.419] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Program Files") returned -1 [0083.419] lstrcmpiW (lpString1="javapath_target_474984", lpString2="Program Files (x86)") returned -1 [0083.419] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984") returned 57 [0083.419] lstrcmpW (lpString1="javapath_target_474984", lpString2=".") returned 1 [0083.419] lstrcmpW (lpString1="javapath_target_474984", lpString2="..") returned 1 [0083.419] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.419] GetProcessHeap () returned 0x3a00000 [0083.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.419] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\*") returned 59 [0083.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0083.419] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.419] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.419] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.419] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.419] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.419] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\.") returned 59 [0083.419] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.419] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.420] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.420] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.420] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\..") returned 60 [0083.420] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.420] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.420] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf9a23503, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfb7a492f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.420] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.420] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.420] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0083.420] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.420] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.420] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf99b0e2d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="java.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAEX~1.EBA")) returned 1 [0083.420] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.420] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1="java.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.420] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\java.exe_r00t_{8ew5f6}.ebal") returned 85 [0083.420] StrStrIW (lpFirst="java.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.420] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x32bc4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaw.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWE~1.EBA")) returned 1 [0083.420] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.420] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.420] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.420] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.420] lstrcmpiW (lpString1="javaw.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.420] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\javaw.exe_r00t_{8ew5f6}.ebal") returned 86 [0083.421] StrStrIW (lpFirst="javaw.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.421] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 1 [0083.421] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.421] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.421] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.421] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.421] lstrcmpiW (lpString1="javaws.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.434] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\javaws.exe_r00t_{8ew5f6}.ebal") returned 87 [0083.434] StrStrIW (lpFirst="javaws.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.434] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4e3c4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="javaws.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="JAVAWS~1.EBA")) returned 0 [0083.434] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0083.434] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 89 [0083.434] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\java\\javapath_target_474984\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.435] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.436] CloseHandle (hObject=0x438) returned 1 [0083.436] GetProcessHeap () returned 0x3a00000 [0083.436] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.436] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xf9a23503, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9a23503, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 0 [0083.436] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.436] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0083.436] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\Java\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\java\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.437] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.438] CloseHandle (hObject=0x434) returned 1 [0083.438] GetProcessHeap () returned 0x3a00000 [0083.438] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.438] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Java", cAlternateFileName="")) returned 0 [0083.438] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.438] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Oracle\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 61 [0083.438] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Oracle\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\oracle\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.439] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.440] CloseHandle (hObject=0x430) returned 1 [0083.440] GetProcessHeap () returned 0x3a00000 [0083.440] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.440] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0083.440] lstrcmpiW (lpString1="Package Cache", lpString2="Windows") returned -1 [0083.440] lstrcmpiW (lpString1="Package Cache", lpString2="$Recycle.bin") returned 1 [0083.440] lstrcmpiW (lpString1="Package Cache", lpString2="System Volume Information") returned -1 [0083.440] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files") returned -1 [0083.440] lstrcmpiW (lpString1="Package Cache", lpString2="Program Files (x86)") returned -1 [0083.440] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache") returned 36 [0083.440] lstrcmpW (lpString1="Package Cache", lpString2=".") returned 1 [0083.440] lstrcmpW (lpString1="Package Cache", lpString2="..") returned 1 [0083.440] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.440] GetProcessHeap () returned 0x3a00000 [0083.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.440] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\*") returned 38 [0083.440] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.440] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.440] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.440] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.440] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.440] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.440] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\.") returned 38 [0083.440] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.440] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.441] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.441] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.441] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.441] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.441] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.441] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\..") returned 39 [0083.441] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.441] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.441] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa170816, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.441] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.441] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.441] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.441] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.441] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.441] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0083.441] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.441] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.441] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0083.441] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Windows") returned -1 [0083.441] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0083.441] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="System Volume Information") returned -1 [0083.441] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files") returned -1 [0083.441] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0083.441] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005") returned 86 [0083.441] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0083.441] lstrcmpW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0083.441] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.441] GetProcessHeap () returned 0x3a00000 [0083.441] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.441] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*") returned 88 [0083.441] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0083.442] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.442] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\.") returned 88 [0083.442] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.442] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.442] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\..") returned 89 [0083.442] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.442] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.442] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b549e9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.442] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.442] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.442] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.442] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.442] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.442] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.442] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.442] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.442] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.442] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.442] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.442] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages") returned 95 [0083.443] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.443] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.443] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.443] GetProcessHeap () returned 0x3a00000 [0083.443] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.443] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*") returned 97 [0083.443] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0083.443] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.443] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.443] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.443] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.443] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.443] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\.") returned 97 [0083.443] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.443] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.443] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.443] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.443] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.443] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.443] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.443] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\..") returned 98 [0083.443] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.443] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.443] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b549e9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.443] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.443] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.443] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.443] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.443] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.443] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.444] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.444] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.444] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.444] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0083.444] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0083.444] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0083.444] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0083.444] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0083.444] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86") returned 116 [0083.444] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0083.444] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0083.444] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.444] GetProcessHeap () returned 0x3a00000 [0083.444] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.444] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*") returned 118 [0083.444] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0083.444] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.444] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.444] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.444] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.444] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.444] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\.") returned 118 [0083.444] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.444] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.444] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.444] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.444] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.444] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.445] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\..") returned 119 [0083.445] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.445] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.445] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b549e9, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.445] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.445] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.445] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.445] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.445] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 148 [0083.445] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.445] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.445] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xf9a6f965, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xf3a42, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.445] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.445] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.445] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.445] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.445] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 144 [0083.445] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.445] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.445] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.445] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.445] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.445] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.445] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.445] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 161 [0083.445] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.445] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.445] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0083.446] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 148 [0083.446] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.446] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.447] CloseHandle (hObject=0x43c) returned 1 [0083.447] GetProcessHeap () returned 0x3a00000 [0083.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.447] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b549e9, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.447] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0083.448] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.448] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.449] CloseHandle (hObject=0x438) returned 1 [0083.449] GetProcessHeap () returned 0x3a00000 [0083.449] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.449] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.449] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0083.449] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.450] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{13a4ee12-23ea-3371-91ee-efb36ddfff3e}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.450] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.451] CloseHandle (hObject=0x434) returned 1 [0083.451] GetProcessHeap () returned 0x3a00000 [0083.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.451] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b7ab97, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0083.451] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Windows") returned -1 [0083.451] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$Recycle.bin") returned 1 [0083.451] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="System Volume Information") returned -1 [0083.451] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files") returned -1 [0083.451] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="Program Files (x86)") returned -1 [0083.451] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}") returned 75 [0083.452] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0083.452] lstrcmpW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0083.452] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.452] GetProcessHeap () returned 0x3a00000 [0083.452] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.452] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*") returned 77 [0083.452] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b7ab97, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.452] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.452] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.452] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.452] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.452] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.452] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\.") returned 77 [0083.453] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.453] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9b7ab97, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.453] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.453] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.453] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.453] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.453] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.453] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\..") returned 78 [0083.453] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.453] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.453] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9b7ab97, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9b7ab97, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.453] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.453] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.453] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.453] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.453] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9b549e9, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5f6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.453] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.453] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.453] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.453] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.453] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.453] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.453] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.453] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6f7ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 1 [0083.453] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.453] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.453] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.453] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.453] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.454] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal") returned 111 [0083.454] StrStrIW (lpFirst="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.454] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9b7ab97, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6f7ac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 0 [0083.454] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.454] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.454] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.455] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.455] CloseHandle (hObject=0x434) returned 1 [0083.455] GetProcessHeap () returned 0x3a00000 [0083.455] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.455] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0083.455] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Windows") returned -1 [0083.456] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0083.456] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="System Volume Information") returned -1 [0083.456] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files") returned -1 [0083.456] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0083.456] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030") returned 86 [0083.456] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0083.456] lstrcmpW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0083.456] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.456] GetProcessHeap () returned 0x3a00000 [0083.456] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.456] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*") returned 88 [0083.456] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9bed06b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.456] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.456] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.456] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.456] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.456] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.456] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\.") returned 88 [0083.456] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.456] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9bed06b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.456] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.456] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.456] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.456] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.456] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.456] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\..") returned 89 [0083.456] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.456] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.456] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9bed06b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9bed06b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bed06b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.457] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.457] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.457] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.457] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.457] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.457] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.457] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.457] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.457] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.457] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.457] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.457] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.457] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.457] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.457] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages") returned 95 [0083.457] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.457] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.457] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.457] GetProcessHeap () returned 0x3a00000 [0083.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.457] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*") returned 97 [0083.457] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0083.457] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.457] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.457] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.457] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.457] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.457] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\.") returned 97 [0083.457] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.458] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.458] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\..") returned 98 [0083.458] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.458] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.458] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9bc7106, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bed06b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.458] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.458] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.458] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.458] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.458] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.458] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.458] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.458] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0083.458] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0083.458] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0083.458] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0083.458] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0083.458] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64") returned 121 [0083.458] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0083.458] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0083.458] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.458] GetProcessHeap () returned 0x3a00000 [0083.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.458] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*") returned 123 [0083.458] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.459] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.459] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.459] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.459] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.459] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.459] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\.") returned 123 [0083.459] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.459] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.459] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.459] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.459] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.459] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.459] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.459] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\..") returned 124 [0083.459] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.459] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.459] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9bc7106, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.459] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.459] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.459] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.459] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.459] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.459] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 153 [0083.459] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.459] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.459] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb69f0b00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xb69f0b00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xf9ba0d9f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5884a8, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.459] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.459] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.460] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.460] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.460] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.460] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 149 [0083.460] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.460] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.460] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.460] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.460] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.460] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.460] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.460] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 169 [0083.460] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.460] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.460] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.460] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 153 [0083.460] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.461] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.462] CloseHandle (hObject=0x43c) returned 1 [0083.462] GetProcessHeap () returned 0x3a00000 [0083.462] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.462] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9bc7106, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9bc7106, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.462] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0083.462] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.462] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.463] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.464] CloseHandle (hObject=0x438) returned 1 [0083.464] GetProcessHeap () returned 0x3a00000 [0083.464] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.464] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.464] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.464] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.464] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{37b8f9c7-03fb-3253-8781-2517c99d7c00}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.465] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.465] CloseHandle (hObject=0x434) returned 1 [0083.465] GetProcessHeap () returned 0x3a00000 [0083.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c1327a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0083.466] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Windows") returned -1 [0083.466] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$Recycle.bin") returned 1 [0083.466] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="System Volume Information") returned -1 [0083.466] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files") returned -1 [0083.466] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="Program Files (x86)") returned -1 [0083.466] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}") returned 75 [0083.466] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0083.466] lstrcmpW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0083.466] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.466] GetProcessHeap () returned 0x3a00000 [0083.466] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.466] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*") returned 77 [0083.466] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c1327a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.466] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.466] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.466] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.466] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.466] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.466] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\.") returned 77 [0083.466] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.466] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c1327a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.466] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.466] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.466] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.466] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.466] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.466] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\..") returned 78 [0083.466] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.467] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.467] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9c1327a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9c1327a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.467] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.467] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.467] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.467] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.467] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.467] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.467] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.467] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40b2b5b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd40b2b5b, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9bed06b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x602, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.467] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.467] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.467] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.467] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.467] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.467] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.467] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7142c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 1 [0083.467] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.467] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.467] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.467] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.467] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal") returned 111 [0083.467] StrStrIW (lpFirst="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.467] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9c1327a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7142c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 0 [0083.467] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.467] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.467] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.470] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.471] CloseHandle (hObject=0x434) returned 1 [0083.471] GetProcessHeap () returned 0x3a00000 [0083.471] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0083.471] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Windows") returned -1 [0083.471] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0083.472] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="System Volume Information") returned -1 [0083.472] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files") returned -1 [0083.472] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0083.472] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017") returned 87 [0083.472] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0083.472] lstrcmpW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0083.472] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.472] GetProcessHeap () returned 0x3a00000 [0083.472] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.472] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*") returned 89 [0083.472] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cabbe6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0083.472] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.472] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.472] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.472] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.472] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.472] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\.") returned 89 [0083.472] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.472] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cabbe6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.472] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.472] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.472] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.472] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.472] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.472] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\..") returned 90 [0083.472] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.472] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.472] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9cabbe6, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9cabbe6, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cabbe6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.472] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.472] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.473] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.473] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.473] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.473] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.473] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.473] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.473] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.473] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.473] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.473] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.473] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.473] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.473] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages") returned 96 [0083.473] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.473] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.473] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.473] GetProcessHeap () returned 0x3a00000 [0083.473] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.473] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*") returned 98 [0083.473] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0083.473] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.473] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.473] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.473] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.473] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.473] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\.") returned 98 [0083.473] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.473] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.473] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.473] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.474] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.474] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.474] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\..") returned 99 [0083.474] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.474] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.474] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9c87d4f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cabbe6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.474] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.474] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.474] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.474] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.474] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0083.474] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0083.474] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0083.474] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0083.474] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0083.474] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86") returned 117 [0083.474] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0083.474] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0083.474] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.474] GetProcessHeap () returned 0x3a00000 [0083.474] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.474] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*") returned 119 [0083.474] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.474] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.474] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.475] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.475] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.475] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\.") returned 119 [0083.475] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.475] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.475] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.475] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.475] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.475] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.475] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\..") returned 120 [0083.475] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.475] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.475] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9c87d4f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.475] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.475] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.475] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.475] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.475] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 149 [0083.475] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.475] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.475] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf81cb00, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xdf81cb00, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xf9c39ac2, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x13be3f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.475] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.475] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.475] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.475] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.475] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.475] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 145 [0083.475] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.475] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x24384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.476] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.476] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.476] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.476] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.476] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.476] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 162 [0083.476] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.476] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x24384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.476] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.476] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 149 [0083.476] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.477] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.477] CloseHandle (hObject=0x43c) returned 1 [0083.478] GetProcessHeap () returned 0x3a00000 [0083.478] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9c87d4f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9c87d4f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.478] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.478] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.478] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.479] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.479] CloseHandle (hObject=0x438) returned 1 [0083.479] GetProcessHeap () returned 0x3a00000 [0083.480] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.480] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0083.480] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.480] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{582ea838-9199-3518-a05c-db09462f68ec}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.481] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.481] CloseHandle (hObject=0x434) returned 1 [0083.481] GetProcessHeap () returned 0x3a00000 [0083.481] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0083.481] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Windows") returned -1 [0083.481] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0083.481] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="System Volume Information") returned -1 [0083.482] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files") returned -1 [0083.482] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0083.482] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017") returned 87 [0083.482] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0083.482] lstrcmpW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0083.482] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.482] GetProcessHeap () returned 0x3a00000 [0083.482] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.482] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*") returned 89 [0083.482] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cf8098, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0083.482] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.482] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.482] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.482] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.482] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.482] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\.") returned 89 [0083.482] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.482] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cf8098, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.482] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.482] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.482] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.482] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.482] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.482] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\..") returned 90 [0083.482] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.482] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.482] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9cf8098, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9cf8098, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cf8098, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.482] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.482] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.483] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.483] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.483] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.483] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.483] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.483] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.483] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.483] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.483] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.483] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.483] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.483] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.483] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages") returned 96 [0083.483] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.483] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.483] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.483] GetProcessHeap () returned 0x3a00000 [0083.483] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.483] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*") returned 98 [0083.483] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.483] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.483] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.483] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.483] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.483] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.483] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\.") returned 98 [0083.483] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.483] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.484] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.484] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.484] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.484] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.484] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.484] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\..") returned 99 [0083.484] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.484] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.484] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9cd1ecb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.484] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.484] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.484] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.484] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.484] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.484] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.484] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.484] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.484] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.484] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0083.484] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0083.484] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0083.484] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0083.484] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0083.484] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86") returned 120 [0083.484] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0083.484] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0083.484] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.484] GetProcessHeap () returned 0x3a00000 [0083.484] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.484] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*") returned 122 [0083.484] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.485] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.485] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.485] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.485] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.485] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.485] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\.") returned 122 [0083.485] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.485] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.485] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.485] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.485] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.485] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.485] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.485] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\..") returned 123 [0083.485] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.485] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.485] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9cd1ecb, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.485] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.485] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 152 [0083.485] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.485] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.485] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xf9cabbe6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4f6d22, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.485] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.485] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.485] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.485] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.485] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.485] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 148 [0083.486] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.486] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.486] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.486] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.486] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.486] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.486] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.486] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 168 [0083.486] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.486] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.486] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.486] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 152 [0083.486] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.487] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.488] CloseHandle (hObject=0x43c) returned 1 [0083.488] GetProcessHeap () returned 0x3a00000 [0083.488] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.488] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9cd1ecb, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9cd1ecb, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.488] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.488] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.488] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.489] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.489] CloseHandle (hObject=0x438) returned 1 [0083.489] GetProcessHeap () returned 0x3a00000 [0083.490] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.490] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.490] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0083.490] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.490] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{68306422-7c57-373f-8860-d26ce4ba2a15}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.491] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.491] CloseHandle (hObject=0x434) returned 1 [0083.492] GetProcessHeap () returned 0x3a00000 [0083.492] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.492] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0083.492] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Windows") returned -1 [0083.492] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0083.492] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="System Volume Information") returned -1 [0083.492] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files") returned -1 [0083.492] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0083.492] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017") returned 87 [0083.492] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0083.492] lstrcmpW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0083.492] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.492] GetProcessHeap () returned 0x3a00000 [0083.492] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.492] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*") returned 89 [0083.492] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.492] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.492] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.492] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.492] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.492] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.492] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\.") returned 89 [0083.492] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.492] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.492] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.492] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.493] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.493] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.493] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.493] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\..") returned 90 [0083.493] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.493] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.493] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d1e308, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.493] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.493] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.493] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.493] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.493] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.493] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.493] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.493] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.493] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.493] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.493] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.493] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.493] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.493] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.493] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages") returned 96 [0083.493] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.493] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.493] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.493] GetProcessHeap () returned 0x3a00000 [0083.493] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.493] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*") returned 98 [0083.493] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.493] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.493] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.494] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.494] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.494] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.494] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\.") returned 98 [0083.494] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.494] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.494] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.494] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.494] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.494] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.494] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.494] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\..") returned 99 [0083.494] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.494] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.494] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d1e308, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.494] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.494] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.494] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.494] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.494] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.494] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.494] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.494] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.494] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.494] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0083.494] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0083.494] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0083.494] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0083.494] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0083.494] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64") returned 119 [0083.494] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0083.494] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0083.494] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.494] GetProcessHeap () returned 0x3a00000 [0083.495] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.495] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*") returned 121 [0083.495] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0083.495] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.495] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.495] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.495] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.495] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.495] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\.") returned 121 [0083.495] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.495] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.495] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.495] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.495] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.495] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.495] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.495] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\..") returned 122 [0083.495] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.495] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.495] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d1e308, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.495] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.495] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.495] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.495] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.495] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.495] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.495] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.496] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xf9cf8098, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1655db, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.496] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.496] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.496] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.496] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.496] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.496] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 147 [0083.496] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x24384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.496] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.496] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.496] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.496] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.496] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.496] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 164 [0083.496] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.496] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x24384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.496] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0083.496] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.496] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.497] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.498] CloseHandle (hObject=0x43c) returned 1 [0083.498] GetProcessHeap () returned 0x3a00000 [0083.498] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.498] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d1e308, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d1e308, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.498] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.498] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.498] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.499] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.500] CloseHandle (hObject=0x438) returned 1 [0083.500] GetProcessHeap () returned 0x3a00000 [0083.500] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.500] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.500] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.500] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.500] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{8d4f7a6d-6b81-3dc8-9c21-6008e4866727}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.501] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.502] CloseHandle (hObject=0x434) returned 1 [0083.502] GetProcessHeap () returned 0x3a00000 [0083.502] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.502] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0083.502] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Windows") returned -1 [0083.502] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0083.502] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="System Volume Information") returned -1 [0083.502] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files") returned -1 [0083.502] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0083.502] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005") returned 86 [0083.502] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0083.502] lstrcmpW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0083.502] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.502] GetProcessHeap () returned 0x3a00000 [0083.502] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.502] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*") returned 88 [0083.502] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0083.502] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.503] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.503] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.503] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.503] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.503] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\.") returned 88 [0083.503] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.503] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.503] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.503] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.503] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.503] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.503] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.503] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\..") returned 89 [0083.503] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.503] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.503] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d909fd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.503] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.503] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.503] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.503] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.503] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.503] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.503] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.503] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.503] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.503] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.503] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.503] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.503] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.503] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.503] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages") returned 95 [0083.503] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.504] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.504] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.504] GetProcessHeap () returned 0x3a00000 [0083.504] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.504] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*") returned 97 [0083.504] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0083.504] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.504] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.504] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.504] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.504] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.504] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\.") returned 97 [0083.504] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.504] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.504] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.504] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.504] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.504] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.504] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.504] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\..") returned 98 [0083.504] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.504] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.504] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d909fd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.504] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.504] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.504] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.504] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.504] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.504] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.505] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.505] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.505] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.505] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0083.505] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0083.505] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0083.505] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0083.505] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0083.505] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64") returned 121 [0083.505] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0083.505] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0083.505] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.505] GetProcessHeap () returned 0x3a00000 [0083.505] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.505] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*") returned 123 [0083.505] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.505] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.505] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.505] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.505] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.505] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.505] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\.") returned 123 [0083.505] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.505] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.505] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.505] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.505] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.505] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.505] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.505] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\..") returned 124 [0083.506] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.506] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.506] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9d909fd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.506] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.506] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.506] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.506] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.506] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.506] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 153 [0083.506] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.506] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.506] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8abe5b00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x8abe5b00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9d445d8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5548a4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.506] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.506] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.506] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.506] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.506] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.506] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 149 [0083.506] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.506] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.506] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.506] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.506] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.506] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.506] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.506] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 169 [0083.506] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.506] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.506] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.506] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 153 [0083.506] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.507] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.508] CloseHandle (hObject=0x43c) returned 1 [0083.508] GetProcessHeap () returned 0x3a00000 [0083.508] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.508] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9d909fd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9d909fd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.508] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0083.508] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.508] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.509] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.510] CloseHandle (hObject=0x438) returned 1 [0083.510] GetProcessHeap () returned 0x3a00000 [0083.510] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.510] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.510] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0083.510] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.510] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{929fbd26-9020-399b-9a7a-751d61f0b942}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.511] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.512] CloseHandle (hObject=0x434) returned 1 [0083.512] GetProcessHeap () returned 0x3a00000 [0083.512] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.512] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0083.512] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Windows") returned -1 [0083.512] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0083.512] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="System Volume Information") returned -1 [0083.512] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files") returned -1 [0083.512] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0083.512] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005") returned 86 [0083.512] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0083.512] lstrcmpW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0083.512] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.512] GetProcessHeap () returned 0x3a00000 [0083.512] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.512] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*") returned 88 [0083.512] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0083.512] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.512] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.512] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.513] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.513] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.513] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\.") returned 88 [0083.513] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.513] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.513] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.513] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.513] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.513] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.513] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.513] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\..") returned 89 [0083.513] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.513] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.513] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9db6c6a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.513] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.513] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.513] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.513] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.513] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.513] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.513] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.513] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.513] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.513] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.513] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.513] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.513] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.513] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.513] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages") returned 95 [0083.513] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.513] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.513] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.513] GetProcessHeap () returned 0x3a00000 [0083.513] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*") returned 97 [0083.514] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0083.514] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.514] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.514] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.514] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.514] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\.") returned 97 [0083.514] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.514] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.514] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.514] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.514] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.514] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.514] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\..") returned 98 [0083.514] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.514] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.514] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9db6c6a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.514] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.514] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.514] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.514] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.514] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.514] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.514] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.514] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.514] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.531] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0083.531] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0083.531] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0083.531] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0083.531] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0083.531] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64") returned 118 [0083.531] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0083.532] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0083.532] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.532] GetProcessHeap () returned 0x3a00000 [0083.532] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.532] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*") returned 120 [0083.532] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.532] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.532] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.532] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.532] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.532] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.532] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\.") returned 120 [0083.532] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.532] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.532] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.532] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.532] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.532] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.532] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.532] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\..") returned 121 [0083.532] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.532] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.532] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9db6c6a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.532] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.532] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.532] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.532] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.533] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.533] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 150 [0083.533] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.533] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.533] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898d2e00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x898d2e00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xfcc8e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.533] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.533] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.533] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.533] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.533] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.533] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 146 [0083.533] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.533] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.533] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.533] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.533] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.533] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.533] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.533] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 163 [0083.533] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.533] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.533] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.533] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 150 [0083.533] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.534] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.535] CloseHandle (hObject=0x43c) returned 1 [0083.535] GetProcessHeap () returned 0x3a00000 [0083.535] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9db6c6a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9db6c6a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.535] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0083.535] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.535] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.536] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.537] CloseHandle (hObject=0x438) returned 1 [0083.537] GetProcessHeap () returned 0x3a00000 [0083.537] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.537] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0083.537] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.537] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{a749d8e6-b613-3be3-8f5f-045c84eba29b}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.538] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.539] CloseHandle (hObject=0x434) returned 1 [0083.539] GetProcessHeap () returned 0x3a00000 [0083.539] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.539] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0083.539] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Windows") returned -1 [0083.539] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0083.539] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="System Volume Information") returned -1 [0083.539] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files") returned -1 [0083.539] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0083.539] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030") returned 86 [0083.539] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0083.539] lstrcmpW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0083.539] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.539] GetProcessHeap () returned 0x3a00000 [0083.539] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.539] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*") returned 88 [0083.539] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e29390, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0083.539] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.540] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.540] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.540] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.540] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.540] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\.") returned 88 [0083.540] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.540] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e29390, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.540] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.540] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.540] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.540] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.540] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.540] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\..") returned 89 [0083.540] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.540] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.540] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e29390, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e29390, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e29390, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.540] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.540] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.540] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.540] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.540] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.540] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.540] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.540] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.540] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.540] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.540] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.540] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.540] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.540] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.540] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages") returned 95 [0083.540] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.540] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.541] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.541] GetProcessHeap () returned 0x3a00000 [0083.541] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.541] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*") returned 97 [0083.541] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0083.541] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.541] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.541] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.541] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.541] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.541] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\.") returned 97 [0083.541] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.541] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.541] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.541] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.541] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.541] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.541] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.541] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\..") returned 98 [0083.541] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.541] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.541] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e04f53, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.541] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.541] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.541] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.541] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.541] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.541] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.541] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.542] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.542] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.542] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0083.542] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0083.542] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0083.542] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0083.542] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0083.542] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86") returned 119 [0083.542] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0083.542] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0083.542] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.542] GetProcessHeap () returned 0x3a00000 [0083.542] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.542] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*") returned 121 [0083.542] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.542] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.542] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.542] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.542] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.542] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.542] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\.") returned 121 [0083.542] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.542] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.542] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.542] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.542] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.542] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.542] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.542] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\..") returned 122 [0083.543] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.543] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.543] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e04f53, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.543] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.543] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.543] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.543] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.543] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.543] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.543] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.543] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.543] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1a600, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x98d1a600, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xf9ddcef5, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4ea79c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.543] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.543] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.543] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.543] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.543] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.543] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 147 [0083.543] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.543] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.543] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.543] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.543] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.543] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.543] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.543] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 167 [0083.543] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.543] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.543] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.543] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.544] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.544] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.545] CloseHandle (hObject=0x43c) returned 1 [0083.545] GetProcessHeap () returned 0x3a00000 [0083.545] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.545] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e04f53, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e04f53, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.545] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0083.545] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.545] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.546] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.547] CloseHandle (hObject=0x438) returned 1 [0083.547] GetProcessHeap () returned 0x3a00000 [0083.547] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.547] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.547] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0083.547] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.547] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{b175520c-86a2-35a7-8619-86dc379688b9}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.548] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.549] CloseHandle (hObject=0x434) returned 1 [0083.549] GetProcessHeap () returned 0x3a00000 [0083.549] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.549] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0083.549] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Windows") returned -1 [0083.549] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0083.549] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="System Volume Information") returned -1 [0083.549] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files") returned -1 [0083.549] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0083.549] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030") returned 86 [0083.549] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0083.549] lstrcmpW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0083.549] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.549] GetProcessHeap () returned 0x3a00000 [0083.549] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.549] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*") returned 88 [0083.549] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0083.549] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.549] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.550] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.550] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.550] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.550] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\.") returned 88 [0083.550] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.550] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.550] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.550] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.550] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.550] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.550] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.550] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\..") returned 89 [0083.550] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.550] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.550] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e4f5cc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.550] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.550] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.550] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.550] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.550] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.550] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.550] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.550] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.550] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.550] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.550] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.550] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.550] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.550] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.550] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages") returned 95 [0083.550] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.550] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.550] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.550] GetProcessHeap () returned 0x3a00000 [0083.551] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*") returned 97 [0083.551] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.551] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.551] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.551] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.551] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.551] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\.") returned 97 [0083.551] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.551] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.551] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.551] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.551] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.551] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.551] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\..") returned 98 [0083.551] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.551] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.551] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e4f5cc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.551] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.551] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.551] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.551] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.551] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.551] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.551] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.551] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.551] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.552] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Windows") returned -1 [0083.552] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$Recycle.bin") returned 1 [0083.552] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="System Volume Information") returned 1 [0083.552] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files") returned 1 [0083.552] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="Program Files (x86)") returned 1 [0083.552] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86") returned 116 [0083.552] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0083.552] lstrcmpW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0083.552] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.552] GetProcessHeap () returned 0x3a00000 [0083.552] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*") returned 118 [0083.552] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0083.552] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.552] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.552] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.552] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.552] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\.") returned 118 [0083.552] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.552] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.552] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.552] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.552] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.552] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.552] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.552] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\..") returned 119 [0083.552] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.552] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9e4f5cc, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.553] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.553] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.553] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.553] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.553] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 148 [0083.553] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.553] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966f4c00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x966f4c00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xf9e29390, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc8d35, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.553] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.553] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.553] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.553] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.553] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 144 [0083.553] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.553] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.553] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.553] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.553] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.553] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal") returned 161 [0083.553] StrStrIW (lpFirst="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.553] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.553] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0083.553] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 148 [0083.553] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\vcruntimeminimum_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.554] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.555] CloseHandle (hObject=0x43c) returned 1 [0083.555] GetProcessHeap () returned 0x3a00000 [0083.555] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.555] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9e4f5cc, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9e4f5cc, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.555] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.555] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.555] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.556] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.557] CloseHandle (hObject=0x438) returned 1 [0083.557] GetProcessHeap () returned 0x3a00000 [0083.557] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.557] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.557] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0083.557] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.557] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{bd95a8cd-1d9f-35ad-981a-3e7925026ebb}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.558] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.559] CloseHandle (hObject=0x434) returned 1 [0083.559] GetProcessHeap () returned 0x3a00000 [0083.559] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.559] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f0ee12, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0083.559] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Windows") returned -1 [0083.559] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$Recycle.bin") returned 1 [0083.559] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="System Volume Information") returned -1 [0083.559] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files") returned -1 [0083.559] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="Program Files (x86)") returned -1 [0083.559] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}") returned 75 [0083.559] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0083.559] lstrcmpW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0083.559] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.559] GetProcessHeap () returned 0x3a00000 [0083.559] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.559] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*") returned 77 [0083.559] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f0ee12, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.559] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.559] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.559] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.559] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.559] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.559] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\.") returned 77 [0083.559] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.560] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f0ee12, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.560] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.560] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.560] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.560] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.560] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.560] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\..") returned 78 [0083.560] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.560] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.560] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f0ee12, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9f0ee12, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.560] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.560] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.560] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.560] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.560] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.560] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.560] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.560] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.560] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9e75c24, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5f6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.560] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.560] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.560] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.560] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.560] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.560] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.560] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.560] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6f71c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 1 [0083.560] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.560] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.560] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.560] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.560] lstrcmpiW (lpString1="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.560] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe_r00t_{8ew5f6}.ebal") returned 111 [0083.561] StrStrIW (lpFirst="vcredist_x64.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.561] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9f0ee12, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x6f71c, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 0 [0083.561] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.561] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.561] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.562] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.563] CloseHandle (hObject=0x434) returned 1 [0083.563] GetProcessHeap () returned 0x3a00000 [0083.563] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.563] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0083.563] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Windows") returned -1 [0083.563] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$Recycle.bin") returned 1 [0083.563] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="System Volume Information") returned -1 [0083.563] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files") returned -1 [0083.563] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="Program Files (x86)") returned -1 [0083.563] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030") returned 86 [0083.563] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0083.563] lstrcmpW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0083.563] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.563] GetProcessHeap () returned 0x3a00000 [0083.563] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.563] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*") returned 88 [0083.563] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9f5a641, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0083.563] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.563] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.563] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.563] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.564] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.564] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\.") returned 88 [0083.564] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.564] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9f5a641, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.564] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.564] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.564] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.564] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.564] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.564] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\..") returned 89 [0083.564] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.564] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.564] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f5a641, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9f5a641, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f5a641, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.564] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.564] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.564] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.564] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.564] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.564] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.564] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.564] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.564] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.564] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.564] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages") returned 95 [0083.564] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.564] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.564] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.564] GetProcessHeap () returned 0x3a00000 [0083.564] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.564] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*") returned 97 [0083.565] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.565] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.565] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.565] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.565] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.565] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\.") returned 97 [0083.565] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.565] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.565] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.565] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.565] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.565] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.565] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\..") returned 98 [0083.565] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.565] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.565] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f343c4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f5a641, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.565] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.565] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.565] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.565] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.565] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.565] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.565] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.565] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.565] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.565] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Windows") returned -1 [0083.565] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$Recycle.bin") returned 1 [0083.565] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="System Volume Information") returned 1 [0083.566] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files") returned 1 [0083.566] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="Program Files (x86)") returned 1 [0083.566] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64") returned 118 [0083.566] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0083.566] lstrcmpW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0083.566] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.566] GetProcessHeap () returned 0x3a00000 [0083.566] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*") returned 120 [0083.566] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.566] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.566] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.566] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.566] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.566] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\.") returned 120 [0083.566] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.566] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.566] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.566] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.566] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.566] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.566] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.566] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\..") returned 121 [0083.566] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.566] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.566] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9f343c4, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.566] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.567] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.567] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 150 [0083.567] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.567] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.567] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4bd6800, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xa4bd6800, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xc5ea9, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.567] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.567] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.567] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.567] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.567] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.567] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 146 [0083.567] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.567] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.567] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.567] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.567] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.567] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.567] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.567] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal") returned 163 [0083.567] StrStrIW (lpFirst="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.567] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x25384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeMinimum_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.567] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.567] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 150 [0083.567] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\vcruntimeminimum_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.568] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.569] CloseHandle (hObject=0x43c) returned 1 [0083.569] GetProcessHeap () returned 0x3a00000 [0083.569] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.569] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9f343c4, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9f343c4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.569] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.569] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.569] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.570] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.574] CloseHandle (hObject=0x438) returned 1 [0083.574] GetProcessHeap () returned 0x3a00000 [0083.574] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.574] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.574] FindClose (in: hFindFile=0x3a38638 | out: hFindFile=0x3a38638) returned 1 [0083.574] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.574] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{cf2bea3c-26ea-32f8-aa9b-331f7e34ba97}v11.0.61030\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.575] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.576] CloseHandle (hObject=0x434) returned 1 [0083.576] GetProcessHeap () returned 0x3a00000 [0083.576] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.576] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0083.576] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Windows") returned -1 [0083.576] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$Recycle.bin") returned 1 [0083.576] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="System Volume Information") returned -1 [0083.576] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files") returned -1 [0083.576] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="Program Files (x86)") returned -1 [0083.576] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017") returned 87 [0083.576] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0083.576] lstrcmpW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0083.576] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.576] GetProcessHeap () returned 0x3a00000 [0083.576] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.576] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*") returned 89 [0083.576] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.576] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.576] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.576] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.577] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.577] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.577] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\.") returned 89 [0083.577] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.577] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.577] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.577] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.577] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.577] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.577] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.577] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\..") returned 90 [0083.577] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.577] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.579] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9fcce2b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.579] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.579] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.579] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.579] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.579] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.579] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.579] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.579] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.579] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.579] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.579] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.579] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.579] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.579] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.579] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages") returned 96 [0083.579] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.579] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.579] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.579] GetProcessHeap () returned 0x3a00000 [0083.580] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.580] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*") returned 98 [0083.580] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.580] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.580] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.580] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.580] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.580] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.580] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\.") returned 98 [0083.580] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.580] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.580] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.580] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.580] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.580] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.580] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.580] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\..") returned 99 [0083.580] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.580] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.580] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9fcce2b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.580] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.580] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.580] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.580] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.580] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.580] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.580] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.580] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.580] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0083.581] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Windows") returned -1 [0083.581] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$Recycle.bin") returned 1 [0083.581] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="System Volume Information") returned 1 [0083.581] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files") returned 1 [0083.581] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="Program Files (x86)") returned 1 [0083.581] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64") returned 122 [0083.581] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0083.581] lstrcmpW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0083.581] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.581] GetProcessHeap () returned 0x3a00000 [0083.581] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.581] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*") returned 124 [0083.581] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.581] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.581] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.581] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.581] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.581] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.581] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\.") returned 124 [0083.581] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.581] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.581] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.581] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.581] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.581] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.581] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.581] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\..") returned 125 [0083.581] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.581] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.581] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9fcce2b, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.582] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.582] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.582] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.582] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.582] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.582] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 154 [0083.582] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.582] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.582] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90b3300, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe90b3300, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xf9fa6b92, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x59c169, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.582] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.582] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.582] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.582] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.582] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.582] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\cab1.cab_r00t_{8ew5f6}.ebal") returned 150 [0083.582] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.582] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.582] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.582] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.582] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.582] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.582] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.582] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal") returned 170 [0083.582] StrStrIW (lpFirst="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.582] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x64.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.582] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.582] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 154 [0083.582] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\vcruntimeadditional_amd64\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.583] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.584] CloseHandle (hObject=0x43c) returned 1 [0083.584] GetProcessHeap () returned 0x3a00000 [0083.584] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.584] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9fcce2b, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0083.584] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.584] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 128 [0083.584] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.585] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.586] CloseHandle (hObject=0x438) returned 1 [0083.586] GetProcessHeap () returned 0x3a00000 [0083.586] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.586] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.586] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.586] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 119 [0083.586] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{e512788e-c50b-3858-a4b9-73ad5f3f9e93}v14.10.25017\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.587] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.588] CloseHandle (hObject=0x434) returned 1 [0083.588] GetProcessHeap () returned 0x3a00000 [0083.588] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9ff51cd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xf9ff51cd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0083.588] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Windows") returned -1 [0083.588] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$Recycle.bin") returned 1 [0083.588] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="System Volume Information") returned -1 [0083.588] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files") returned -1 [0083.588] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="Program Files (x86)") returned -1 [0083.588] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}") returned 75 [0083.588] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0083.588] lstrcmpW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0083.588] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.588] GetProcessHeap () returned 0x3a00000 [0083.588] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.588] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*") returned 77 [0083.588] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9ff51cd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa01923d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0083.588] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.588] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.588] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.589] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.589] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.589] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\.") returned 77 [0083.589] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.589] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xf9ff51cd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa01923d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.589] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.589] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.589] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.589] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.589] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.589] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\..") returned 78 [0083.589] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.589] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.589] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa01923d, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa01923d, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa01923d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.589] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.589] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.589] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.589] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.589] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.589] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.589] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.589] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.589] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9fcce2b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x672, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.589] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.589] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.589] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.589] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.589] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.589] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.589] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.589] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9ff51cd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xbf1bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RED~1.EBA")) returned 1 [0083.589] lstrcmpiW (lpString1="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.589] lstrcmpiW (lpString1="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.590] lstrcmpiW (lpString1="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.590] lstrcmpiW (lpString1="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.590] lstrcmpiW (lpString1="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.590] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\VC_redist.x64.exe_r00t_{8ew5f6}.ebal") returned 112 [0083.590] StrStrIW (lpFirst="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.590] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xf9ff51cd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xbf1bc, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x64.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RED~1.EBA")) returned 0 [0083.590] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.590] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.590] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.591] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.591] CloseHandle (hObject=0x434) returned 1 [0083.591] GetProcessHeap () returned 0x3a00000 [0083.591] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.592] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa0fdfbd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0083.592] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Windows") returned -1 [0083.592] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$Recycle.bin") returned 1 [0083.592] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="System Volume Information") returned -1 [0083.592] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files") returned -1 [0083.592] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="Program Files (x86)") returned -1 [0083.592] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}") returned 75 [0083.592] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0083.592] lstrcmpW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0083.592] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.592] GetProcessHeap () returned 0x3a00000 [0083.592] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.592] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*") returned 77 [0083.592] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa0fdfbd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0083.592] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.592] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.592] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.592] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.592] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.592] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\.") returned 77 [0083.592] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.592] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa0fdfbd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.592] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.592] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.592] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.592] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.592] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.593] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\..") returned 78 [0083.593] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.593] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.593] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa0fdfbd, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa0fdfbd, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.593] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.593] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.593] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.593] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.593] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.593] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.593] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.593] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.593] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa01923d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x602, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.593] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.593] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.593] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.593] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.593] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.593] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.593] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.593] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x71404, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 1 [0083.593] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.593] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.593] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.593] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.593] lstrcmpiW (lpString1="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.593] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\vcredist_x86.exe_r00t_{8ew5f6}.ebal") returned 111 [0083.593] StrStrIW (lpFirst="vcredist_x86.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.593] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x71404, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcredist_x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VCREDI~1.EBA")) returned 0 [0083.593] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0083.593] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.594] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.594] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.595] CloseHandle (hObject=0x434) returned 1 [0083.595] GetProcessHeap () returned 0x3a00000 [0083.595] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.595] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa12486a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa12486a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0083.595] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Windows") returned -1 [0083.595] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$Recycle.bin") returned 1 [0083.596] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="System Volume Information") returned -1 [0083.596] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files") returned -1 [0083.596] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="Program Files (x86)") returned -1 [0083.596] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}") returned 75 [0083.596] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0083.596] lstrcmpW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0083.596] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.596] GetProcessHeap () returned 0x3a00000 [0083.596] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.596] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*") returned 77 [0083.596] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa12486a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa14a578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.596] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.596] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.596] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.596] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.596] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.596] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\.") returned 77 [0083.596] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.596] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa12486a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa14a578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.596] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.596] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.596] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.596] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.596] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.596] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\..") returned 78 [0083.596] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.596] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.596] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa14a578, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa14a578, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa14a578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.596] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.597] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.597] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.597] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.597] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.597] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.597] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.597] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.597] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa0fdfbd, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x672, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="state.rsm_r00t_{8ew5f6}.ebal", cAlternateFileName="STATER~1.EBA")) returned 1 [0083.597] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.597] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.597] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.597] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.597] lstrcmpiW (lpString1="state.rsm_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.597] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm_r00t_{8ew5f6}.ebal") returned 104 [0083.597] StrStrIW (lpFirst="state.rsm_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.597] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa12486a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xbf1b4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RED~1.EBA")) returned 1 [0083.597] lstrcmpiW (lpString1="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.597] lstrcmpiW (lpString1="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.597] lstrcmpiW (lpString1="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.597] lstrcmpiW (lpString1="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.597] lstrcmpiW (lpString1="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.597] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\VC_redist.x86.exe_r00t_{8ew5f6}.ebal") returned 112 [0083.597] StrStrIW (lpFirst="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.597] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xfa12486a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xbf1b4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="VC_redist.x86.exe_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RED~1.EBA")) returned 0 [0083.597] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.597] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 107 [0083.597] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.598] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.599] CloseHandle (hObject=0x434) returned 1 [0083.599] GetProcessHeap () returned 0x3a00000 [0083.599] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0083.599] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Windows") returned -1 [0083.599] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$Recycle.bin") returned 1 [0083.599] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="System Volume Information") returned -1 [0083.599] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files") returned -1 [0083.599] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="Program Files (x86)") returned -1 [0083.599] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005") returned 86 [0083.599] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0083.599] lstrcmpW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0083.599] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.599] GetProcessHeap () returned 0x3a00000 [0083.599] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.599] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*") returned 88 [0083.599] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0083.600] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.600] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.600] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.600] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.600] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.600] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\.") returned 88 [0083.600] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.600] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.600] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.600] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.600] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.600] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.600] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.600] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\..") returned 89 [0083.600] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.600] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.600] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa170816, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.600] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.600] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.600] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.600] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.600] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.600] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.600] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.600] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.600] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 1 [0083.600] lstrcmpiW (lpString1="packages", lpString2="Windows") returned -1 [0083.600] lstrcmpiW (lpString1="packages", lpString2="$Recycle.bin") returned 1 [0083.600] lstrcmpiW (lpString1="packages", lpString2="System Volume Information") returned -1 [0083.601] lstrcmpiW (lpString1="packages", lpString2="Program Files") returned -1 [0083.601] lstrcmpiW (lpString1="packages", lpString2="Program Files (x86)") returned -1 [0083.601] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages") returned 95 [0083.601] lstrcmpW (lpString1="packages", lpString2=".") returned 1 [0083.601] lstrcmpW (lpString1="packages", lpString2="..") returned 1 [0083.601] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.601] GetProcessHeap () returned 0x3a00000 [0083.601] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.601] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*") returned 97 [0083.601] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.601] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.601] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.601] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.601] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.601] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.601] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\.") returned 97 [0083.601] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.601] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.601] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.601] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.601] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.601] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.601] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.601] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\..") returned 98 [0083.601] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.601] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.601] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa170816, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.601] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.601] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.602] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.602] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.602] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.602] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.602] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.602] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.602] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0083.602] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Windows") returned -1 [0083.602] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$Recycle.bin") returned 1 [0083.602] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="System Volume Information") returned 1 [0083.602] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files") returned 1 [0083.602] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="Program Files (x86)") returned 1 [0083.602] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86") returned 119 [0083.602] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0083.602] lstrcmpW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0083.602] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.602] GetProcessHeap () returned 0x3a00000 [0083.602] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.602] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*") returned 121 [0083.602] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0083.602] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.602] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.602] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.602] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.602] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.602] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\.") returned 121 [0083.602] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.602] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.602] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.603] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\..") returned 122 [0083.603] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.603] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.603] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa170816, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.603] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.603] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.603] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.603] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.603] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.603] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6151ff00, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x6151ff00, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xfa14a578, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4b48a4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="cab1.cab_r00t_{8ew5f6}.ebal", cAlternateFileName="CAB1CA~1.EBA")) returned 1 [0083.603] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.603] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.603] lstrcmpiW (lpString1="cab1.cab_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.603] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\cab1.cab_r00t_{8ew5f6}.ebal") returned 147 [0083.603] StrStrIW (lpFirst="cab1.cab_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.603] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 1 [0083.603] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.603] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.603] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.603] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.603] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.603] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal") returned 167 [0083.603] StrStrIW (lpFirst="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.603] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x23384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vc_runtimeAdditional_x86.msi_r00t_{8ew5f6}.ebal", cAlternateFileName="VC_RUN~1.EBA")) returned 0 [0083.604] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0083.604] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 151 [0083.604] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\vcruntimeadditional_x86\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.604] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.605] CloseHandle (hObject=0x43c) returned 1 [0083.605] GetProcessHeap () returned 0x3a00000 [0083.605] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xfa170816, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa170816, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0083.605] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.605] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 127 [0083.605] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\packages\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.606] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.607] CloseHandle (hObject=0x438) returned 1 [0083.607] GetProcessHeap () returned 0x3a00000 [0083.607] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.607] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="packages", cAlternateFileName="")) returned 0 [0083.607] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0083.607] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 118 [0083.607] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\{f8cfeb22-a2e7-3971-9eda-4b11edefc185}v12.0.21005\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.608] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.609] CloseHandle (hObject=0x434) returned 1 [0083.609] GetProcessHeap () returned 0x3a00000 [0083.609] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.609] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0083.609] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.609] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Package Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0083.609] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\Package Cache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\package cache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.610] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.611] CloseHandle (hObject=0x430) returned 1 [0083.611] GetProcessHeap () returned 0x3a00000 [0083.611] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0083.611] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Windows") returned -1 [0083.611] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="$Recycle.bin") returned 1 [0083.611] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="System Volume Information") returned -1 [0083.611] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Program Files") returned 1 [0083.611] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="Program Files (x86)") returned 1 [0083.611] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft") returned 50 [0083.611] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2=".") returned 1 [0083.611] lstrcmpW (lpString1="regid.1991-06.com.microsoft", lpString2="..") returned 1 [0083.611] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.611] GetProcessHeap () returned 0x3a00000 [0083.611] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.611] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*") returned 52 [0083.611] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.611] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.611] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.611] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.611] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.611] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.611] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\.") returned 52 [0083.612] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.612] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.612] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.612] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.612] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\." (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.612] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.612] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.612] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.612] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.612] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.612] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.612] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\..") returned 53 [0083.612] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.612] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.612] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.612] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.612] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.612] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.612] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\.." (normalized: "c:\\users\\all users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.612] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa2556c0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.612] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.612] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.612] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.612] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.612] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.612] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0083.613] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.613] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.613] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x4af5600b, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xfa196bc4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7b4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", cAlternateFileName="REGID1~1.EBA")) returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.613] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal") returned 152 [0083.613] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.613] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfefc00, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0xda9f4a95, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa20915e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7b0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", cAlternateFileName="REGID1~2.EBA")) returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.613] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal") returned 148 [0083.613] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.613] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x53fba98c, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x7b3, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", cAlternateFileName="REGID1~3.EBA")) returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.613] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal") returned 151 [0083.613] StrStrIW (lpFirst="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.613] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", cAlternateFileName="REGID1~4.EBA")) returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.613] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.613] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal") returned 120 [0083.614] StrStrIW (lpFirst="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.614] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x769, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag_r00t_{8ew5f6}.ebal", cAlternateFileName="REGID1~4.EBA")) returned 0 [0083.614] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.614] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0083.614] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\regid.1991-06.com.microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.614] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.615] CloseHandle (hObject=0x430) returned 1 [0083.615] GetProcessHeap () returned 0x3a00000 [0083.615] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0083.615] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Windows") returned -1 [0083.615] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="$Recycle.bin") returned 1 [0083.615] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="System Volume Information") returned -1 [0083.616] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Program Files") returned 1 [0083.616] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="Program Files (x86)") returned 1 [0083.616] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution") returned 43 [0083.616] lstrcmpW (lpString1="SoftwareDistribution", lpString2=".") returned 1 [0083.616] lstrcmpW (lpString1="SoftwareDistribution", lpString2="..") returned 1 [0083.616] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.616] GetProcessHeap () returned 0x3a00000 [0083.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*") returned 45 [0083.616] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.616] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.616] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.616] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.616] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.616] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\.") returned 45 [0083.616] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.616] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.616] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.616] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.616] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.616] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.616] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.616] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\..") returned 46 [0083.616] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.616] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.616] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa2556c0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.616] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.617] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.617] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.617] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.617] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.617] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.617] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.617] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.617] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa2556c0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.617] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.617] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0083.617] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\SoftwareDistribution\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\softwaredistribution\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.618] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.618] CloseHandle (hObject=0x430) returned 1 [0083.618] GetProcessHeap () returned 0x3a00000 [0083.618] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.619] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0083.619] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0083.619] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0083.619] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0083.619] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0083.619] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0083.619] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Start Menu") returned 33 [0083.619] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0083.619] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0083.619] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Start Menu", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.619] GetProcessHeap () returned 0x3a00000 [0083.619] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.619] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Start Menu\\*") returned 35 [0083.619] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Start Menu\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa2556c0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="--?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.619] GetProcessHeap () returned 0x3a00000 [0083.619] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.619] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0083.619] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0083.619] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0083.619] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0083.619] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0083.619] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0083.619] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Templates") returned 32 [0083.619] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0083.619] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0083.619] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\Templates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.619] GetProcessHeap () returned 0x3a00000 [0083.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.620] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\Templates\\*") returned 34 [0083.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\Templates\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa2556c0, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa2556c0, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa2556c0, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="--?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.620] GetProcessHeap () returned 0x3a00000 [0083.620] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.620] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0083.620] lstrcmpiW (lpString1="USOPrivate", lpString2="Windows") returned -1 [0083.620] lstrcmpiW (lpString1="USOPrivate", lpString2="$Recycle.bin") returned 1 [0083.620] lstrcmpiW (lpString1="USOPrivate", lpString2="System Volume Information") returned 1 [0083.620] lstrcmpiW (lpString1="USOPrivate", lpString2="Program Files") returned 1 [0083.620] lstrcmpiW (lpString1="USOPrivate", lpString2="Program Files (x86)") returned 1 [0083.620] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate") returned 33 [0083.620] lstrcmpW (lpString1="USOPrivate", lpString2=".") returned 1 [0083.620] lstrcmpW (lpString1="USOPrivate", lpString2="..") returned 1 [0083.620] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.620] GetProcessHeap () returned 0x3a00000 [0083.620] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.620] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*") returned 35 [0083.620] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.620] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.620] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.620] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.620] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.620] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.620] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\.") returned 35 [0083.620] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.620] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.621] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.621] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.621] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.621] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.621] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.621] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\..") returned 36 [0083.621] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.621] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.621] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa27c88a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.621] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.621] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.621] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.621] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.621] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.621] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0083.621] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.621] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.621] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0083.621] lstrcmpiW (lpString1="UpdateStore", lpString2="Windows") returned -1 [0083.621] lstrcmpiW (lpString1="UpdateStore", lpString2="$Recycle.bin") returned 1 [0083.621] lstrcmpiW (lpString1="UpdateStore", lpString2="System Volume Information") returned 1 [0083.621] lstrcmpiW (lpString1="UpdateStore", lpString2="Program Files") returned 1 [0083.621] lstrcmpiW (lpString1="UpdateStore", lpString2="Program Files (x86)") returned 1 [0083.621] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore") returned 45 [0083.621] lstrcmpW (lpString1="UpdateStore", lpString2=".") returned 1 [0083.621] lstrcmpW (lpString1="UpdateStore", lpString2="..") returned 1 [0083.621] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.621] GetProcessHeap () returned 0x3a00000 [0083.621] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.621] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*") returned 47 [0083.621] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0083.622] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.622] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.622] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.622] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.622] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.622] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\.") returned 47 [0083.622] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.622] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.622] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.622] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.622] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.622] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.622] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.622] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\..") returned 48 [0083.622] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.622] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.622] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa27c88a, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.622] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.622] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.622] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.622] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.622] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.622] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0083.622] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.622] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.622] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc9086d4, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xdc9086d4, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x39e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~1.EBA")) returned 1 [0083.622] lstrcmpiW (lpString1="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.622] lstrcmpiW (lpString1="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.622] lstrcmpiW (lpString1="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.622] lstrcmpiW (lpString1="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.623] lstrcmpiW (lpString1="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.623] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml_r00t_{8ew5f6}.ebal") returned 83 [0083.623] StrStrIW (lpFirst="UpdateCspStore.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.623] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x241e602, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xedf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~2.EBA")) returned 1 [0083.623] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.623] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.623] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.623] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.623] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.623] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal") returned 116 [0083.623] StrStrIW (lpFirst="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.623] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x241e602, ftLastAccessTime.dwHighDateTime=0x1d47c36, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0xedf, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~2.EBA")) returned 0 [0083.623] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.623] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0083.623] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\UpdateStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.635] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.636] CloseHandle (hObject=0x434) returned 1 [0083.636] GetProcessHeap () returned 0x3a00000 [0083.636] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.636] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa27c88a, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa27c88a, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0 [0083.636] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.636] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOPrivate\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 65 [0083.636] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOPrivate\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\usoprivate\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.637] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.638] CloseHandle (hObject=0x430) returned 1 [0083.638] GetProcessHeap () returned 0x3a00000 [0083.638] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.638] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0083.638] lstrcmpiW (lpString1="USOShared", lpString2="Windows") returned -1 [0083.638] lstrcmpiW (lpString1="USOShared", lpString2="$Recycle.bin") returned 1 [0083.638] lstrcmpiW (lpString1="USOShared", lpString2="System Volume Information") returned 1 [0083.638] lstrcmpiW (lpString1="USOShared", lpString2="Program Files") returned 1 [0083.638] lstrcmpiW (lpString1="USOShared", lpString2="Program Files (x86)") returned 1 [0083.638] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared") returned 32 [0083.638] lstrcmpW (lpString1="USOShared", lpString2=".") returned 1 [0083.638] lstrcmpW (lpString1="USOShared", lpString2="..") returned 1 [0083.638] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\USOShared", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.638] GetProcessHeap () returned 0x3a00000 [0083.638] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.638] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\*") returned 34 [0083.638] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.639] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.639] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.639] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.639] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.639] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.639] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\.") returned 34 [0083.639] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.639] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.639] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.639] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.639] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.639] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.639] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.639] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\..") returned 35 [0083.639] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.639] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.639] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa635282, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.639] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.639] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0083.639] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.639] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.639] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 1 [0083.639] lstrcmpiW (lpString1="Logs", lpString2="Windows") returned -1 [0083.639] lstrcmpiW (lpString1="Logs", lpString2="$Recycle.bin") returned 1 [0083.640] lstrcmpiW (lpString1="Logs", lpString2="System Volume Information") returned -1 [0083.640] lstrcmpiW (lpString1="Logs", lpString2="Program Files") returned -1 [0083.640] lstrcmpiW (lpString1="Logs", lpString2="Program Files (x86)") returned -1 [0083.640] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs") returned 37 [0083.640] lstrcmpW (lpString1="Logs", lpString2=".") returned 1 [0083.640] lstrcmpW (lpString1="Logs", lpString2="..") returned 1 [0083.640] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.640] GetProcessHeap () returned 0x3a00000 [0083.640] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.640] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*") returned 39 [0083.640] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.640] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.640] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.640] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.640] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.640] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.640] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\.") returned 39 [0083.640] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.640] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.640] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.641] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.641] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.641] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.641] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.641] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\..") returned 40 [0083.641] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.641] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.641] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfa635282, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.641] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.641] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.641] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.641] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.641] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.641] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0083.641] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.641] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.641] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x58d51fd9, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0xfa2c7fb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOTIFI~1.EBA")) returned 1 [0083.641] lstrcmpiW (lpString1="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.641] lstrcmpiW (lpString1="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.641] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl_r00t_{8ew5f6}.ebal") returned 79 [0083.641] StrStrIW (lpFirst="NotificationUx.001.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.641] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7cf76e0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xfa2c7fb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOTIFI~2.EBA")) returned 1 [0083.641] lstrcmpiW (lpString1="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.641] lstrcmpiW (lpString1="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.641] lstrcmpiW (lpString1="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.641] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl_r00t_{8ew5f6}.ebal") returned 79 [0083.641] StrStrIW (lpFirst="NotificationUx.002.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.641] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2d822f20, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xfa2c7fb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOTIFI~3.EBA")) returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.642] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.642] StrStrIW (lpFirst="NotificationUxBroker.001.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.642] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfe554d51, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0xfa2c7fb8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOTIFI~4.EBA")) returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.642] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.642] StrStrIW (lpFirst="NotificationUxBroker.002.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.642] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfdf01be1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfa316633, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOC789~1.EBA")) returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.642] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.642] StrStrIW (lpFirst="NotificationUxBroker.003.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.642] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x588b3c6a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0xfa33a3d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO4537~1.EBA")) returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.642] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.642] StrStrIW (lpFirst="NotificationUxBroker.004.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.642] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xb4b94410, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0xfa33a3d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOA32E~1.EBA")) returned 1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.642] lstrcmpiW (lpString1="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.643] StrStrIW (lpFirst="NotificationUxBroker.005.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.643] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x86d6bb14, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0xfa33a3d4, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO21DB~1.EBA")) returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.643] StrStrIW (lpFirst="NotificationUxBroker.006.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.643] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe7f77c60, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xfa38686e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO804D~1.EBA")) returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.643] StrStrIW (lpFirst="NotificationUxBroker.007.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.643] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe1017621, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfa38686e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO7D0D~1.EBA")) returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.643] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.643] StrStrIW (lpFirst="NotificationUxBroker.008.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.643] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2fb7ebe4, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0xfa3acbc8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOFABA~1.EBA")) returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.643] lstrcmpiW (lpString1="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.644] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.644] StrStrIW (lpFirst="NotificationUxBroker.009.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.644] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xd855139b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xfa3acbc8, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO314B~1.EBA")) returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.644] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.644] StrStrIW (lpFirst="NotificationUxBroker.010.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.644] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x1ff683d6, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0xfa3d2cae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO70DD~1.EBA")) returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.644] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.644] StrStrIW (lpFirst="NotificationUxBroker.011.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.644] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x46e2de3d, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0xfa3d2cae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO8D7C~1.EBA")) returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.644] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.644] StrStrIW (lpFirst="NotificationUxBroker.012.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.644] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x235d058f, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0xfa3d2cae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO0B2A~1.EBA")) returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.644] lstrcmpiW (lpString1="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.645] StrStrIW (lpFirst="NotificationUxBroker.013.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.645] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x8f69453d, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0xfa3d2cae, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOA6EE~1.EBA")) returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.645] StrStrIW (lpFirst="NotificationUxBroker.014.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.645] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7fb3688d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xfa3f8f11, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO576B~1.EBA")) returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.645] StrStrIW (lpFirst="NotificationUxBroker.015.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.645] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb502d29, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xfa445464, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NOCA4A~1.EBA")) returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.645] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.645] StrStrIW (lpFirst="NotificationUxBroker.016.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.645] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7b53cfc, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xfa445464, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="NO3300~1.EBA")) returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned -1 [0083.645] lstrcmpiW (lpString1="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned -1 [0083.646] lstrcmpiW (lpString1="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned -1 [0083.646] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal") returned 85 [0083.646] StrStrIW (lpFirst="NotificationUxBroker.017.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xeebb90da, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xeebb90da, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Windows") returned -1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="$Recycle.bin") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="System Volume Information") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Program Files") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="Program Files (x86)") returned 1 [0083.646] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl") returned 72 [0083.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xde371631, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xfa46b671, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~1.EBA")) returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.646] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.646] StrStrIW (lpFirst="UpdateSessionOrchestration.002.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2a522d7b, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xfa46b671, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~2.EBA")) returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.646] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.646] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.646] StrStrIW (lpFirst="UpdateSessionOrchestration.003.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.646] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2cbb43aa, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0xfa46b671, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~3.EBA")) returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.647] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.647] StrStrIW (lpFirst="UpdateSessionOrchestration.004.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.647] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x60de6047, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xfa491908, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPDATE~4.EBA")) returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.647] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.647] StrStrIW (lpFirst="UpdateSessionOrchestration.005.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.647] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa72ae253, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xfa491908, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP3E18~1.EBA")) returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.647] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.647] StrStrIW (lpFirst="UpdateSessionOrchestration.006.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.647] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x5ca8efbc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xfa4b7ae6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP73F0~1.EBA")) returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.647] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.647] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.647] StrStrIW (lpFirst="UpdateSessionOrchestration.007.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.647] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4346f4fe, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0xfa4b7ae6, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP1ABC~1.EBA")) returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.648] StrStrIW (lpFirst="UpdateSessionOrchestration.008.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.648] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x745a10f, ftLastAccessTime.dwHighDateTime=0x1d3aafc, ftLastWriteTime.dwLowDateTime=0xfa4de28b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPB613~1.EBA")) returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.648] StrStrIW (lpFirst="UpdateSessionOrchestration.009.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.648] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd59be406, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xfa4de28b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP4E87~1.EBA")) returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.648] StrStrIW (lpFirst="UpdateSessionOrchestration.010.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.648] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x198319d2, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xfa4de28b, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP6381~1.EBA")) returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.648] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.648] StrStrIW (lpFirst="UpdateSessionOrchestration.011.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.648] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1c505b8c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xfa50402f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP9AC8~1.EBA")) returned 1 [0083.648] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.649] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.649] StrStrIW (lpFirst="UpdateSessionOrchestration.012.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.649] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdaf93ab4, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xfa50402f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP1876~1.EBA")) returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.649] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.649] StrStrIW (lpFirst="UpdateSessionOrchestration.013.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.649] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1977635c, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xfa52a233, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP766D~1.EBA")) returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.649] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.649] StrStrIW (lpFirst="UpdateSessionOrchestration.014.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.649] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfc820227, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0xfa55047e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPF31B~1.EBA")) returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.649] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.649] StrStrIW (lpFirst="UpdateSessionOrchestration.015.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.649] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfd9caf15, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfa57670e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x1384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPBDFD~1.EBA")) returned 1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.650] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.650] StrStrIW (lpFirst="UpdateSessionOrchestration.016.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.650] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xda210f79, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xfa57670e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x5384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP405C~1.EBA")) returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.650] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.650] StrStrIW (lpFirst="UpdateSessionOrchestration.017.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.650] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe0798fd2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xfa57670e, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPCDF9~1.EBA")) returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.650] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.650] StrStrIW (lpFirst="UpdateSessionOrchestration.018.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.650] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd7a24386, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xfa59c9ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPE31F~1.EBA")) returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.650] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.650] StrStrIW (lpFirst="UpdateSessionOrchestration.019.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.650] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1fc4717b, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0xfa59c9ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPAD8E~1.EBA")) returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.651] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.651] StrStrIW (lpFirst="UpdateSessionOrchestration.020.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.651] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x22cb9437, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0xfa59c9ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP50CB~1.EBA")) returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.651] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.651] StrStrIW (lpFirst="UpdateSessionOrchestration.021.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.651] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8f4581c2, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0xfa59c9ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP515D~1.EBA")) returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.651] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.651] StrStrIW (lpFirst="UpdateSessionOrchestration.022.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.651] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7f83b96b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0xfa59c9ab, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPD3AF~1.EBA")) returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.651] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.651] StrStrIW (lpFirst="UpdateSessionOrchestration.023.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.651] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcae2810e, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xfa5e8e21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP2AAA~1.EBA")) returned 1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.651] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.652] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.652] StrStrIW (lpFirst="UpdateSessionOrchestration.024.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.652] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcd491119, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xfa5e8e21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPF70B~1.EBA")) returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.652] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.652] StrStrIW (lpFirst="UpdateSessionOrchestration.025.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.652] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb30910b4, ftLastAccessTime.dwHighDateTime=0x1d3278b, ftLastWriteTime.dwLowDateTime=0xfa5e8e21, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x4384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP064F~1.EBA")) returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.652] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.652] StrStrIW (lpFirst="UpdateSessionOrchestration.026.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.652] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbda7099b, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xfa60f04d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP83FC~1.EBA")) returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files (x86)") returned 1 [0083.652] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.652] StrStrIW (lpFirst="UpdateSessionOrchestration.027.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.652] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa972a1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xfa60f04d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP2E1C~1.EBA")) returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", lpString2="Windows") returned -1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", lpString2="$Recycle.bin") returned 1 [0083.652] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", lpString2="System Volume Information") returned 1 [0083.653] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", lpString2="Program Files") returned 1 [0083.653] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal") returned 91 [0083.653] StrStrIW (lpFirst="UpdateSessionOrchestration.028.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.653] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x8243765a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0xfa60f04d, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x2384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.001.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UP389E~1.EBA")) returned 1 [0083.653] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl_r00t_{8ew5f6}.ebal") returned 73 [0083.653] StrStrIW (lpFirst="UpdateUx.001.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.653] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.002.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPE917~1.EBA")) returned 1 [0083.653] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl_r00t_{8ew5f6}.ebal") returned 73 [0083.653] StrStrIW (lpFirst="UpdateUx.002.etl_r00t_{8ew5f6}.ebal", lpSrch=".ebal") returned=".ebal" [0083.653] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3384, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UpdateUx.002.etl_r00t_{8ew5f6}.ebal", cAlternateFileName="UPE917~1.EBA")) returned 0 [0083.653] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.653] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0083.653] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\Logs\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\usoshared\\logs\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.654] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.655] CloseHandle (hObject=0x434) returned 1 [0083.655] GetProcessHeap () returned 0x3a00000 [0083.655] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.655] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Logs", cAlternateFileName="")) returned 0 [0083.655] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.655] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\USOShared\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0083.655] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\USOShared\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\usoshared\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.656] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.657] CloseHandle (hObject=0x430) returned 1 [0083.657] GetProcessHeap () returned 0x3a00000 [0083.657] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.657] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0083.657] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Windows") returned 1 [0083.657] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="$Recycle.bin") returned 1 [0083.657] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="System Volume Information") returned 1 [0083.657] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Program Files") returned 1 [0083.657] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="Program Files (x86)") returned 1 [0083.657] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices") returned 48 [0083.657] lstrcmpW (lpString1="WindowsHolographicDevices", lpString2=".") returned 1 [0083.657] lstrcmpW (lpString1="WindowsHolographicDevices", lpString2="..") returned 1 [0083.657] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.657] GetProcessHeap () returned 0x3a00000 [0083.657] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.657] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\*") returned 50 [0083.657] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.657] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.657] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.657] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.657] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.657] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.657] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\.") returned 50 [0083.657] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.657] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.658] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.658] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.658] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.658] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.658] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.658] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\..") returned 51 [0083.658] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.658] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.658] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa65b44f, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa65b44f, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa65b44f, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.658] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.658] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.658] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.658] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.658] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.658] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0083.658] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.658] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.658] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 1 [0083.658] lstrcmpiW (lpString1="SpatialStore", lpString2="Windows") returned -1 [0083.658] lstrcmpiW (lpString1="SpatialStore", lpString2="$Recycle.bin") returned 1 [0083.658] lstrcmpiW (lpString1="SpatialStore", lpString2="System Volume Information") returned -1 [0083.658] lstrcmpiW (lpString1="SpatialStore", lpString2="Program Files") returned 1 [0083.658] lstrcmpiW (lpString1="SpatialStore", lpString2="Program Files (x86)") returned 1 [0083.658] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore") returned 61 [0083.658] lstrcmpW (lpString1="SpatialStore", lpString2=".") returned 1 [0083.658] lstrcmpW (lpString1="SpatialStore", lpString2="..") returned 1 [0083.658] lstrcmpW (lpString1="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.658] GetProcessHeap () returned 0x3a00000 [0083.658] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.658] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\*") returned 63 [0083.658] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a380f8 [0083.659] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.659] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\.") returned 63 [0083.659] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.659] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.659] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\..") returned 64 [0083.659] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.659] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.659] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa635282, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 1 [0083.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Windows") returned -1 [0083.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="$Recycle.bin") returned 1 [0083.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="System Volume Information") returned -1 [0083.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files") returned -1 [0083.659] lstrcmpiW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="Program Files (x86)") returned -1 [0083.659] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.659] StrStrIW (lpFirst="---==%$$$OPEN_ME_UP$$$==---.txt", lpSrch=".ebal") returned 0x0 [0083.659] lstrcmpW (lpString1="---==%$$$OPEN_ME_UP$$$==---.txt", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 0 [0083.659] FindNextFileW (in: hFindFile=0x3a380f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfa635282, ftCreationTime.dwHighDateTime=0x1d5c439, ftLastAccessTime.dwLowDateTime=0xfa635282, ftLastAccessTime.dwHighDateTime=0x1d5c439, ftLastWriteTime.dwLowDateTime=0xfa635282, ftLastWriteTime.dwHighDateTime=0x1d5c439, nFileSizeHigh=0x0, nFileSizeLow=0x3a6, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="---==%$$$OPEN_ME_UP$$$==---.txt", cAlternateFileName="---__%~1.TXT")) returned 0 [0083.659] FindClose (in: hFindFile=0x3a380f8 | out: hFindFile=0x3a380f8) returned 1 [0083.659] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 93 [0083.659] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\windowsholographicdevices\\spatialstore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.660] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.661] CloseHandle (hObject=0x434) returned 1 [0083.661] GetProcessHeap () returned 0x3a00000 [0083.661] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.661] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 0 [0083.661] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.661] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0083.661] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\WindowsHolographicDevices\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\windowsholographicdevices\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.662] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.663] CloseHandle (hObject=0x430) returned 1 [0083.663] GetProcessHeap () returned 0x3a00000 [0083.663] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.663] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0083.663] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0083.663] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\All Users\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 54 [0083.663] CreateFileW (lpFileName="\\\\?\\C:\\Users\\All Users\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\all users\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0083.664] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0083.665] CloseHandle (hObject=0x42c) returned 1 [0083.665] GetProcessHeap () returned 0x3a00000 [0083.665] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0083.665] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x8000000, cFileName="Default", cAlternateFileName="")) returned 1 [0083.665] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0083.665] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0083.665] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default") returned 20 [0083.665] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0083.665] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0083.665] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.665] GetProcessHeap () returned 0x3a00000 [0083.665] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a46b28 [0083.665] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\*") returned 22 [0083.665] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0083.665] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.665] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.665] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.665] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\.") returned 22 [0083.665] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.665] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.666] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.666] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.666] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.666] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\." (normalized: "c:\\users\\default\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.666] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.666] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.666] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.666] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.667] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.667] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.667] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\..") returned 23 [0083.667] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.667] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.667] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.667] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.667] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.667] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.667] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\.." (normalized: "c:\\users"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.667] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppData", cAlternateFileName="")) returned 1 [0083.667] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0083.667] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0083.667] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0083.667] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0083.667] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0083.667] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData") returned 28 [0083.667] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0083.667] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0083.667] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.667] GetProcessHeap () returned 0x3a00000 [0083.667] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.667] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\*") returned 30 [0083.667] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.667] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.667] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.668] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.668] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.668] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.668] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\.") returned 30 [0083.668] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.668] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.668] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.668] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.668] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\." (normalized: "c:\\users\\default\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.668] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.668] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.668] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.668] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.668] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.668] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.668] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\..") returned 31 [0083.668] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.668] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.668] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.668] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.668] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.668] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.668] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.668] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Local", cAlternateFileName="")) returned 1 [0083.668] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0083.668] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0083.668] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0083.668] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0083.669] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0083.669] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local") returned 34 [0083.669] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0083.669] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0083.669] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.669] GetProcessHeap () returned 0x3a00000 [0083.669] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.669] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*") returned 36 [0083.669] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0083.669] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.669] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.669] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.669] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.669] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.669] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\.") returned 36 [0083.669] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.669] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.669] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.669] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.669] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.669] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.669] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.669] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\..") returned 37 [0083.669] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.669] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.669] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0083.669] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0083.669] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0083.669] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0083.669] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0083.670] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0083.670] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data") returned 51 [0083.670] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0083.670] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0083.670] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.670] GetProcessHeap () returned 0x3a00000 [0083.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.670] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*") returned 53 [0083.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Application Data\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ff, ftLastWriteTime.dwLowDateTime=0xffffd459, ftLastWriteTime.dwHighDateTime=0x201, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ٚ?", cAlternateFileName="叨Φ￿￿扨@￿￿叨Φ\x05")) returned 0xffffffff [0083.670] GetProcessHeap () returned 0x3a00000 [0083.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.670] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="History", cAlternateFileName="")) returned 1 [0083.670] lstrcmpiW (lpString1="History", lpString2="Windows") returned -1 [0083.670] lstrcmpiW (lpString1="History", lpString2="$Recycle.bin") returned 1 [0083.670] lstrcmpiW (lpString1="History", lpString2="System Volume Information") returned -1 [0083.670] lstrcmpiW (lpString1="History", lpString2="Program Files") returned -1 [0083.670] lstrcmpiW (lpString1="History", lpString2="Program Files (x86)") returned -1 [0083.670] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History") returned 42 [0083.670] lstrcmpW (lpString1="History", lpString2=".") returned 1 [0083.670] lstrcmpW (lpString1="History", lpString2="..") returned 1 [0083.670] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.670] GetProcessHeap () returned 0x3a00000 [0083.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.670] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*") returned 44 [0083.670] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\History\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ff, ftLastWriteTime.dwLowDateTime=0xffffd459, ftLastWriteTime.dwHighDateTime=0x201, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ٚ?", cAlternateFileName="叨Φ￿￿扨@￿￿叨Φ\x05")) returned 0xffffffff [0083.670] GetProcessHeap () returned 0x3a00000 [0083.670] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.670] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0083.670] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0083.671] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0083.671] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0083.671] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0083.671] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0083.671] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft") returned 44 [0083.671] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0083.671] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0083.677] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.677] GetProcessHeap () returned 0x3a00000 [0083.677] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.677] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*") returned 46 [0083.677] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38878 [0083.677] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.677] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.677] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.677] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.677] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.677] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\.") returned 46 [0083.677] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.678] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3af063e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.678] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.678] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.678] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.678] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.678] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.678] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\..") returned 47 [0083.678] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.678] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.678] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa27e7c13, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="InputPersonalization", cAlternateFileName="INPUTP~1")) returned 1 [0083.678] lstrcmpiW (lpString1="InputPersonalization", lpString2="Windows") returned -1 [0083.678] lstrcmpiW (lpString1="InputPersonalization", lpString2="$Recycle.bin") returned 1 [0083.678] lstrcmpiW (lpString1="InputPersonalization", lpString2="System Volume Information") returned -1 [0083.678] lstrcmpiW (lpString1="InputPersonalization", lpString2="Program Files") returned -1 [0083.678] lstrcmpiW (lpString1="InputPersonalization", lpString2="Program Files (x86)") returned -1 [0083.678] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization") returned 65 [0083.678] lstrcmpW (lpString1="InputPersonalization", lpString2=".") returned 1 [0083.678] lstrcmpW (lpString1="InputPersonalization", lpString2="..") returned 1 [0083.678] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.678] GetProcessHeap () returned 0x3a00000 [0083.678] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*") returned 67 [0083.678] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa27e7c13, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0083.678] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.678] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.678] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.678] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.678] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.678] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\.") returned 67 [0083.679] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.679] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa27e7c13, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa27e7c13, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.679] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.679] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.679] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.679] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.679] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\..") returned 68 [0083.679] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.679] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.679] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 1 [0083.679] lstrcmpiW (lpString1="TrainedDataStore", lpString2="Windows") returned -1 [0083.679] lstrcmpiW (lpString1="TrainedDataStore", lpString2="$Recycle.bin") returned 1 [0083.679] lstrcmpiW (lpString1="TrainedDataStore", lpString2="System Volume Information") returned 1 [0083.679] lstrcmpiW (lpString1="TrainedDataStore", lpString2="Program Files") returned 1 [0083.679] lstrcmpiW (lpString1="TrainedDataStore", lpString2="Program Files (x86)") returned 1 [0083.679] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore") returned 82 [0083.679] lstrcmpW (lpString1="TrainedDataStore", lpString2=".") returned 1 [0083.679] lstrcmpW (lpString1="TrainedDataStore", lpString2="..") returned 1 [0083.679] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.679] GetProcessHeap () returned 0x3a00000 [0083.679] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.679] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*") returned 84 [0083.679] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.681] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.681] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.681] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.681] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.681] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.681] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\.") returned 84 [0083.681] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.681] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.681] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.681] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.681] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.681] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.681] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.681] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\..") returned 85 [0083.681] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.681] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.681] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.681] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.681] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 114 [0083.681] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\traineddatastore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.682] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.683] CloseHandle (hObject=0x440) returned 1 [0083.683] GetProcessHeap () returned 0x3a00000 [0083.683] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.683] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5fc49d4, ftCreationTime.dwHighDateTime=0x1d1a04d, ftLastAccessTime.dwLowDateTime=0xc3b53c8a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5fc49d4, ftLastWriteTime.dwHighDateTime=0x1d1a04d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="TrainedDataStore", cAlternateFileName="TRAINE~1")) returned 0 [0083.683] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0083.683] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0083.683] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\InputPersonalization\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\inputpersonalization\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.684] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.685] CloseHandle (hObject=0x43c) returned 1 [0083.685] GetProcessHeap () returned 0x3a00000 [0083.685] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.685] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0083.685] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0083.685] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a9e2bf1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0083.685] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Windows") returned 1 [0083.685] lstrcmpiW (lpString1="Windows Sidebar", lpString2="$Recycle.bin") returned 1 [0083.685] lstrcmpiW (lpString1="Windows Sidebar", lpString2="System Volume Information") returned 1 [0083.685] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files") returned 1 [0083.685] lstrcmpiW (lpString1="Windows Sidebar", lpString2="Program Files (x86)") returned 1 [0083.685] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar") returned 60 [0083.685] lstrcmpW (lpString1="Windows Sidebar", lpString2=".") returned 1 [0083.685] lstrcmpW (lpString1="Windows Sidebar", lpString2="..") returned 1 [0083.685] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.685] GetProcessHeap () returned 0x3a00000 [0083.685] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.685] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*") returned 62 [0083.685] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a9e2bf1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.686] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.686] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.686] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.686] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.686] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\.") returned 62 [0083.686] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.686] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c89cf2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a9e2bf1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.686] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.686] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.686] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.686] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.686] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.686] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\..") returned 63 [0083.686] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.686] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.686] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0083.686] lstrcmpiW (lpString1="Gadgets", lpString2="Windows") returned -1 [0083.686] lstrcmpiW (lpString1="Gadgets", lpString2="$Recycle.bin") returned 1 [0083.686] lstrcmpiW (lpString1="Gadgets", lpString2="System Volume Information") returned -1 [0083.686] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files") returned -1 [0083.687] lstrcmpiW (lpString1="Gadgets", lpString2="Program Files (x86)") returned -1 [0083.687] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets") returned 68 [0083.687] lstrcmpW (lpString1="Gadgets", lpString2=".") returned 1 [0083.687] lstrcmpW (lpString1="Gadgets", lpString2="..") returned 1 [0083.687] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.687] GetProcessHeap () returned 0x3a00000 [0083.687] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*") returned 70 [0083.687] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0083.687] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.687] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.687] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.687] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.687] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\.") returned 70 [0083.687] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.687] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.687] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.687] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.687] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.687] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.687] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.687] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\..") returned 71 [0083.687] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.687] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.687] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8a984, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.687] FindClose (in: hFindFile=0x3a38578 | out: hFindFile=0x3a38578) returned 1 [0083.688] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 100 [0083.688] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\Gadgets\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\gadgets\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.688] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.689] CloseHandle (hObject=0x440) returned 1 [0083.689] GetProcessHeap () returned 0x3a00000 [0083.689] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.689] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a9e2bf1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f90064, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f90064, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.ini", cAlternateFileName="")) returned 1 [0083.689] lstrcmpiW (lpString1="settings.ini", lpString2="Windows") returned -1 [0083.689] lstrcmpiW (lpString1="settings.ini", lpString2="$Recycle.bin") returned 1 [0083.689] lstrcmpiW (lpString1="settings.ini", lpString2="System Volume Information") returned -1 [0083.689] lstrcmpiW (lpString1="settings.ini", lpString2="Program Files") returned 1 [0083.689] lstrcmpiW (lpString1="settings.ini", lpString2="Program Files (x86)") returned 1 [0083.689] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini") returned 73 [0083.689] StrStrIW (lpFirst="settings.ini", lpSrch=".ebal") returned 0x0 [0083.690] lstrcmpW (lpString1="settings.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.690] lstrcmpW (lpString1="settings.ini", lpString2="taridd") returned -1 [0083.690] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.690] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.693] GetTickCount () returned 0x115538b [0083.693] GetTickCount () returned 0x115538b [0083.693] GetTickCount () returned 0x115538b [0083.693] GetTickCount () returned 0x115538b [0083.693] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0083.693] GetProcessHeap () returned 0x3a00000 [0083.693] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0083.693] ReadFile (in: hFile=0x440, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aedc4*=0x50, lpOverlapped=0x0) returned 1 [0083.694] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffffb0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.694] WriteFile (in: hFile=0x440, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aedc4*=0x50, lpOverlapped=0x0) returned 1 [0083.695] GetProcessHeap () returned 0x3a00000 [0083.695] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0083.695] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.695] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0083.698] WriteFile (in: hFile=0x440, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0083.698] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0083.698] CloseHandle (hObject=0x440) returned 1 [0083.698] GetProcessHeap () returned 0x3a00000 [0083.698] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.698] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini_r00t_{8ew5f6}.ebal") returned 92 [0083.698] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\settings.ini_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\settings.ini_r00t_{8ew5f6}.ebal")) returned 1 [0083.699] GetProcessHeap () returned 0x3a00000 [0083.699] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.699] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a9e2bf1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f90064, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f90064, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.ini", cAlternateFileName="")) returned 0 [0083.699] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.699] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0083.699] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\Windows Sidebar\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windows sidebar\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.699] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.700] CloseHandle (hObject=0x43c) returned 1 [0083.700] GetProcessHeap () returned 0x3a00000 [0083.700] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.700] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsApps", cAlternateFileName="WINDOW~2")) returned 1 [0083.700] lstrcmpiW (lpString1="WindowsApps", lpString2="Windows") returned 1 [0083.700] lstrcmpiW (lpString1="WindowsApps", lpString2="$Recycle.bin") returned 1 [0083.700] lstrcmpiW (lpString1="WindowsApps", lpString2="System Volume Information") returned 1 [0083.700] lstrcmpiW (lpString1="WindowsApps", lpString2="Program Files") returned 1 [0083.700] lstrcmpiW (lpString1="WindowsApps", lpString2="Program Files (x86)") returned 1 [0083.700] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps") returned 56 [0083.700] lstrcmpW (lpString1="WindowsApps", lpString2=".") returned 1 [0083.700] lstrcmpW (lpString1="WindowsApps", lpString2="..") returned 1 [0083.700] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.700] GetProcessHeap () returned 0x3a00000 [0083.700] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.700] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\*") returned 58 [0083.700] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0083.701] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.701] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.701] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.701] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.701] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.701] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.") returned 58 [0083.701] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.701] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.701] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.701] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.701] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.701] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\." (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windowsapps\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.701] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.701] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.701] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.701] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.701] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.701] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.701] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\..") returned 59 [0083.701] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.701] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.701] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.701] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.701] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.701] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\.." (normalized: "c:\\users\\default\\appdata\\local\\microsoft"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.702] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.702] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0083.702] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0083.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\WindowsApps\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\windowsapps\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.702] GetProcessHeap () returned 0x3a00000 [0083.702] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.702] FindNextFileW (in: hFindFile=0x3a38878, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8af60, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="WindowsApps", cAlternateFileName="WINDOW~2")) returned 0 [0083.702] FindClose (in: hFindFile=0x3a38878 | out: hFindFile=0x3a38878) returned 1 [0083.702] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0083.702] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.705] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.706] CloseHandle (hObject=0x438) returned 1 [0083.706] GetProcessHeap () returned 0x3a00000 [0083.706] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.707] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0083.707] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0083.707] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0083.707] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0083.707] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0083.707] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0083.707] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp") returned 39 [0083.707] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0083.707] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0083.707] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.707] GetProcessHeap () returned 0x3a00000 [0083.707] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.707] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*") returned 41 [0083.707] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384f8 [0083.707] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.707] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.707] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.707] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.707] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.707] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\.") returned 41 [0083.707] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.707] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.707] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.707] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.707] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.707] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.707] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.707] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\..") returned 42 [0083.708] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.708] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.708] FindNextFileW (in: hFindFile=0x3a384f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.708] FindClose (in: hFindFile=0x3a384f8 | out: hFindFile=0x3a384f8) returned 1 [0083.708] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0083.708] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.708] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.709] CloseHandle (hObject=0x438) returned 1 [0083.709] GetProcessHeap () returned 0x3a00000 [0083.709] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.709] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0083.709] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Windows") returned -1 [0083.709] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="$Recycle.bin") returned 1 [0083.709] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="System Volume Information") returned 1 [0083.709] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files") returned 1 [0083.709] lstrcmpiW (lpString1="Temporary Internet Files", lpString2="Program Files (x86)") returned 1 [0083.709] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files") returned 59 [0083.709] lstrcmpW (lpString1="Temporary Internet Files", lpString2=".") returned 1 [0083.709] lstrcmpW (lpString1="Temporary Internet Files", lpString2="..") returned 1 [0083.709] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.709] GetProcessHeap () returned 0x3a00000 [0083.709] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.709] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*") returned 61 [0083.709] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8b6f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="叨Φ￿￿扨@￿￿叨Φ\x05")) returned 0xffffffff [0083.710] GetProcessHeap () returned 0x3a00000 [0083.710] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.710] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 0 [0083.710] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.710] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Local\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 66 [0083.710] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Local\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\local\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.714] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.715] CloseHandle (hObject=0x434) returned 1 [0083.715] GetProcessHeap () returned 0x3a00000 [0083.715] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.715] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Roaming", cAlternateFileName="")) returned 1 [0083.715] lstrcmpiW (lpString1="Roaming", lpString2="Windows") returned -1 [0083.715] lstrcmpiW (lpString1="Roaming", lpString2="$Recycle.bin") returned 1 [0083.715] lstrcmpiW (lpString1="Roaming", lpString2="System Volume Information") returned -1 [0083.715] lstrcmpiW (lpString1="Roaming", lpString2="Program Files") returned 1 [0083.715] lstrcmpiW (lpString1="Roaming", lpString2="Program Files (x86)") returned 1 [0083.715] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming") returned 36 [0083.715] lstrcmpW (lpString1="Roaming", lpString2=".") returned 1 [0083.715] lstrcmpW (lpString1="Roaming", lpString2="..") returned 1 [0083.715] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.715] GetProcessHeap () returned 0x3a00000 [0083.715] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.715] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*") returned 38 [0083.715] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0083.717] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.717] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.717] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.717] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.717] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.718] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\.") returned 38 [0083.718] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.718] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.718] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.718] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.718] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.718] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.718] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.718] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\..") returned 39 [0083.718] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.718] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.718] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0083.718] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0083.718] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0083.718] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0083.718] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0083.718] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0083.718] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft") returned 46 [0083.718] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0083.718] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0083.718] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.718] GetProcessHeap () returned 0x3a00000 [0083.718] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2de50 [0083.718] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*") returned 48 [0083.718] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387f8 [0083.719] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.719] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.719] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.719] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.719] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.719] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.") returned 48 [0083.719] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.719] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.719] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.719] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.719] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.719] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.719] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.719] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.719] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\..") returned 49 [0083.719] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.719] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.719] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.719] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.719] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.719] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.719] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\.." (normalized: "c:\\users\\default\\appdata\\roaming"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.719] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0083.720] lstrcmpiW (lpString1="Internet Explorer", lpString2="Windows") returned -1 [0083.720] lstrcmpiW (lpString1="Internet Explorer", lpString2="$Recycle.bin") returned 1 [0083.720] lstrcmpiW (lpString1="Internet Explorer", lpString2="System Volume Information") returned -1 [0083.720] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files") returned -1 [0083.720] lstrcmpiW (lpString1="Internet Explorer", lpString2="Program Files (x86)") returned -1 [0083.720] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned 64 [0083.720] lstrcmpW (lpString1="Internet Explorer", lpString2=".") returned 1 [0083.720] lstrcmpW (lpString1="Internet Explorer", lpString2="..") returned 1 [0083.720] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.720] GetProcessHeap () returned 0x3a00000 [0083.720] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.720] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned 66 [0083.720] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0083.720] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.720] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.720] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.720] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.720] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.720] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\.") returned 66 [0083.720] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.720] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3c8d333, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.720] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.720] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.720] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.720] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.720] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.720] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\..") returned 67 [0083.720] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.721] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.721] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0083.721] lstrcmpiW (lpString1="Quick Launch", lpString2="Windows") returned -1 [0083.721] lstrcmpiW (lpString1="Quick Launch", lpString2="$Recycle.bin") returned 1 [0083.721] lstrcmpiW (lpString1="Quick Launch", lpString2="System Volume Information") returned -1 [0083.721] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files") returned 1 [0083.721] lstrcmpiW (lpString1="Quick Launch", lpString2="Program Files (x86)") returned 1 [0083.721] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned 77 [0083.721] lstrcmpW (lpString1="Quick Launch", lpString2=".") returned 1 [0083.721] lstrcmpW (lpString1="Quick Launch", lpString2="..") returned 1 [0083.721] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.721] GetProcessHeap () returned 0x3a00000 [0083.721] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.721] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned 79 [0083.721] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0083.721] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.721] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.721] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.721] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.721] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.721] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.") returned 79 [0083.721] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.721] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.721] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.721] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.721] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.721] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.722] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.722] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.722] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.722] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.722] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.722] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.722] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\..") returned 80 [0083.722] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.722] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.722] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.722] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.722] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.722] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\.." (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.722] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21f770e1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc8e8141c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc8e8141c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x94, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0083.722] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0083.722] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0083.722] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0083.722] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0083.722] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0083.722] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini") returned 89 [0083.722] StrStrIW (lpFirst="desktop.ini", lpSrch=".ebal") returned 0x0 [0083.722] lstrcmpW (lpString1="desktop.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.722] lstrcmpW (lpString1="desktop.ini", lpString2="taridd") returned -1 [0083.722] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.722] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.791] GetTickCount () returned 0x11553e9 [0083.791] GetTickCount () returned 0x11553e9 [0083.791] GetTickCount () returned 0x11553e9 [0083.791] GetTickCount () returned 0x11553e9 [0083.791] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0083.791] GetProcessHeap () returned 0x3a00000 [0083.791] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0083.791] ReadFile (in: hFile=0x44c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aeb3c*=0x94, lpOverlapped=0x0) returned 1 [0083.796] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffff6c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.796] WriteFile (in: hFile=0x44c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x94, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aeb3c*=0x94, lpOverlapped=0x0) returned 1 [0083.797] GetProcessHeap () returned 0x3a00000 [0083.797] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0083.797] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.797] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0083.798] WriteFile (in: hFile=0x44c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0083.798] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0083.798] CloseHandle (hObject=0x44c) returned 1 [0083.798] GetProcessHeap () returned 0x3a00000 [0083.798] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.798] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini_r00t_{8ew5f6}.ebal") returned 108 [0083.798] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\desktop.ini_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\desktop.ini_r00t_{8ew5f6}.ebal")) returned 1 [0083.799] GetProcessHeap () returned 0x3a00000 [0083.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.799] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d67afb, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d67afb, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d67afb, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x160, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Shows Desktop.lnk", cAlternateFileName="")) returned 1 [0083.799] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Windows") returned -1 [0083.799] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="$Recycle.bin") returned 1 [0083.799] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="System Volume Information") returned -1 [0083.799] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files") returned 1 [0083.799] lstrcmpiW (lpString1="Shows Desktop.lnk", lpString2="Program Files (x86)") returned 1 [0083.799] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk") returned 95 [0083.799] StrStrIW (lpFirst="Shows Desktop.lnk", lpSrch=".ebal") returned 0x0 [0083.799] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.799] lstrcmpW (lpString1="Shows Desktop.lnk", lpString2="taridd") returned -1 [0083.799] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.799] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.800] GetTickCount () returned 0x11553f8 [0083.800] GetTickCount () returned 0x11553f8 [0083.800] GetTickCount () returned 0x11553f8 [0083.800] GetTickCount () returned 0x11553f8 [0083.800] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0083.800] GetProcessHeap () returned 0x3a00000 [0083.800] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0083.800] ReadFile (in: hFile=0x44c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aeb3c*=0x160, lpOverlapped=0x0) returned 1 [0083.801] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xfffffea0, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.801] WriteFile (in: hFile=0x44c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aeb3c*=0x160, lpOverlapped=0x0) returned 1 [0083.801] GetProcessHeap () returned 0x3a00000 [0083.801] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0083.801] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.802] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0083.802] WriteFile (in: hFile=0x44c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0083.802] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0083.802] CloseHandle (hObject=0x44c) returned 1 [0083.802] GetProcessHeap () returned 0x3a00000 [0083.802] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.802] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk_r00t_{8ew5f6}.ebal") returned 114 [0083.802] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Shows Desktop.lnk_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\shows desktop.lnk_r00t_{8ew5f6}.ebal")) returned 1 [0083.803] GetProcessHeap () returned 0x3a00000 [0083.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.803] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d8dd66, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d8dd66, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 1 [0083.803] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Windows") returned -1 [0083.803] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="$Recycle.bin") returned 1 [0083.803] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="System Volume Information") returned 1 [0083.803] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files") returned 1 [0083.803] lstrcmpiW (lpString1="Window Switcher.lnk", lpString2="Program Files (x86)") returned 1 [0083.803] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk") returned 97 [0083.803] StrStrIW (lpFirst="Window Switcher.lnk", lpSrch=".ebal") returned 0x0 [0083.803] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.803] lstrcmpW (lpString1="Window Switcher.lnk", lpString2="taridd") returned 1 [0083.803] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.803] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.804] GetTickCount () returned 0x11553f8 [0083.804] GetTickCount () returned 0x11553f8 [0083.804] GetTickCount () returned 0x11553f8 [0083.804] GetTickCount () returned 0x11553f8 [0083.804] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0083.804] GetProcessHeap () returned 0x3a00000 [0083.804] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a732a8 [0083.804] ReadFile (in: hFile=0x44c, lpBuffer=0x3a732a8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesRead=0x65aeb3c*=0x14e, lpOverlapped=0x0) returned 1 [0083.805] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xfffffeb2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.805] WriteFile (in: hFile=0x44c, lpBuffer=0x3a732a8*, nNumberOfBytesToWrite=0x14e, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a732a8*, lpNumberOfBytesWritten=0x65aeb3c*=0x14e, lpOverlapped=0x0) returned 1 [0083.805] GetProcessHeap () returned 0x3a00000 [0083.805] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732a8 | out: hHeap=0x3a00000) returned 1 [0083.805] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.805] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0083.806] WriteFile (in: hFile=0x44c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0083.806] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0083.806] CloseHandle (hObject=0x44c) returned 1 [0083.806] GetProcessHeap () returned 0x3a00000 [0083.806] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.806] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk_r00t_{8ew5f6}.ebal") returned 116 [0083.806] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk"), lpNewFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\Window Switcher.lnk_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\window switcher.lnk_r00t_{8ew5f6}.ebal")) returned 1 [0083.807] GetProcessHeap () returned 0x3a00000 [0083.807] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.807] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x61d8dd66, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x61d8dd66, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x61d8dd66, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x14e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Window Switcher.lnk", cAlternateFileName="")) returned 0 [0083.807] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0083.809] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 109 [0083.809] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\quick launch\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.810] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.811] CloseHandle (hObject=0x440) returned 1 [0083.811] GetProcessHeap () returned 0x3a00000 [0083.811] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.812] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ce02fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xf6600cb, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0083.812] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0083.812] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0083.812] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Internet Explorer\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\internet explorer\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.812] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.813] CloseHandle (hObject=0x43c) returned 1 [0083.813] GetProcessHeap () returned 0x3a00000 [0083.813] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.813] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Network", cAlternateFileName="")) returned 1 [0083.813] lstrcmpiW (lpString1="Network", lpString2="Windows") returned -1 [0083.813] lstrcmpiW (lpString1="Network", lpString2="$Recycle.bin") returned 1 [0083.813] lstrcmpiW (lpString1="Network", lpString2="System Volume Information") returned -1 [0083.813] lstrcmpiW (lpString1="Network", lpString2="Program Files") returned -1 [0083.813] lstrcmpiW (lpString1="Network", lpString2="Program Files (x86)") returned -1 [0083.813] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network") returned 54 [0083.813] lstrcmpW (lpString1="Network", lpString2=".") returned 1 [0083.813] lstrcmpW (lpString1="Network", lpString2="..") returned 1 [0083.813] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.813] GetProcessHeap () returned 0x3a00000 [0083.813] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e258 [0083.813] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\*") returned 56 [0083.813] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.814] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.814] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.814] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.814] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.814] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.814] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\.") returned 56 [0083.814] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.814] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.814] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.814] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.814] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.814] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.814] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.814] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\..") returned 57 [0083.814] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.814] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.814] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0083.814] lstrcmpiW (lpString1="Connections", lpString2="Windows") returned -1 [0083.814] lstrcmpiW (lpString1="Connections", lpString2="$Recycle.bin") returned 1 [0083.814] lstrcmpiW (lpString1="Connections", lpString2="System Volume Information") returned -1 [0083.815] lstrcmpiW (lpString1="Connections", lpString2="Program Files") returned -1 [0083.815] lstrcmpiW (lpString1="Connections", lpString2="Program Files (x86)") returned -1 [0083.815] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned 66 [0083.815] lstrcmpW (lpString1="Connections", lpString2=".") returned 1 [0083.815] lstrcmpW (lpString1="Connections", lpString2="..") returned 1 [0083.815] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.815] GetProcessHeap () returned 0x3a00000 [0083.815] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a2e660 [0083.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned 68 [0083.815] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0083.815] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.815] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.815] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.815] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.815] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\.") returned 68 [0083.815] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.815] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.815] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.815] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.815] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.815] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.815] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.815] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\..") returned 69 [0083.815] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.815] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.815] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cm", cAlternateFileName="")) returned 1 [0083.815] lstrcmpiW (lpString1="Cm", lpString2="Windows") returned -1 [0083.815] lstrcmpiW (lpString1="Cm", lpString2="$Recycle.bin") returned 1 [0083.815] lstrcmpiW (lpString1="Cm", lpString2="System Volume Information") returned -1 [0083.816] lstrcmpiW (lpString1="Cm", lpString2="Program Files") returned -1 [0083.816] lstrcmpiW (lpString1="Cm", lpString2="Program Files (x86)") returned -1 [0083.816] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm") returned 69 [0083.816] lstrcmpW (lpString1="Cm", lpString2=".") returned 1 [0083.816] lstrcmpW (lpString1="Cm", lpString2="..") returned 1 [0083.816] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.816] GetProcessHeap () returned 0x3a00000 [0083.816] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.816] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\*") returned 71 [0083.816] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386f8 [0083.816] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.816] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.816] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.816] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.816] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.816] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\.") returned 71 [0083.816] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.816] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.816] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.816] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.816] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.816] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.816] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.816] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\..") returned 72 [0083.816] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.816] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.816] FindNextFileW (in: hFindFile=0x3a386f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.816] FindClose (in: hFindFile=0x3a386f8 | out: hFindFile=0x3a386f8) returned 1 [0083.816] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 101 [0083.817] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Cm\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\cm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.817] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.818] CloseHandle (hObject=0x44c) returned 1 [0083.818] GetProcessHeap () returned 0x3a00000 [0083.818] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.818] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="_hiddencm", cAlternateFileName="_HIDDE~1")) returned 1 [0083.818] lstrcmpiW (lpString1="_hiddencm", lpString2="Windows") returned -1 [0083.818] lstrcmpiW (lpString1="_hiddencm", lpString2="$Recycle.bin") returned 1 [0083.818] lstrcmpiW (lpString1="_hiddencm", lpString2="System Volume Information") returned -1 [0083.818] lstrcmpiW (lpString1="_hiddencm", lpString2="Program Files") returned -1 [0083.818] lstrcmpiW (lpString1="_hiddencm", lpString2="Program Files (x86)") returned -1 [0083.818] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm") returned 76 [0083.818] lstrcmpW (lpString1="_hiddencm", lpString2=".") returned 1 [0083.819] lstrcmpW (lpString1="_hiddencm", lpString2="..") returned 1 [0083.819] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.819] GetProcessHeap () returned 0x3a00000 [0083.819] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a6a268 [0083.819] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\*") returned 78 [0083.819] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0083.819] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.819] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.819] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.819] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.819] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.819] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\.") returned 78 [0083.819] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.819] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.819] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.819] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.819] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.819] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.819] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.819] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\..") returned 79 [0083.819] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.819] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.819] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.819] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0083.819] wnsprintfW (in: pszDest=0x3a6a268, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 108 [0083.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\_hiddencm\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\_hiddencm\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0083.820] WriteFile (in: hFile=0x44c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.821] CloseHandle (hObject=0x44c) returned 1 [0083.821] GetProcessHeap () returned 0x3a00000 [0083.821] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a6a268 | out: hHeap=0x3a00000) returned 1 [0083.821] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="_hiddencm", cAlternateFileName="_HIDDE~1")) returned 0 [0083.821] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0083.821] wnsprintfW (in: pszDest=0x3a2e660, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0083.821] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\Connections\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\connections\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0083.821] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0083.822] CloseHandle (hObject=0x440) returned 1 [0083.822] GetProcessHeap () returned 0x3a00000 [0083.822] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e660 | out: hHeap=0x3a00000) returned 1 [0083.822] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa2bc7808, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0083.822] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.822] wnsprintfW (in: pszDest=0x3a2e258, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0083.822] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Network\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\network\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0083.823] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.824] CloseHandle (hObject=0x43c) returned 1 [0083.824] GetProcessHeap () returned 0x3a00000 [0083.824] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2e258 | out: hHeap=0x3a00000) returned 1 [0083.824] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2c416743, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2c416743, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0083.824] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0083.824] FindNextFileW (in: hFindFile=0x3a387f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x2c416743, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x2c416743, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 0 [0083.824] FindClose (in: hFindFile=0x3a387f8 | out: hFindFile=0x3a387f8) returned 1 [0083.824] wnsprintfW (in: pszDest=0x3a2de50, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 78 [0083.824] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0083.826] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0083.826] CloseHandle (hObject=0x438) returned 1 [0083.826] GetProcessHeap () returned 0x3a00000 [0083.826] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a2de50 | out: hHeap=0x3a00000) returned 1 [0083.827] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa2bc7808, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xa2bc7808, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0083.827] FindClose (in: hFindFile=0x3a385f8 | out: hFindFile=0x3a385f8) returned 1 [0083.827] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 68 [0083.827] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\Roaming\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\roaming\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0083.828] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0083.829] CloseHandle (hObject=0x434) returned 1 [0083.829] GetProcessHeap () returned 0x3a00000 [0083.829] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.829] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Roaming", cAlternateFileName="")) returned 0 [0083.829] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.829] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\AppData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0083.830] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\AppData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\appdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.830] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.831] CloseHandle (hObject=0x430) returned 1 [0083.831] GetProcessHeap () returned 0x3a00000 [0083.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.831] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0083.831] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0083.831] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0083.831] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0083.831] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0083.831] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0083.831] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data") returned 37 [0083.831] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0083.831] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0083.831] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.831] GetProcessHeap () returned 0x3a00000 [0083.831] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.831] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Application Data\\*") returned 39 [0083.831] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Application Data\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Ro?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.831] GetProcessHeap () returned 0x3a00000 [0083.831] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.831] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Cookies", cAlternateFileName="")) returned 1 [0083.831] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0083.831] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0083.832] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0083.832] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0083.832] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0083.832] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies") returned 28 [0083.832] lstrcmpW (lpString1="Cookies", lpString2=".") returned 1 [0083.832] lstrcmpW (lpString1="Cookies", lpString2="..") returned 1 [0083.832] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Cookies", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.832] GetProcessHeap () returned 0x3a00000 [0083.832] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.832] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Cookies\\*") returned 30 [0083.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Cookies\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3c8c01f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Ro?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.832] GetProcessHeap () returned 0x3a00000 [0083.832] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.832] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Desktop", cAlternateFileName="")) returned 1 [0083.832] lstrcmpiW (lpString1="Desktop", lpString2="Windows") returned -1 [0083.832] lstrcmpiW (lpString1="Desktop", lpString2="$Recycle.bin") returned 1 [0083.832] lstrcmpiW (lpString1="Desktop", lpString2="System Volume Information") returned -1 [0083.832] lstrcmpiW (lpString1="Desktop", lpString2="Program Files") returned -1 [0083.832] lstrcmpiW (lpString1="Desktop", lpString2="Program Files (x86)") returned -1 [0083.832] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop") returned 28 [0083.832] lstrcmpW (lpString1="Desktop", lpString2=".") returned 1 [0083.832] lstrcmpW (lpString1="Desktop", lpString2="..") returned 1 [0083.832] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Desktop", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.832] GetProcessHeap () returned 0x3a00000 [0083.832] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.832] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\*") returned 30 [0083.832] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0083.832] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.832] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.833] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.833] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.833] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.833] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\.") returned 30 [0083.833] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.833] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.833] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.833] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.833] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Desktop\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\." (normalized: "c:\\users\\default\\desktop\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.833] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.833] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.833] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.833] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.833] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.833] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.833] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\..") returned 31 [0083.833] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.833] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.833] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.833] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.833] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.833] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Desktop\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.833] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.833] FindClose (in: hFindFile=0x3a38178 | out: hFindFile=0x3a38178) returned 1 [0083.833] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Desktop\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 60 [0083.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Desktop\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\desktop\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.834] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.835] CloseHandle (hObject=0x430) returned 1 [0083.835] GetProcessHeap () returned 0x3a00000 [0083.835] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.835] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0083.835] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0083.835] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0083.835] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0083.835] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0083.835] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0083.835] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents") returned 30 [0083.835] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0083.835] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0083.835] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.835] GetProcessHeap () returned 0x3a00000 [0083.835] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.835] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\*") returned 32 [0083.835] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.864] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.864] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\.") returned 32 [0083.864] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.864] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.864] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.864] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.864] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Documents\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.864] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\." (normalized: "c:\\users\\default\\documents\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.864] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.864] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.864] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.864] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\..") returned 33 [0083.864] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.865] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.865] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.865] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.865] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.865] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Documents\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.865] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.865] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0083.865] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0083.865] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0083.865] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0083.865] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0083.865] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0083.865] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music") returned 39 [0083.865] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0083.865] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0083.865] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Music", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.865] GetProcessHeap () returned 0x3a00000 [0083.865] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.865] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*") returned 41 [0083.865] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Music\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="俠Φ￿￿扨@￿￿俠Φ\x05")) returned 0xffffffff [0083.867] GetProcessHeap () returned 0x3a00000 [0083.867] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.867] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0083.867] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0083.867] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0083.867] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0083.867] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0083.867] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0083.867] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures") returned 42 [0083.867] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0083.867] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0083.867] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.867] GetProcessHeap () returned 0x3a00000 [0083.867] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.867] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*") returned 44 [0083.867] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Pictures\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="俠Φ￿￿扨@￿￿俠Φ\x05")) returned 0xffffffff [0083.867] GetProcessHeap () returned 0x3a00000 [0083.867] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.867] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0083.867] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0083.867] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0083.867] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0083.867] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0083.867] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0083.868] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos") returned 40 [0083.868] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0083.868] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0083.868] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Documents\\My Videos", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.868] GetProcessHeap () returned 0x3a00000 [0083.868] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a653e8 [0083.868] wnsprintfW (in: pszDest=0x3a653e8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*") returned 42 [0083.868] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\My Videos\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="", cAlternateFileName="俠Φ￿￿扨@￿￿俠Φ\x05")) returned 0xffffffff [0083.868] GetProcessHeap () returned 0x3a00000 [0083.868] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a653e8 | out: hHeap=0x3a00000) returned 1 [0083.868] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0083.868] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.869] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Documents\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0083.869] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Documents\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\documents\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.870] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.871] CloseHandle (hObject=0x430) returned 1 [0083.871] GetProcessHeap () returned 0x3a00000 [0083.871] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.871] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0083.871] lstrcmpiW (lpString1="Downloads", lpString2="Windows") returned -1 [0083.871] lstrcmpiW (lpString1="Downloads", lpString2="$Recycle.bin") returned 1 [0083.871] lstrcmpiW (lpString1="Downloads", lpString2="System Volume Information") returned -1 [0083.871] lstrcmpiW (lpString1="Downloads", lpString2="Program Files") returned -1 [0083.871] lstrcmpiW (lpString1="Downloads", lpString2="Program Files (x86)") returned -1 [0083.871] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads") returned 30 [0083.871] lstrcmpW (lpString1="Downloads", lpString2=".") returned 1 [0083.871] lstrcmpW (lpString1="Downloads", lpString2="..") returned 1 [0083.871] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Downloads", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.871] GetProcessHeap () returned 0x3a00000 [0083.871] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.871] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\*") returned 32 [0083.871] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0083.872] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.872] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.872] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.872] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.872] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.872] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\.") returned 32 [0083.872] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.872] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.872] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.872] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.872] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Downloads\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\." (normalized: "c:\\users\\default\\downloads\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.872] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.872] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.872] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.872] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.872] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.872] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.872] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\..") returned 33 [0083.872] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.872] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.872] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.872] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.872] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.872] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Downloads\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.872] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.872] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.872] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0083.873] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Downloads\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0083.873] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Downloads\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\downloads\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.873] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.874] CloseHandle (hObject=0x430) returned 1 [0083.874] GetProcessHeap () returned 0x3a00000 [0083.874] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.874] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0083.874] lstrcmpiW (lpString1="Favorites", lpString2="Windows") returned -1 [0083.874] lstrcmpiW (lpString1="Favorites", lpString2="$Recycle.bin") returned 1 [0083.874] lstrcmpiW (lpString1="Favorites", lpString2="System Volume Information") returned -1 [0083.874] lstrcmpiW (lpString1="Favorites", lpString2="Program Files") returned -1 [0083.875] lstrcmpiW (lpString1="Favorites", lpString2="Program Files (x86)") returned -1 [0083.875] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites") returned 30 [0083.875] lstrcmpW (lpString1="Favorites", lpString2=".") returned 1 [0083.875] lstrcmpW (lpString1="Favorites", lpString2="..") returned 1 [0083.875] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Favorites", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.875] GetProcessHeap () returned 0x3a00000 [0083.875] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.875] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\*") returned 32 [0083.875] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0083.875] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.875] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.875] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.875] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.876] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.876] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\.") returned 32 [0083.876] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.876] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.876] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.876] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.876] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Favorites\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\." (normalized: "c:\\users\\default\\favorites\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.876] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.876] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.876] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.876] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.876] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.876] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.876] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\..") returned 33 [0083.876] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.876] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.876] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.876] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.876] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.876] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Favorites\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.876] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.876] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0083.876] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Favorites\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 62 [0083.876] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Favorites\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\favorites\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.877] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.878] CloseHandle (hObject=0x430) returned 1 [0083.878] GetProcessHeap () returned 0x3a00000 [0083.878] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.878] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Links", cAlternateFileName="")) returned 1 [0083.878] lstrcmpiW (lpString1="Links", lpString2="Windows") returned -1 [0083.878] lstrcmpiW (lpString1="Links", lpString2="$Recycle.bin") returned 1 [0083.878] lstrcmpiW (lpString1="Links", lpString2="System Volume Information") returned -1 [0083.878] lstrcmpiW (lpString1="Links", lpString2="Program Files") returned -1 [0083.878] lstrcmpiW (lpString1="Links", lpString2="Program Files (x86)") returned -1 [0083.878] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links") returned 26 [0083.878] lstrcmpW (lpString1="Links", lpString2=".") returned 1 [0083.878] lstrcmpW (lpString1="Links", lpString2="..") returned 1 [0083.878] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Links", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.878] GetProcessHeap () returned 0x3a00000 [0083.878] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.878] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\*") returned 28 [0083.878] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Links\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0083.878] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.878] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.878] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.878] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.878] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.878] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\.") returned 28 [0083.878] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.878] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.878] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.879] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.879] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Links\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\." (normalized: "c:\\users\\default\\links\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.879] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.879] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.879] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.879] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.879] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.879] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.879] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\..") returned 29 [0083.879] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.879] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.879] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.879] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.879] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.879] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Links\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.879] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.879] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0083.879] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Links\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 58 [0083.879] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Links\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\links\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.880] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.881] CloseHandle (hObject=0x430) returned 1 [0083.881] GetProcessHeap () returned 0x3a00000 [0083.881] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.881] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0083.881] lstrcmpiW (lpString1="Local Settings", lpString2="Windows") returned -1 [0083.881] lstrcmpiW (lpString1="Local Settings", lpString2="$Recycle.bin") returned 1 [0083.881] lstrcmpiW (lpString1="Local Settings", lpString2="System Volume Information") returned -1 [0083.881] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files") returned -1 [0083.881] lstrcmpiW (lpString1="Local Settings", lpString2="Program Files (x86)") returned -1 [0083.881] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings") returned 35 [0083.881] lstrcmpW (lpString1="Local Settings", lpString2=".") returned 1 [0083.881] lstrcmpW (lpString1="Local Settings", lpString2="..") returned 1 [0083.881] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Local Settings", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.881] GetProcessHeap () returned 0x3a00000 [0083.881] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a64fe0 [0083.881] wnsprintfW (in: pszDest=0x3a64fe0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Local Settings\\*") returned 37 [0083.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Local Settings\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.882] GetProcessHeap () returned 0x3a00000 [0083.882] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a64fe0 | out: hHeap=0x3a00000) returned 1 [0083.882] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Music", cAlternateFileName="")) returned 1 [0083.882] lstrcmpiW (lpString1="Music", lpString2="Windows") returned -1 [0083.882] lstrcmpiW (lpString1="Music", lpString2="$Recycle.bin") returned 1 [0083.882] lstrcmpiW (lpString1="Music", lpString2="System Volume Information") returned -1 [0083.882] lstrcmpiW (lpString1="Music", lpString2="Program Files") returned -1 [0083.882] lstrcmpiW (lpString1="Music", lpString2="Program Files (x86)") returned -1 [0083.882] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music") returned 26 [0083.882] lstrcmpW (lpString1="Music", lpString2=".") returned 1 [0083.882] lstrcmpW (lpString1="Music", lpString2="..") returned 1 [0083.882] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Music", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.882] GetProcessHeap () returned 0x3a00000 [0083.882] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0083.882] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\*") returned 28 [0083.882] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Music\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0083.883] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.883] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.883] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.883] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.883] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.883] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\.") returned 28 [0083.883] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.883] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.883] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.883] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.883] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Music\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.883] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\." (normalized: "c:\\users\\default\\music\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.884] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.884] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.884] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.884] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.884] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.884] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.884] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\..") returned 29 [0083.884] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.884] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.884] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.884] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.884] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.884] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Music\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.884] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.884] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0083.884] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Music\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 58 [0083.884] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Music\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\music\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.884] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.885] CloseHandle (hObject=0x430) returned 1 [0083.885] GetProcessHeap () returned 0x3a00000 [0083.885] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0083.885] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0083.885] lstrcmpiW (lpString1="My Documents", lpString2="Windows") returned -1 [0083.885] lstrcmpiW (lpString1="My Documents", lpString2="$Recycle.bin") returned 1 [0083.885] lstrcmpiW (lpString1="My Documents", lpString2="System Volume Information") returned -1 [0083.885] lstrcmpiW (lpString1="My Documents", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1="My Documents", lpString2="Program Files (x86)") returned -1 [0083.886] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents") returned 33 [0083.886] lstrcmpW (lpString1="My Documents", lpString2=".") returned 1 [0083.886] lstrcmpW (lpString1="My Documents", lpString2="..") returned 1 [0083.886] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\My Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.886] GetProcessHeap () returned 0x3a00000 [0083.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0083.886] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\My Documents\\*") returned 35 [0083.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\My Documents\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.886] GetProcessHeap () returned 0x3a00000 [0083.886] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0083.886] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NetHood", cAlternateFileName="")) returned 1 [0083.886] lstrcmpiW (lpString1="NetHood", lpString2="Windows") returned -1 [0083.886] lstrcmpiW (lpString1="NetHood", lpString2="$Recycle.bin") returned 1 [0083.886] lstrcmpiW (lpString1="NetHood", lpString2="System Volume Information") returned -1 [0083.886] lstrcmpiW (lpString1="NetHood", lpString2="Program Files") returned -1 [0083.886] lstrcmpiW (lpString1="NetHood", lpString2="Program Files (x86)") returned -1 [0083.886] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood") returned 28 [0083.886] lstrcmpW (lpString1="NetHood", lpString2=".") returned 1 [0083.886] lstrcmpW (lpString1="NetHood", lpString2="..") returned 1 [0083.886] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\NetHood", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.886] GetProcessHeap () returned 0x3a00000 [0083.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74f08 [0083.886] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\NetHood\\*") returned 30 [0083.886] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\NetHood\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.886] GetProcessHeap () returned 0x3a00000 [0083.886] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74f08 | out: hHeap=0x3a00000) returned 1 [0083.886] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x7a4c27fa, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x7a4c27fa, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0083.886] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Windows") returned -1 [0083.887] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$Recycle.bin") returned 1 [0083.887] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="System Volume Information") returned -1 [0083.887] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files") returned -1 [0083.887] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="Program Files (x86)") returned -1 [0083.887] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT") returned 31 [0083.887] StrStrIW (lpFirst="NTUSER.DAT", lpSrch=".ebal") returned 0x0 [0083.887] lstrcmpW (lpString1="NTUSER.DAT", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.887] lstrcmpW (lpString1="NTUSER.DAT", lpString2="taridd") returned -1 [0083.887] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.887] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.888] GetTickCount () returned 0x1155446 [0083.888] GetTickCount () returned 0x1155446 [0083.888] GetTickCount () returned 0x1155446 [0083.888] GetTickCount () returned 0x1155446 [0083.888] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.888] GetProcessHeap () returned 0x3a00000 [0083.888] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.888] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.890] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.890] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.890] GetProcessHeap () returned 0x3a00000 [0083.890] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.890] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.890] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.891] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.891] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.891] CloseHandle (hObject=0x430) returned 1 [0083.891] GetProcessHeap () returned 0x3a00000 [0083.891] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0083.891] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT_r00t_{8ew5f6}.ebal") returned 50 [0083.891] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT" (normalized: "c:\\users\\default\\ntuser.dat"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat_r00t_{8ew5f6}.ebal")) returned 1 [0083.892] GetProcessHeap () returned 0x3a00000 [0083.892] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0083.892] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0083.892] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Windows") returned -1 [0083.892] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$Recycle.bin") returned 1 [0083.892] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="System Volume Information") returned -1 [0083.892] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files") returned -1 [0083.892] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="Program Files (x86)") returned -1 [0083.892] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1") returned 36 [0083.892] StrStrIW (lpFirst="NTUSER.DAT.LOG1", lpSrch=".ebal") returned 0x0 [0083.892] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.892] lstrcmpW (lpString1="NTUSER.DAT.LOG1", lpString2="taridd") returned -1 [0083.892] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.892] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.892] GetTickCount () returned 0x1155456 [0083.892] GetTickCount () returned 0x1155456 [0083.892] GetTickCount () returned 0x1155456 [0083.892] GetTickCount () returned 0x1155456 [0083.892] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.892] GetProcessHeap () returned 0x3a00000 [0083.892] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.892] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.894] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.894] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.894] GetProcessHeap () returned 0x3a00000 [0083.894] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.894] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.894] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.895] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.895] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.895] CloseHandle (hObject=0x430) returned 1 [0083.899] GetProcessHeap () returned 0x3a00000 [0083.899] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0083.899] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1_r00t_{8ew5f6}.ebal") returned 55 [0083.899] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG1_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat.log1_r00t_{8ew5f6}.ebal")) returned 1 [0083.899] GetProcessHeap () returned 0x3a00000 [0083.899] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0083.899] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0083.899] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Windows") returned -1 [0083.899] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$Recycle.bin") returned 1 [0083.899] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="System Volume Information") returned -1 [0083.899] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files") returned -1 [0083.899] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="Program Files (x86)") returned -1 [0083.899] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2") returned 36 [0083.900] StrStrIW (lpFirst="NTUSER.DAT.LOG2", lpSrch=".ebal") returned 0x0 [0083.900] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.900] lstrcmpW (lpString1="NTUSER.DAT.LOG2", lpString2="taridd") returned -1 [0083.900] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.900] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.900] GetTickCount () returned 0x1155456 [0083.900] GetTickCount () returned 0x1155456 [0083.900] GetTickCount () returned 0x1155456 [0083.900] GetTickCount () returned 0x1155456 [0083.900] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.900] GetProcessHeap () returned 0x3a00000 [0083.900] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.900] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.923] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.923] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.924] GetProcessHeap () returned 0x3a00000 [0083.924] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.924] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.924] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.924] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.924] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.924] CloseHandle (hObject=0x430) returned 1 [0083.924] GetProcessHeap () returned 0x3a00000 [0083.924] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0083.924] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2_r00t_{8ew5f6}.ebal") returned 55 [0083.924] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT.LOG2_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat.log2_r00t_{8ew5f6}.ebal")) returned 1 [0083.925] GetProcessHeap () returned 0x3a00000 [0083.925] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0083.925] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0083.925] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="Windows") returned -1 [0083.925] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="$Recycle.bin") returned 1 [0083.925] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="System Volume Information") returned -1 [0083.925] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="Program Files") returned -1 [0083.925] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="Program Files (x86)") returned -1 [0083.925] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf") returned 76 [0083.925] StrStrIW (lpFirst="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpSrch=".ebal") returned 0x0 [0083.925] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.925] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="taridd") returned -1 [0083.925] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.925] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.926] GetTickCount () returned 0x1155475 [0083.926] GetTickCount () returned 0x1155475 [0083.926] GetTickCount () returned 0x1155475 [0083.926] GetTickCount () returned 0x1155475 [0083.926] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.926] GetProcessHeap () returned 0x3a00000 [0083.926] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.926] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.927] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.927] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.927] GetProcessHeap () returned 0x3a00000 [0083.927] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.928] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.928] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.928] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.928] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.928] CloseHandle (hObject=0x430) returned 1 [0083.928] GetProcessHeap () returned 0x3a00000 [0083.928] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76330 [0083.928] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf_r00t_{8ew5f6}.ebal") returned 95 [0083.928] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf_r00t_{8ew5f6}.ebal")) returned 1 [0083.929] GetProcessHeap () returned 0x3a00000 [0083.929] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76330 | out: hHeap=0x3a00000) returned 1 [0083.929] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0083.929] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0083.929] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0083.929] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0083.929] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0083.929] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0083.929] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0083.929] StrStrIW (lpFirst="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ebal") returned 0x0 [0083.929] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.929] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="taridd") returned -1 [0083.929] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer000000000000000000", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.929] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.930] GetTickCount () returned 0x1155475 [0083.930] GetTickCount () returned 0x1155475 [0083.930] GetTickCount () returned 0x1155475 [0083.930] GetTickCount () returned 0x1155475 [0083.930] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.930] GetProcessHeap () returned 0x3a00000 [0083.930] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.930] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.932] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.932] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.932] GetProcessHeap () returned 0x3a00000 [0083.932] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.932] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.932] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.933] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.933] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.933] CloseHandle (hObject=0x430) returned 1 [0083.933] GetProcessHeap () returned 0x3a00000 [0083.933] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0083.933] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal") returned 132 [0083.933] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal")) returned 1 [0083.934] GetProcessHeap () returned 0x3a00000 [0083.934] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0083.934] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0083.934] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0083.934] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0083.934] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0083.934] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0083.934] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0083.934] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0083.934] StrStrIW (lpFirst="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ebal") returned 0x0 [0083.934] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.934] lstrcmpW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="taridd") returned -1 [0083.934] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer000000000000000000", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.934] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.935] GetTickCount () returned 0x1155475 [0083.935] GetTickCount () returned 0x1155475 [0083.935] GetTickCount () returned 0x1155475 [0083.935] GetTickCount () returned 0x1155475 [0083.935] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.935] GetProcessHeap () returned 0x3a00000 [0083.935] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.935] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.937] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.937] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.937] GetProcessHeap () returned 0x3a00000 [0083.937] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.937] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.937] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.938] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.938] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.938] CloseHandle (hObject=0x430) returned 1 [0083.938] GetProcessHeap () returned 0x3a00000 [0083.938] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0083.938] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal") returned 132 [0083.939] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal")) returned 1 [0083.939] GetProcessHeap () returned 0x3a00000 [0083.939] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0083.939] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0083.939] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Windows") returned -1 [0083.939] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="$Recycle.bin") returned 1 [0083.939] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="System Volume Information") returned -1 [0083.939] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Program Files") returned -1 [0083.939] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="Program Files (x86)") returned -1 [0083.939] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned 76 [0083.939] StrStrIW (lpFirst="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpSrch=".ebal") returned 0x0 [0083.939] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.939] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="taridd") returned -1 [0083.939] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.939] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.940] GetTickCount () returned 0x1155485 [0083.940] GetTickCount () returned 0x1155485 [0083.940] GetTickCount () returned 0x1155485 [0083.940] GetTickCount () returned 0x1155485 [0083.940] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.940] GetProcessHeap () returned 0x3a00000 [0083.940] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.940] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.945] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.945] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.945] GetProcessHeap () returned 0x3a00000 [0083.945] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.945] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.945] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.946] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.947] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.947] CloseHandle (hObject=0x430) returned 1 [0083.947] GetProcessHeap () returned 0x3a00000 [0083.947] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0083.947] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf_r00t_{8ew5f6}.ebal") returned 95 [0083.947] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf_r00t_{8ew5f6}.ebal")) returned 1 [0083.947] GetProcessHeap () returned 0x3a00000 [0083.947] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0083.947] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0083.947] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Windows") returned -1 [0083.947] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0083.948] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="System Volume Information") returned -1 [0083.948] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files") returned -1 [0083.948] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0083.948] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned 113 [0083.948] StrStrIW (lpFirst="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpSrch=".ebal") returned 0x0 [0083.948] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.948] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="taridd") returned -1 [0083.948] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer000000000000000000", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.948] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.948] GetTickCount () returned 0x1155485 [0083.948] GetTickCount () returned 0x1155485 [0083.948] GetTickCount () returned 0x1155485 [0083.948] GetTickCount () returned 0x1155485 [0083.948] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.948] GetProcessHeap () returned 0x3a00000 [0083.948] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.948] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.950] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.950] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.950] GetProcessHeap () returned 0x3a00000 [0083.950] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.950] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.950] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.951] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.951] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.951] CloseHandle (hObject=0x430) returned 1 [0083.951] GetProcessHeap () returned 0x3a00000 [0083.951] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a732d0 [0083.951] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal") returned 132 [0083.951] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms_r00t_{8ew5f6}.ebal")) returned 1 [0083.952] GetProcessHeap () returned 0x3a00000 [0083.952] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732d0 | out: hHeap=0x3a00000) returned 1 [0083.952] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0083.952] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Windows") returned -1 [0083.952] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="$Recycle.bin") returned 1 [0083.952] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="System Volume Information") returned -1 [0083.952] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files") returned -1 [0083.952] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="Program Files (x86)") returned -1 [0083.952] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned 113 [0083.952] StrStrIW (lpFirst="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpSrch=".ebal") returned 0x0 [0083.952] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0083.952] lstrcmpW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="taridd") returned -1 [0083.952] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer000000000000000000", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.952] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.953] GetTickCount () returned 0x1155495 [0083.953] GetTickCount () returned 0x1155495 [0083.953] GetTickCount () returned 0x1155495 [0083.953] GetTickCount () returned 0x1155495 [0083.953] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x2c, dwBufLen=0x80 | out: pbData=0x65af730*, pdwDataLen=0x65af7e0*=0x80) returned 1 [0083.953] GetProcessHeap () returned 0x3a00000 [0083.953] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0083.953] ReadFile (in: hFile=0x430, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.954] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0083.954] WriteFile (in: hFile=0x430, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af7e4*=0x2800, lpOverlapped=0x0) returned 1 [0083.954] GetProcessHeap () returned 0x3a00000 [0083.954] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0083.954] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.954] WriteFile (in: hFile=0x430, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af7e4*=0x300, lpOverlapped=0x0) returned 1 [0083.955] WriteFile (in: hFile=0x430, lpBuffer=0x65af730*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x65af730*, lpNumberOfBytesWritten=0x65af7e4*=0x80, lpOverlapped=0x0) returned 1 [0083.955] WriteFile (in: hFile=0x430, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af7e4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af7e4*=0x4, lpOverlapped=0x0) returned 1 [0083.955] CloseHandle (hObject=0x430) returned 1 [0083.956] GetProcessHeap () returned 0x3a00000 [0083.956] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a742f0 [0083.956] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal") returned 132 [0083.956] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="\\\\?\\C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms_r00t_{8ew5f6}.ebal")) returned 1 [0083.956] GetProcessHeap () returned 0x3a00000 [0083.956] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742f0 | out: hHeap=0x3a00000) returned 1 [0083.956] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Pictures", cAlternateFileName="")) returned 1 [0083.956] lstrcmpiW (lpString1="Pictures", lpString2="Windows") returned -1 [0083.956] lstrcmpiW (lpString1="Pictures", lpString2="$Recycle.bin") returned 1 [0083.956] lstrcmpiW (lpString1="Pictures", lpString2="System Volume Information") returned -1 [0083.956] lstrcmpiW (lpString1="Pictures", lpString2="Program Files") returned -1 [0083.956] lstrcmpiW (lpString1="Pictures", lpString2="Program Files (x86)") returned -1 [0083.956] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures") returned 29 [0083.956] lstrcmpW (lpString1="Pictures", lpString2=".") returned 1 [0083.956] lstrcmpW (lpString1="Pictures", lpString2="..") returned 1 [0083.956] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Pictures", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.956] GetProcessHeap () returned 0x3a00000 [0083.956] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ee8 [0083.956] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\*") returned 31 [0083.957] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0083.957] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.957] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.957] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.957] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.957] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.957] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\.") returned 31 [0083.957] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.957] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.957] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.957] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.957] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Pictures\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.957] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\." (normalized: "c:\\users\\default\\pictures\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.957] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.957] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.957] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.957] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.957] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.957] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.957] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\..") returned 32 [0083.957] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.957] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.957] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.957] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.957] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.957] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Pictures\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.958] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.958] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0083.958] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 61 [0083.958] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Pictures\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\pictures\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.958] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.959] CloseHandle (hObject=0x430) returned 1 [0083.960] GetProcessHeap () returned 0x3a00000 [0083.960] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ee8 | out: hHeap=0x3a00000) returned 1 [0083.960] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0083.960] lstrcmpiW (lpString1="PrintHood", lpString2="Windows") returned -1 [0083.960] lstrcmpiW (lpString1="PrintHood", lpString2="$Recycle.bin") returned 1 [0083.960] lstrcmpiW (lpString1="PrintHood", lpString2="System Volume Information") returned -1 [0083.960] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files") returned -1 [0083.960] lstrcmpiW (lpString1="PrintHood", lpString2="Program Files (x86)") returned -1 [0083.960] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood") returned 30 [0083.960] lstrcmpW (lpString1="PrintHood", lpString2=".") returned 1 [0083.960] lstrcmpW (lpString1="PrintHood", lpString2="..") returned 1 [0083.960] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\PrintHood", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.960] GetProcessHeap () returned 0x3a00000 [0083.960] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ee8 [0083.960] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\PrintHood\\*") returned 32 [0083.960] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\PrintHood\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.960] GetProcessHeap () returned 0x3a00000 [0083.960] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ee8 | out: hHeap=0x3a00000) returned 1 [0083.960] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Recent", cAlternateFileName="")) returned 1 [0083.960] lstrcmpiW (lpString1="Recent", lpString2="Windows") returned -1 [0083.960] lstrcmpiW (lpString1="Recent", lpString2="$Recycle.bin") returned 1 [0083.960] lstrcmpiW (lpString1="Recent", lpString2="System Volume Information") returned -1 [0083.960] lstrcmpiW (lpString1="Recent", lpString2="Program Files") returned 1 [0083.960] lstrcmpiW (lpString1="Recent", lpString2="Program Files (x86)") returned 1 [0083.960] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent") returned 27 [0083.960] lstrcmpW (lpString1="Recent", lpString2=".") returned 1 [0083.960] lstrcmpW (lpString1="Recent", lpString2="..") returned 1 [0083.960] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Recent", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.960] GetProcessHeap () returned 0x3a00000 [0083.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a732d0 [0083.961] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Recent\\*") returned 29 [0083.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Recent\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.961] GetProcessHeap () returned 0x3a00000 [0083.961] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a732d0 | out: hHeap=0x3a00000) returned 1 [0083.961] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0083.961] lstrcmpiW (lpString1="Saved Games", lpString2="Windows") returned -1 [0083.961] lstrcmpiW (lpString1="Saved Games", lpString2="$Recycle.bin") returned 1 [0083.961] lstrcmpiW (lpString1="Saved Games", lpString2="System Volume Information") returned -1 [0083.961] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files") returned 1 [0083.961] lstrcmpiW (lpString1="Saved Games", lpString2="Program Files (x86)") returned 1 [0083.961] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games") returned 32 [0083.961] lstrcmpW (lpString1="Saved Games", lpString2=".") returned 1 [0083.961] lstrcmpW (lpString1="Saved Games", lpString2="..") returned 1 [0083.961] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Saved Games", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.961] GetProcessHeap () returned 0x3a00000 [0083.961] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0083.961] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\*") returned 34 [0083.961] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0083.961] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.961] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.961] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.961] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.961] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.961] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\.") returned 34 [0083.961] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.961] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.962] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.962] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.962] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.962] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.962] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.962] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\..") returned 35 [0083.962] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.962] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.962] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.962] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0083.962] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Saved Games\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 64 [0083.962] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Saved Games\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\saved games\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.962] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0083.963] CloseHandle (hObject=0x430) returned 1 [0083.963] GetProcessHeap () returned 0x3a00000 [0083.963] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0083.963] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="SendTo", cAlternateFileName="")) returned 1 [0083.963] lstrcmpiW (lpString1="SendTo", lpString2="Windows") returned -1 [0083.963] lstrcmpiW (lpString1="SendTo", lpString2="$Recycle.bin") returned 1 [0083.963] lstrcmpiW (lpString1="SendTo", lpString2="System Volume Information") returned -1 [0083.963] lstrcmpiW (lpString1="SendTo", lpString2="Program Files") returned 1 [0083.963] lstrcmpiW (lpString1="SendTo", lpString2="Program Files (x86)") returned 1 [0083.963] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo") returned 27 [0083.963] lstrcmpW (lpString1="SendTo", lpString2=".") returned 1 [0083.964] lstrcmpW (lpString1="SendTo", lpString2="..") returned 1 [0083.964] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\SendTo", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.964] GetProcessHeap () returned 0x3a00000 [0083.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0083.964] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\SendTo\\*") returned 29 [0083.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\SendTo\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.964] GetProcessHeap () returned 0x3a00000 [0083.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0083.964] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0083.964] lstrcmpiW (lpString1="Start Menu", lpString2="Windows") returned -1 [0083.964] lstrcmpiW (lpString1="Start Menu", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1="Start Menu", lpString2="System Volume Information") returned -1 [0083.964] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files") returned 1 [0083.964] lstrcmpiW (lpString1="Start Menu", lpString2="Program Files (x86)") returned 1 [0083.964] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu") returned 31 [0083.964] lstrcmpW (lpString1="Start Menu", lpString2=".") returned 1 [0083.964] lstrcmpW (lpString1="Start Menu", lpString2="..") returned 1 [0083.964] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Start Menu", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.964] GetProcessHeap () returned 0x3a00000 [0083.964] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0083.964] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Start Menu\\*") returned 33 [0083.964] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Start Menu\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.964] GetProcessHeap () returned 0x3a00000 [0083.964] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0083.964] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0083.964] lstrcmpiW (lpString1="Templates", lpString2="Windows") returned -1 [0083.964] lstrcmpiW (lpString1="Templates", lpString2="$Recycle.bin") returned 1 [0083.964] lstrcmpiW (lpString1="Templates", lpString2="System Volume Information") returned 1 [0083.964] lstrcmpiW (lpString1="Templates", lpString2="Program Files") returned 1 [0083.965] lstrcmpiW (lpString1="Templates", lpString2="Program Files (x86)") returned 1 [0083.965] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates") returned 30 [0083.965] lstrcmpW (lpString1="Templates", lpString2=".") returned 1 [0083.965] lstrcmpW (lpString1="Templates", lpString2="..") returned 1 [0083.965] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Templates", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.965] GetProcessHeap () returned 0x3a00000 [0083.965] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0083.965] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Templates\\*") returned 32 [0083.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Templates\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..?", cAlternateFileName="欨Τ￿￿扨@￿￿欨Τ\x05")) returned 0xffffffff [0083.965] GetProcessHeap () returned 0x3a00000 [0083.965] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0083.965] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Videos", cAlternateFileName="")) returned 1 [0083.965] lstrcmpiW (lpString1="Videos", lpString2="Windows") returned -1 [0083.965] lstrcmpiW (lpString1="Videos", lpString2="$Recycle.bin") returned 1 [0083.965] lstrcmpiW (lpString1="Videos", lpString2="System Volume Information") returned 1 [0083.965] lstrcmpiW (lpString1="Videos", lpString2="Program Files") returned 1 [0083.965] lstrcmpiW (lpString1="Videos", lpString2="Program Files (x86)") returned 1 [0083.965] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos") returned 27 [0083.965] lstrcmpW (lpString1="Videos", lpString2=".") returned 1 [0083.965] lstrcmpW (lpString1="Videos", lpString2="..") returned 1 [0083.965] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default\\Videos", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0083.965] GetProcessHeap () returned 0x3a00000 [0083.965] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0083.965] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\*") returned 29 [0083.965] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0083.965] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0083.965] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0083.965] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0083.966] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0083.966] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0083.966] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\.") returned 29 [0083.966] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0083.966] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0083.966] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.966] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0083.966] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Videos\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\." (normalized: "c:\\users\\default\\videos\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.966] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0083.966] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0083.966] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0083.966] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0083.966] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0083.966] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0083.966] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\..") returned 30 [0083.966] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0083.966] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0083.966] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0083.966] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0083.966] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0083.966] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\Default\\Videos\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0083.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\.." (normalized: "c:\\users\\default"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0083.966] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0083.966] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0083.966] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\Videos\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 59 [0083.966] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\Videos\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\videos\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0083.967] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0084.000] CloseHandle (hObject=0x430) returned 1 [0084.000] GetProcessHeap () returned 0x3a00000 [0084.000] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.000] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Videos", cAlternateFileName="")) returned 0 [0084.001] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0084.001] wnsprintfW (in: pszDest=0x3a46b28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 52 [0084.001] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0084.002] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0084.003] CloseHandle (hObject=0x42c) returned 1 [0084.003] GetProcessHeap () returned 0x3a00000 [0084.003] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a46b28 | out: hHeap=0x3a00000) returned 1 [0084.003] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0084.003] lstrcmpiW (lpString1="Default User", lpString2="Windows") returned -1 [0084.003] lstrcmpiW (lpString1="Default User", lpString2="$Recycle.bin") returned 1 [0084.003] lstrcmpiW (lpString1="Default User", lpString2="System Volume Information") returned -1 [0084.003] lstrcmpiW (lpString1="Default User", lpString2="Program Files") returned -1 [0084.003] lstrcmpiW (lpString1="Default User", lpString2="Program Files (x86)") returned -1 [0084.003] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default User") returned 25 [0084.003] lstrcmpW (lpString1="Default User", lpString2=".") returned 1 [0084.003] lstrcmpW (lpString1="Default User", lpString2="..") returned 1 [0084.003] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default User", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.003] GetProcessHeap () returned 0x3a00000 [0084.003] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76330 [0084.003] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default User\\*") returned 27 [0084.003] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default User\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Vi?", cAlternateFileName="䬸Τ￿￿扨@￿￿䬸Τ\x05")) returned 0xffffffff [0084.003] GetProcessHeap () returned 0x3a00000 [0084.003] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76330 | out: hHeap=0x3a00000) returned 1 [0084.003] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0084.003] lstrcmpiW (lpString1="Default.migrated", lpString2="Windows") returned -1 [0084.004] lstrcmpiW (lpString1="Default.migrated", lpString2="$Recycle.bin") returned 1 [0084.004] lstrcmpiW (lpString1="Default.migrated", lpString2="System Volume Information") returned -1 [0084.004] lstrcmpiW (lpString1="Default.migrated", lpString2="Program Files") returned -1 [0084.004] lstrcmpiW (lpString1="Default.migrated", lpString2="Program Files (x86)") returned -1 [0084.004] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated") returned 29 [0084.004] lstrcmpW (lpString1="Default.migrated", lpString2=".") returned 1 [0084.004] lstrcmpW (lpString1="Default.migrated", lpString2="..") returned 1 [0084.004] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.004] GetProcessHeap () returned 0x3a00000 [0084.004] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a736d8 [0084.004] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\*") returned 31 [0084.004] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0084.008] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.008] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.008] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.008] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.008] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.008] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\.") returned 31 [0084.008] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.008] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.008] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.008] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.008] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.008] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.008] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.008] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\..") returned 32 [0084.008] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.008] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.008] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppData", cAlternateFileName="")) returned 1 [0084.008] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0084.008] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0084.008] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0084.008] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0084.008] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0084.008] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData") returned 37 [0084.008] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0084.008] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0084.008] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\AppData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.008] GetProcessHeap () returned 0x3a00000 [0084.008] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75b20 [0084.008] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\*") returned 39 [0084.008] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0084.009] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.009] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\.") returned 39 [0084.009] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.009] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.009] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\..") returned 40 [0084.009] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.009] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.009] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Local", cAlternateFileName="")) returned 1 [0084.009] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0084.009] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0084.009] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0084.009] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0084.009] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0084.009] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local") returned 43 [0084.009] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0084.009] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0084.009] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.009] GetProcessHeap () returned 0x3a00000 [0084.009] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a742f0 [0084.009] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\*") returned 45 [0084.010] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a383f8 [0084.010] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.010] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.010] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.010] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.010] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.010] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\.") returned 45 [0084.010] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.010] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.010] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.010] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.010] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.010] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.010] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.010] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\..") returned 46 [0084.010] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.010] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.010] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0084.010] lstrcmpiW (lpString1="Microsoft", lpString2="Windows") returned -1 [0084.010] lstrcmpiW (lpString1="Microsoft", lpString2="$Recycle.bin") returned 1 [0084.010] lstrcmpiW (lpString1="Microsoft", lpString2="System Volume Information") returned -1 [0084.010] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files") returned -1 [0084.010] lstrcmpiW (lpString1="Microsoft", lpString2="Program Files (x86)") returned -1 [0084.010] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft") returned 53 [0084.010] lstrcmpW (lpString1="Microsoft", lpString2=".") returned 1 [0084.010] lstrcmpW (lpString1="Microsoft", lpString2="..") returned 1 [0084.010] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.010] GetProcessHeap () returned 0x3a00000 [0084.011] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.011] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\*") returned 55 [0084.011] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0084.011] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.011] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.011] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.011] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.011] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.011] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\.") returned 55 [0084.011] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.011] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.011] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.011] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.011] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.011] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.011] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.011] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\..") returned 56 [0084.011] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.011] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.011] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 1 [0084.011] lstrcmpiW (lpString1="Windows", lpString2="Windows") returned 0 [0084.011] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Windows", cAlternateFileName="")) returned 0 [0084.011] FindClose (in: hFindFile=0x3a38478 | out: hFindFile=0x3a38478) returned 1 [0084.011] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0084.011] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\Microsoft\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default.migrated\\appdata\\local\\microsoft\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.012] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.013] CloseHandle (hObject=0x340) returned 1 [0084.013] GetProcessHeap () returned 0x3a00000 [0084.013] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.013] FindNextFileW (in: hFindFile=0x3a383f8, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0084.013] FindClose (in: hFindFile=0x3a383f8 | out: hFindFile=0x3a383f8) returned 1 [0084.013] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 75 [0084.013] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\Local\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default.migrated\\appdata\\local\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x348 [0084.013] WriteFile (in: hFile=0x348, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af2dc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af2dc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.014] CloseHandle (hObject=0x348) returned 1 [0084.014] GetProcessHeap () returned 0x3a00000 [0084.014] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a742f0 | out: hHeap=0x3a00000) returned 1 [0084.014] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7202dfa5, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7202dfa5, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Local", cAlternateFileName="")) returned 0 [0084.014] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0084.014] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\AppData\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0084.015] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default.migrated\\AppData\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default.migrated\\appdata\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0084.015] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0084.016] CloseHandle (hObject=0x430) returned 1 [0084.016] GetProcessHeap () returned 0x3a00000 [0084.016] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75b20 | out: hHeap=0x3a00000) returned 1 [0084.016] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0084.016] lstrcmpiW (lpString1="Documents", lpString2="Windows") returned -1 [0084.016] lstrcmpiW (lpString1="Documents", lpString2="$Recycle.bin") returned 1 [0084.016] lstrcmpiW (lpString1="Documents", lpString2="System Volume Information") returned -1 [0084.016] lstrcmpiW (lpString1="Documents", lpString2="Program Files") returned -1 [0084.016] lstrcmpiW (lpString1="Documents", lpString2="Program Files (x86)") returned -1 [0084.017] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents") returned 39 [0084.017] lstrcmpW (lpString1="Documents", lpString2=".") returned 1 [0084.017] lstrcmpW (lpString1="Documents", lpString2="..") returned 1 [0084.017] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\Documents", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.017] GetProcessHeap () returned 0x3a00000 [0084.017] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75b20 [0084.017] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\*") returned 41 [0084.017] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\Documents\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38538 [0084.019] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.019] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.019] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.019] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.019] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.019] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\.") returned 41 [0084.019] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.019] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.019] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.019] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.019] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\..") returned 42 [0084.019] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.019] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.019] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0084.019] lstrcmpiW (lpString1="My Music", lpString2="Windows") returned -1 [0084.019] lstrcmpiW (lpString1="My Music", lpString2="$Recycle.bin") returned 1 [0084.019] lstrcmpiW (lpString1="My Music", lpString2="System Volume Information") returned -1 [0084.019] lstrcmpiW (lpString1="My Music", lpString2="Program Files") returned -1 [0084.019] lstrcmpiW (lpString1="My Music", lpString2="Program Files (x86)") returned -1 [0084.019] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Music") returned 48 [0084.019] lstrcmpW (lpString1="My Music", lpString2=".") returned 1 [0084.019] lstrcmpW (lpString1="My Music", lpString2="..") returned 1 [0084.019] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Music", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.019] GetProcessHeap () returned 0x3a00000 [0084.019] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75718 [0084.020] wnsprintfW (in: pszDest=0x3a75718, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Music\\*") returned 50 [0084.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Music\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ff, ftLastWriteTime.dwLowDateTime=0xffffdc5a, ftLastWriteTime.dwHighDateTime=0x201, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ʄΠ?", cAlternateFileName="嬠Χ￿￿扨@￿￿嬠Χ\x05")) returned 0xffffffff [0084.020] GetProcessHeap () returned 0x3a00000 [0084.020] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75718 | out: hHeap=0x3a00000) returned 1 [0084.020] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0084.020] lstrcmpiW (lpString1="My Pictures", lpString2="Windows") returned -1 [0084.020] lstrcmpiW (lpString1="My Pictures", lpString2="$Recycle.bin") returned 1 [0084.020] lstrcmpiW (lpString1="My Pictures", lpString2="System Volume Information") returned -1 [0084.020] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files") returned -1 [0084.020] lstrcmpiW (lpString1="My Pictures", lpString2="Program Files (x86)") returned -1 [0084.020] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Pictures") returned 51 [0084.020] lstrcmpW (lpString1="My Pictures", lpString2=".") returned 1 [0084.020] lstrcmpW (lpString1="My Pictures", lpString2="..") returned 1 [0084.020] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Pictures", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.020] GetProcessHeap () returned 0x3a00000 [0084.020] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.020] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Pictures\\*") returned 53 [0084.020] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Pictures\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ff, ftLastWriteTime.dwLowDateTime=0xffffdc5a, ftLastWriteTime.dwHighDateTime=0x201, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ʄΠ?", cAlternateFileName="嬠Χ￿￿扨@￿￿嬠Χ\x05")) returned 0xffffffff [0084.020] GetProcessHeap () returned 0x3a00000 [0084.020] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.020] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0084.020] lstrcmpiW (lpString1="My Videos", lpString2="Windows") returned -1 [0084.020] lstrcmpiW (lpString1="My Videos", lpString2="$Recycle.bin") returned 1 [0084.020] lstrcmpiW (lpString1="My Videos", lpString2="System Volume Information") returned -1 [0084.020] lstrcmpiW (lpString1="My Videos", lpString2="Program Files") returned -1 [0084.020] lstrcmpiW (lpString1="My Videos", lpString2="Program Files (x86)") returned -1 [0084.021] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Videos") returned 49 [0084.021] lstrcmpW (lpString1="My Videos", lpString2=".") returned 1 [0084.021] lstrcmpW (lpString1="My Videos", lpString2="..") returned 1 [0084.021] lstrcmpW (lpString1="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Videos", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.021] GetProcessHeap () returned 0x3a00000 [0084.021] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.021] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Videos\\*") returned 51 [0084.021] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\Default.migrated\\Documents\\My Videos\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x1ff, ftLastWriteTime.dwLowDateTime=0xffffdc5a, ftLastWriteTime.dwHighDateTime=0x201, nFileSizeHigh=0x2, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ʄΠ?", cAlternateFileName="嬠Χ￿￿扨@￿￿嬠Χ\x05")) returned 0xffffffff [0084.021] GetProcessHeap () returned 0x3a00000 [0084.021] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.021] FindNextFileW (in: hFindFile=0x3a38538, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0084.021] FindClose (in: hFindFile=0x3a38538 | out: hFindFile=0x3a38538) returned 1 [0084.022] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\Documents\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0084.022] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default.migrated\\Documents\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default.migrated\\documents\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x430 [0084.023] WriteFile (in: hFile=0x430, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af564, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af564*=0x3a6, lpOverlapped=0x0) returned 1 [0084.023] CloseHandle (hObject=0x430) returned 1 [0084.024] GetProcessHeap () returned 0x3a00000 [0084.024] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75b20 | out: hHeap=0x3a00000) returned 1 [0084.024] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0084.024] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0084.024] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\Default.migrated\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 61 [0084.024] CreateFileW (lpFileName="\\\\?\\C:\\Users\\Default.migrated\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\default.migrated\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0084.024] WriteFile (in: hFile=0x42c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af7ec, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af7ec*=0x3a6, lpOverlapped=0x0) returned 1 [0084.025] CloseHandle (hObject=0x42c) returned 1 [0084.025] GetProcessHeap () returned 0x3a00000 [0084.025] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a736d8 | out: hHeap=0x3a00000) returned 1 [0084.025] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0084.025] lstrcmpiW (lpString1="desktop.ini", lpString2="Windows") returned -1 [0084.025] lstrcmpiW (lpString1="desktop.ini", lpString2="$Recycle.bin") returned 1 [0084.025] lstrcmpiW (lpString1="desktop.ini", lpString2="System Volume Information") returned -1 [0084.026] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files") returned -1 [0084.026] lstrcmpiW (lpString1="desktop.ini", lpString2="Program Files (x86)") returned -1 [0084.026] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini") returned 24 [0084.026] StrStrIW (lpFirst="desktop.ini", lpSrch=".ebal") returned 0x0 [0084.026] lstrcmpW (lpString1="desktop.ini", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.026] lstrcmpW (lpString1="desktop.ini", lpString2="taridd") returned -1 [0084.026] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\desktop.ini", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.026] CreateFileW (lpFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x42c [0084.026] GetTickCount () returned 0x11554d3 [0084.026] GetTickCount () returned 0x11554d3 [0084.026] GetTickCount () returned 0x11554d3 [0084.026] GetTickCount () returned 0x11554d3 [0084.026] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x2c, dwBufLen=0x80 | out: pbData=0x65af9b8*, pdwDataLen=0x65afa68*=0x80) returned 1 [0084.026] GetProcessHeap () returned 0x3a00000 [0084.026] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0084.026] ReadFile (in: hFile=0x42c, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65afa6c*=0xae, lpOverlapped=0x0) returned 1 [0084.027] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0xffffff52, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.027] WriteFile (in: hFile=0x42c, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0xae, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65afa6c*=0xae, lpOverlapped=0x0) returned 1 [0084.027] GetProcessHeap () returned 0x3a00000 [0084.027] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0084.027] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.027] WriteFile (in: hFile=0x42c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65afa6c*=0x300, lpOverlapped=0x0) returned 1 [0084.028] WriteFile (in: hFile=0x42c, lpBuffer=0x65af9b8*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x65af9b8*, lpNumberOfBytesWritten=0x65afa6c*=0x80, lpOverlapped=0x0) returned 1 [0084.028] WriteFile (in: hFile=0x42c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65afa6c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65afa6c*=0x4, lpOverlapped=0x0) returned 1 [0084.028] CloseHandle (hObject=0x42c) returned 1 [0084.028] GetProcessHeap () returned 0x3a00000 [0084.028] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.028] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\desktop.ini_r00t_{8ew5f6}.ebal") returned 43 [0084.028] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\desktop.ini" (normalized: "c:\\users\\desktop.ini"), lpNewFileName="\\\\?\\C:\\Users\\desktop.ini_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\desktop.ini_r00t_{8ew5f6}.ebal")) returned 1 [0084.029] GetProcessHeap () returned 0x3a00000 [0084.029] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0084.029] FindNextFileW (in: hFindFile=0x3a383b8, lpFindFileData=0x65afaa8 | out: lpFindFileData=0x65afaa8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0084.029] lstrcmpiW (lpString1="FD1HVy", lpString2="Windows") returned -1 [0084.029] lstrcmpiW (lpString1="FD1HVy", lpString2="$Recycle.bin") returned 1 [0084.029] lstrcmpiW (lpString1="FD1HVy", lpString2="System Volume Information") returned -1 [0084.029] lstrcmpiW (lpString1="FD1HVy", lpString2="Program Files") returned -1 [0084.029] lstrcmpiW (lpString1="FD1HVy", lpString2="Program Files (x86)") returned -1 [0084.029] wnsprintfW (in: pszDest=0x3a44b38, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy") returned 19 [0084.029] lstrcmpW (lpString1="FD1HVy", lpString2=".") returned 1 [0084.029] lstrcmpW (lpString1="FD1HVy", lpString2="..") returned 1 [0084.029] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.029] GetProcessHeap () returned 0x3a00000 [0084.029] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75b20 [0084.029] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\*") returned 21 [0084.029] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\*", lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38478 [0084.029] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.029] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.029] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.029] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\.") returned 21 [0084.030] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.030] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.030] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.030] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.030] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.030] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\..") returned 22 [0084.030] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.030] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.030] FindNextFileW (in: hFindFile=0x3a38478, lpFindFileData=0x65af820 | out: lpFindFileData=0x65af820*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AppData", cAlternateFileName="")) returned 1 [0084.030] lstrcmpiW (lpString1="AppData", lpString2="Windows") returned -1 [0084.030] lstrcmpiW (lpString1="AppData", lpString2="$Recycle.bin") returned 1 [0084.030] lstrcmpiW (lpString1="AppData", lpString2="System Volume Information") returned -1 [0084.030] lstrcmpiW (lpString1="AppData", lpString2="Program Files") returned -1 [0084.030] lstrcmpiW (lpString1="AppData", lpString2="Program Files (x86)") returned -1 [0084.030] wnsprintfW (in: pszDest=0x3a75b20, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData") returned 27 [0084.030] lstrcmpW (lpString1="AppData", lpString2=".") returned 1 [0084.030] lstrcmpW (lpString1="AppData", lpString2="..") returned 1 [0084.030] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.030] GetProcessHeap () returned 0x3a00000 [0084.030] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a742f0 [0084.030] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\*") returned 29 [0084.030] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\*", lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38578 [0084.031] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.031] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.031] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.031] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.031] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.031] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\.") returned 29 [0084.031] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.031] StrStrIW (lpFirst=".", lpSrch=".ebal") returned 0x0 [0084.031] lstrcmpW (lpString1=".", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0084.031] lstrcmpW (lpString1=".", lpString2="taridd") returned -1 [0084.031] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\.", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\." (normalized: "c:\\users\\fd1hvy\\appdata\\."), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.031] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.031] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.031] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.031] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.031] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.031] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.031] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\..") returned 30 [0084.031] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.031] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.031] StrStrIW (lpFirst="..", lpSrch=".ebal") returned 0x0 [0084.031] lstrcmpW (lpString1="..", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned -1 [0084.031] lstrcmpW (lpString1="..", lpString2="taridd") returned -1 [0084.031] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\..", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.031] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\.." (normalized: "c:\\users\\fd1hvy"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0084.032] FindNextFileW (in: hFindFile=0x3a38578, lpFindFileData=0x65af598 | out: lpFindFileData=0x65af598*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Local", cAlternateFileName="")) returned 1 [0084.032] lstrcmpiW (lpString1="Local", lpString2="Windows") returned -1 [0084.032] lstrcmpiW (lpString1="Local", lpString2="$Recycle.bin") returned 1 [0084.032] lstrcmpiW (lpString1="Local", lpString2="System Volume Information") returned -1 [0084.032] lstrcmpiW (lpString1="Local", lpString2="Program Files") returned -1 [0084.032] lstrcmpiW (lpString1="Local", lpString2="Program Files (x86)") returned -1 [0084.032] wnsprintfW (in: pszDest=0x3a742f0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local") returned 33 [0084.032] lstrcmpW (lpString1="Local", lpString2=".") returned 1 [0084.032] lstrcmpW (lpString1="Local", lpString2="..") returned 1 [0084.032] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.032] GetProcessHeap () returned 0x3a00000 [0084.032] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a732d0 [0084.032] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\*") returned 35 [0084.032] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\*", lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38638 [0084.032] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.032] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.032] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.032] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.032] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.032] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\.") returned 35 [0084.032] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.032] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.032] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.032] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.032] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.032] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.032] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.032] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\..") returned 36 [0084.032] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.033] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.033] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ActiveSync", cAlternateFileName="ACTIVE~1")) returned 1 [0084.033] lstrcmpiW (lpString1="ActiveSync", lpString2="Windows") returned -1 [0084.033] lstrcmpiW (lpString1="ActiveSync", lpString2="$Recycle.bin") returned 1 [0084.033] lstrcmpiW (lpString1="ActiveSync", lpString2="System Volume Information") returned -1 [0084.033] lstrcmpiW (lpString1="ActiveSync", lpString2="Program Files") returned -1 [0084.033] lstrcmpiW (lpString1="ActiveSync", lpString2="Program Files (x86)") returned -1 [0084.033] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync") returned 44 [0084.033] lstrcmpW (lpString1="ActiveSync", lpString2=".") returned 1 [0084.033] lstrcmpW (lpString1="ActiveSync", lpString2="..") returned 1 [0084.033] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.033] GetProcessHeap () returned 0x3a00000 [0084.033] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.033] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\*") returned 46 [0084.033] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38278 [0084.033] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.033] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.033] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.033] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.033] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.033] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\.") returned 46 [0084.033] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.033] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.033] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.033] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.033] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.033] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.033] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.034] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\..") returned 47 [0084.034] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.034] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.034] FindNextFileW (in: hFindFile=0x3a38278, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa96a60b1, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xc4462fde, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa96a60b1, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0084.034] FindClose (in: hFindFile=0x3a38278 | out: hFindFile=0x3a38278) returned 1 [0084.034] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0084.034] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ActiveSync\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\activesync\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.034] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.035] CloseHandle (hObject=0x340) returned 1 [0084.035] GetProcessHeap () returned 0x3a00000 [0084.035] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.035] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Adobe", cAlternateFileName="")) returned 1 [0084.035] lstrcmpiW (lpString1="Adobe", lpString2="Windows") returned -1 [0084.035] lstrcmpiW (lpString1="Adobe", lpString2="$Recycle.bin") returned 1 [0084.035] lstrcmpiW (lpString1="Adobe", lpString2="System Volume Information") returned -1 [0084.035] lstrcmpiW (lpString1="Adobe", lpString2="Program Files") returned -1 [0084.035] lstrcmpiW (lpString1="Adobe", lpString2="Program Files (x86)") returned -1 [0084.035] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe") returned 39 [0084.035] lstrcmpW (lpString1="Adobe", lpString2=".") returned 1 [0084.035] lstrcmpW (lpString1="Adobe", lpString2="..") returned 1 [0084.035] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.035] GetProcessHeap () returned 0x3a00000 [0084.035] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76330 [0084.036] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\*") returned 41 [0084.036] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0084.036] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.036] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.036] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.036] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.036] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.036] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\.") returned 41 [0084.036] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.036] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.036] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.036] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.036] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.036] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.036] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.036] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\..") returned 42 [0084.036] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.036] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.036] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715a3e1e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0084.036] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0084.036] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0084.036] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0084.036] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0084.036] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0084.036] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat") returned 47 [0084.036] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0084.036] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0084.036] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.037] GetProcessHeap () returned 0x3a00000 [0084.037] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.037] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\*") returned 49 [0084.037] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715a3e1e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0084.037] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.037] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.037] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.037] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\.") returned 49 [0084.037] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.037] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x715a3e1e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x715a3e1e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.037] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.037] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.037] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.037] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.037] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.037] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\..") returned 50 [0084.037] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.037] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.037] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe8b394a7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8b394a7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DC", cAlternateFileName="")) returned 1 [0084.037] lstrcmpiW (lpString1="DC", lpString2="Windows") returned -1 [0084.037] lstrcmpiW (lpString1="DC", lpString2="$Recycle.bin") returned 1 [0084.037] lstrcmpiW (lpString1="DC", lpString2="System Volume Information") returned -1 [0084.037] lstrcmpiW (lpString1="DC", lpString2="Program Files") returned -1 [0084.037] lstrcmpiW (lpString1="DC", lpString2="Program Files (x86)") returned -1 [0084.037] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC") returned 50 [0084.037] lstrcmpW (lpString1="DC", lpString2=".") returned 1 [0084.037] lstrcmpW (lpString1="DC", lpString2="..") returned 1 [0084.037] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.038] GetProcessHeap () returned 0x3a00000 [0084.038] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ee8 [0084.038] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\*") returned 52 [0084.038] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe8b394a7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8b394a7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0084.069] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.069] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.069] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.069] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.069] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.069] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\.") returned 52 [0084.069] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.069] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe8b394a7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8b394a7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.069] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.069] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.069] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\..") returned 53 [0084.070] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.070] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.070] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x40b, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AdobeCMapFnt15.lst", cAlternateFileName="ADOBEC~1.LST")) returned 1 [0084.070] lstrcmpiW (lpString1="AdobeCMapFnt15.lst", lpString2="Windows") returned -1 [0084.070] lstrcmpiW (lpString1="AdobeCMapFnt15.lst", lpString2="$Recycle.bin") returned 1 [0084.070] lstrcmpiW (lpString1="AdobeCMapFnt15.lst", lpString2="System Volume Information") returned -1 [0084.070] lstrcmpiW (lpString1="AdobeCMapFnt15.lst", lpString2="Program Files") returned -1 [0084.070] lstrcmpiW (lpString1="AdobeCMapFnt15.lst", lpString2="Program Files (x86)") returned -1 [0084.070] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst") returned 69 [0084.070] StrStrIW (lpFirst="AdobeCMapFnt15.lst", lpSrch=".ebal") returned 0x0 [0084.070] lstrcmpW (lpString1="AdobeCMapFnt15.lst", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.070] lstrcmpW (lpString1="AdobeCMapFnt15.lst", lpString2="taridd") returned -1 [0084.070] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.070] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobecmapfnt15.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.073] GetTickCount () returned 0x1155502 [0084.073] GetTickCount () returned 0x1155502 [0084.073] GetTickCount () returned 0x1155502 [0084.073] GetTickCount () returned 0x1155502 [0084.073] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.073] GetProcessHeap () returned 0x3a00000 [0084.073] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a772b0 [0084.073] ReadFile (in: hFile=0x43c, lpBuffer=0x3a772b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesRead=0x65aeb3c*=0x40b, lpOverlapped=0x0) returned 1 [0084.074] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffbf5, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.074] WriteFile (in: hFile=0x43c, lpBuffer=0x3a772b0*, nNumberOfBytesToWrite=0x40b, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesWritten=0x65aeb3c*=0x40b, lpOverlapped=0x0) returned 1 [0084.075] GetProcessHeap () returned 0x3a00000 [0084.075] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a772b0 | out: hHeap=0x3a00000) returned 1 [0084.075] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.075] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.075] CloseHandle (hObject=0x43c) returned 1 [0084.075] GetProcessHeap () returned 0x3a00000 [0084.075] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.075] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst_r00t_{8ew5f6}.ebal") returned 88 [0084.075] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobecmapfnt15.lst"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeCMapFnt15.lst_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobecmapfnt15.lst_r00t_{8ew5f6}.ebal")) returned 1 [0084.076] GetProcessHeap () returned 0x3a00000 [0084.076] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.076] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x24c57, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AdobeSysFnt15.lst", cAlternateFileName="ADOBES~1.LST")) returned 1 [0084.076] lstrcmpiW (lpString1="AdobeSysFnt15.lst", lpString2="Windows") returned -1 [0084.076] lstrcmpiW (lpString1="AdobeSysFnt15.lst", lpString2="$Recycle.bin") returned 1 [0084.076] lstrcmpiW (lpString1="AdobeSysFnt15.lst", lpString2="System Volume Information") returned -1 [0084.076] lstrcmpiW (lpString1="AdobeSysFnt15.lst", lpString2="Program Files") returned -1 [0084.076] lstrcmpiW (lpString1="AdobeSysFnt15.lst", lpString2="Program Files (x86)") returned -1 [0084.076] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst") returned 68 [0084.076] StrStrIW (lpFirst="AdobeSysFnt15.lst", lpSrch=".ebal") returned 0x0 [0084.076] lstrcmpW (lpString1="AdobeSysFnt15.lst", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.076] lstrcmpW (lpString1="AdobeSysFnt15.lst", lpString2="taridd") returned -1 [0084.076] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.076] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobesysfnt15.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.076] GetTickCount () returned 0x1155502 [0084.077] GetTickCount () returned 0x1155502 [0084.077] GetTickCount () returned 0x1155502 [0084.077] GetTickCount () returned 0x1155502 [0084.077] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.077] GetProcessHeap () returned 0x3a00000 [0084.077] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a772b0 [0084.077] ReadFile (in: hFile=0x43c, lpBuffer=0x3a772b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.079] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.079] WriteFile (in: hFile=0x43c, lpBuffer=0x3a772b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.079] GetProcessHeap () returned 0x3a00000 [0084.079] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a772b0 | out: hHeap=0x3a00000) returned 1 [0084.079] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.079] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.081] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.081] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.082] CloseHandle (hObject=0x43c) returned 1 [0084.082] GetProcessHeap () returned 0x3a00000 [0084.082] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.082] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst_r00t_{8ew5f6}.ebal") returned 87 [0084.083] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobesysfnt15.lst"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\AdobeSysFnt15.lst_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\adobesysfnt15.lst_r00t_{8ew5f6}.ebal")) returned 1 [0084.084] GetProcessHeap () returned 0x3a00000 [0084.084] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.084] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0084.084] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0084.084] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0084.084] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0084.084] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0084.084] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0084.084] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache") returned 56 [0084.084] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0084.084] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0084.084] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.084] GetProcessHeap () returned 0x3a00000 [0084.084] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.084] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\*") returned 58 [0084.084] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0084.085] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.085] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.085] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.085] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.085] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.085] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\.") returned 58 [0084.085] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.085] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.085] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.085] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.085] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.085] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.085] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.085] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\..") returned 59 [0084.085] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.085] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.085] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x255e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AcroFnt15.lst", cAlternateFileName="ACROFN~1.LST")) returned 1 [0084.085] lstrcmpiW (lpString1="AcroFnt15.lst", lpString2="Windows") returned -1 [0084.085] lstrcmpiW (lpString1="AcroFnt15.lst", lpString2="$Recycle.bin") returned 1 [0084.085] lstrcmpiW (lpString1="AcroFnt15.lst", lpString2="System Volume Information") returned -1 [0084.085] lstrcmpiW (lpString1="AcroFnt15.lst", lpString2="Program Files") returned -1 [0084.085] lstrcmpiW (lpString1="AcroFnt15.lst", lpString2="Program Files (x86)") returned -1 [0084.085] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst") returned 70 [0084.085] StrStrIW (lpFirst="AcroFnt15.lst", lpSrch=".ebal") returned 0x0 [0084.085] lstrcmpW (lpString1="AcroFnt15.lst", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.085] lstrcmpW (lpString1="AcroFnt15.lst", lpString2="taridd") returned -1 [0084.085] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.086] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\cache\\acrofnt15.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0084.086] GetTickCount () returned 0x1155512 [0084.086] GetTickCount () returned 0x1155512 [0084.086] GetTickCount () returned 0x1155512 [0084.086] GetTickCount () returned 0x1155512 [0084.086] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0084.086] GetProcessHeap () returned 0x3a00000 [0084.086] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.086] ReadFile (in: hFile=0x440, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65ae8b4*=0x255e, lpOverlapped=0x0) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0xffffdaa2, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.088] WriteFile (in: hFile=0x440, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x255e, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65ae8b4*=0x255e, lpOverlapped=0x0) returned 1 [0084.088] GetProcessHeap () returned 0x3a00000 [0084.088] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x440, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x440, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x440, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0084.088] CloseHandle (hObject=0x440) returned 1 [0084.088] GetProcessHeap () returned 0x3a00000 [0084.088] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.088] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst_r00t_{8ew5f6}.ebal") returned 89 [0084.088] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\cache\\acrofnt15.lst"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\AcroFnt15.lst_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\cache\\acrofnt15.lst_r00t_{8ew5f6}.ebal")) returned 1 [0084.089] GetProcessHeap () returned 0x3a00000 [0084.089] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.089] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b8a348b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b8a348b, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x7b8a348b, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x255e, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AcroFnt15.lst", cAlternateFileName="ACROFN~1.LST")) returned 0 [0084.089] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0084.089] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 88 [0084.089] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\cache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.090] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.091] CloseHandle (hObject=0x43c) returned 1 [0084.091] GetProcessHeap () returned 0x3a00000 [0084.091] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.091] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7b7e48a8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x7b7e48a8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x63727ff2, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xf6b0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="IconCacheRdr.dat", cAlternateFileName="ICONCA~1.DAT")) returned 1 [0084.091] lstrcmpiW (lpString1="IconCacheRdr.dat", lpString2="Windows") returned -1 [0084.091] lstrcmpiW (lpString1="IconCacheRdr.dat", lpString2="$Recycle.bin") returned 1 [0084.091] lstrcmpiW (lpString1="IconCacheRdr.dat", lpString2="System Volume Information") returned -1 [0084.091] lstrcmpiW (lpString1="IconCacheRdr.dat", lpString2="Program Files") returned -1 [0084.091] lstrcmpiW (lpString1="IconCacheRdr.dat", lpString2="Program Files (x86)") returned -1 [0084.091] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat") returned 67 [0084.091] StrStrIW (lpFirst="IconCacheRdr.dat", lpSrch=".ebal") returned 0x0 [0084.091] lstrcmpW (lpString1="IconCacheRdr.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.091] lstrcmpW (lpString1="IconCacheRdr.dat", lpString2="taridd") returned -1 [0084.091] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.091] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.091] GetTickCount () returned 0x1155512 [0084.091] GetTickCount () returned 0x1155512 [0084.091] GetTickCount () returned 0x1155512 [0084.091] GetTickCount () returned 0x1155512 [0084.091] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.092] GetProcessHeap () returned 0x3a00000 [0084.092] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a772b0 [0084.092] ReadFile (in: hFile=0x43c, lpBuffer=0x3a772b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.093] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.093] WriteFile (in: hFile=0x43c, lpBuffer=0x3a772b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.093] GetProcessHeap () returned 0x3a00000 [0084.093] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a772b0 | out: hHeap=0x3a00000) returned 1 [0084.093] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.093] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.096] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.096] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.096] CloseHandle (hObject=0x43c) returned 1 [0084.097] GetProcessHeap () returned 0x3a00000 [0084.097] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a736d8 [0084.097] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat_r00t_{8ew5f6}.ebal") returned 86 [0084.097] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr.dat"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr.dat_r00t_{8ew5f6}.ebal")) returned 1 [0084.099] GetProcessHeap () returned 0x3a00000 [0084.099] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a736d8 | out: hHeap=0x3a00000) returned 1 [0084.099] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8995a87, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe8995a87, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8995a87, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1aaac, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="IconCacheRdr65536.dat", cAlternateFileName="ICONCA~2.DAT")) returned 1 [0084.099] lstrcmpiW (lpString1="IconCacheRdr65536.dat", lpString2="Windows") returned -1 [0084.099] lstrcmpiW (lpString1="IconCacheRdr65536.dat", lpString2="$Recycle.bin") returned 1 [0084.099] lstrcmpiW (lpString1="IconCacheRdr65536.dat", lpString2="System Volume Information") returned -1 [0084.099] lstrcmpiW (lpString1="IconCacheRdr65536.dat", lpString2="Program Files") returned -1 [0084.099] lstrcmpiW (lpString1="IconCacheRdr65536.dat", lpString2="Program Files (x86)") returned -1 [0084.099] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat") returned 72 [0084.099] StrStrIW (lpFirst="IconCacheRdr65536.dat", lpSrch=".ebal") returned 0x0 [0084.099] lstrcmpW (lpString1="IconCacheRdr65536.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.099] lstrcmpW (lpString1="IconCacheRdr65536.dat", lpString2="taridd") returned -1 [0084.099] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.099] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr65536.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.099] GetTickCount () returned 0x1155521 [0084.099] GetTickCount () returned 0x1155521 [0084.099] GetTickCount () returned 0x1155521 [0084.099] GetTickCount () returned 0x1155521 [0084.099] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.100] GetProcessHeap () returned 0x3a00000 [0084.100] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a772b0 [0084.100] ReadFile (in: hFile=0x43c, lpBuffer=0x3a772b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.104] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.105] WriteFile (in: hFile=0x43c, lpBuffer=0x3a772b0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.105] GetProcessHeap () returned 0x3a00000 [0084.105] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a772b0 | out: hHeap=0x3a00000) returned 1 [0084.105] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.105] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.106] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.106] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.106] CloseHandle (hObject=0x43c) returned 1 [0084.106] GetProcessHeap () returned 0x3a00000 [0084.106] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74f08 [0084.106] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat_r00t_{8ew5f6}.ebal") returned 91 [0084.106] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr65536.dat"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\IconCacheRdr65536.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\iconcacherdr65536.dat_r00t_{8ew5f6}.ebal")) returned 1 [0084.107] GetProcessHeap () returned 0x3a00000 [0084.107] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74f08 | out: hHeap=0x3a00000) returned 1 [0084.107] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x76642b27, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76642b27, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe8aecfcb, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1400, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="SharedDataEvents", cAlternateFileName="SHARED~1")) returned 1 [0084.107] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Windows") returned -1 [0084.107] lstrcmpiW (lpString1="SharedDataEvents", lpString2="$Recycle.bin") returned 1 [0084.107] lstrcmpiW (lpString1="SharedDataEvents", lpString2="System Volume Information") returned -1 [0084.107] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files") returned 1 [0084.107] lstrcmpiW (lpString1="SharedDataEvents", lpString2="Program Files (x86)") returned 1 [0084.107] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents") returned 67 [0084.107] StrStrIW (lpFirst="SharedDataEvents", lpSrch=".ebal") returned 0x0 [0084.107] lstrcmpW (lpString1="SharedDataEvents", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.107] lstrcmpW (lpString1="SharedDataEvents", lpString2="taridd") returned -1 [0084.107] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.107] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\shareddataevents"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.108] GetTickCount () returned 0x1155521 [0084.108] GetTickCount () returned 0x1155521 [0084.108] GetTickCount () returned 0x1155521 [0084.108] GetTickCount () returned 0x1155521 [0084.108] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.108] GetProcessHeap () returned 0x3a00000 [0084.108] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a772b0 [0084.108] ReadFile (in: hFile=0x43c, lpBuffer=0x3a772b0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesRead=0x65aeb3c*=0x1400, lpOverlapped=0x0) returned 1 [0084.112] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffec00, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.112] WriteFile (in: hFile=0x43c, lpBuffer=0x3a772b0*, nNumberOfBytesToWrite=0x1400, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a772b0*, lpNumberOfBytesWritten=0x65aeb3c*=0x1400, lpOverlapped=0x0) returned 1 [0084.112] GetProcessHeap () returned 0x3a00000 [0084.112] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a772b0 | out: hHeap=0x3a00000) returned 1 [0084.112] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.112] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.112] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.113] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.113] CloseHandle (hObject=0x43c) returned 1 [0084.113] GetProcessHeap () returned 0x3a00000 [0084.113] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.113] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents_r00t_{8ew5f6}.ebal") returned 86 [0084.113] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\shareddataevents"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\shareddataevents_r00t_{8ew5f6}.ebal")) returned 1 [0084.113] GetProcessHeap () returned 0x3a00000 [0084.113] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.113] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8a08189, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe8a08189, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8a08189, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ToolsSearchCacheRdr", cAlternateFileName="TOOLSS~1")) returned 1 [0084.114] lstrcmpiW (lpString1="ToolsSearchCacheRdr", lpString2="Windows") returned -1 [0084.114] lstrcmpiW (lpString1="ToolsSearchCacheRdr", lpString2="$Recycle.bin") returned 1 [0084.114] lstrcmpiW (lpString1="ToolsSearchCacheRdr", lpString2="System Volume Information") returned 1 [0084.114] lstrcmpiW (lpString1="ToolsSearchCacheRdr", lpString2="Program Files") returned 1 [0084.114] lstrcmpiW (lpString1="ToolsSearchCacheRdr", lpString2="Program Files (x86)") returned 1 [0084.114] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr") returned 70 [0084.114] lstrcmpW (lpString1="ToolsSearchCacheRdr", lpString2=".") returned 1 [0084.114] lstrcmpW (lpString1="ToolsSearchCacheRdr", lpString2="..") returned 1 [0084.114] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.114] GetProcessHeap () returned 0x3a00000 [0084.114] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a736d8 [0084.114] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\*") returned 72 [0084.114] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8a08189, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe8a08189, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8a08189, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38778 [0084.114] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.114] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.114] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.114] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.114] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.114] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\.") returned 72 [0084.114] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.114] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8a08189, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe8a08189, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8a08189, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.114] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.114] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.114] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.114] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.115] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.115] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\..") returned 73 [0084.115] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.115] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.115] FindNextFileW (in: hFindFile=0x3a38778, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe8a08189, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xe8a08189, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8a08189, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0084.115] FindClose (in: hFindFile=0x3a38778 | out: hFindFile=0x3a38778) returned 1 [0084.115] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 102 [0084.115] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\ToolsSearchCacheRdr\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\toolssearchcacherdr\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.116] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.117] CloseHandle (hObject=0x43c) returned 1 [0084.117] GetProcessHeap () returned 0x3a00000 [0084.117] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a736d8 | out: hHeap=0x3a00000) returned 1 [0084.117] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74f036ab, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x74f036ab, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x59d13ceb, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xf76f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserCache.bin", cAlternateFileName="USERCA~1.BIN")) returned 1 [0084.117] lstrcmpiW (lpString1="UserCache.bin", lpString2="Windows") returned -1 [0084.117] lstrcmpiW (lpString1="UserCache.bin", lpString2="$Recycle.bin") returned 1 [0084.117] lstrcmpiW (lpString1="UserCache.bin", lpString2="System Volume Information") returned 1 [0084.117] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files") returned 1 [0084.117] lstrcmpiW (lpString1="UserCache.bin", lpString2="Program Files (x86)") returned 1 [0084.117] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin") returned 64 [0084.117] StrStrIW (lpFirst="UserCache.bin", lpSrch=".ebal") returned 0x0 [0084.117] lstrcmpW (lpString1="UserCache.bin", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.117] lstrcmpW (lpString1="UserCache.bin", lpString2="taridd") returned 1 [0084.117] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.117] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\usercache.bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.130] GetTickCount () returned 0x1155540 [0084.130] GetTickCount () returned 0x1155540 [0084.130] GetTickCount () returned 0x1155540 [0084.130] GetTickCount () returned 0x1155540 [0084.130] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.130] GetProcessHeap () returned 0x3a00000 [0084.130] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.130] ReadFile (in: hFile=0x43c, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.135] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.137] WriteFile (in: hFile=0x43c, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.138] GetProcessHeap () returned 0x3a00000 [0084.138] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.138] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.138] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.138] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.138] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.139] CloseHandle (hObject=0x43c) returned 1 [0084.139] GetProcessHeap () returned 0x3a00000 [0084.139] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a736d8 [0084.139] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin_r00t_{8ew5f6}.ebal") returned 83 [0084.139] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\usercache.bin"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\usercache.bin_r00t_{8ew5f6}.ebal")) returned 1 [0084.139] GetProcessHeap () returned 0x3a00000 [0084.139] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a736d8 | out: hHeap=0x3a00000) returned 1 [0084.139] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x74f036ab, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x74f036ab, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x59d13ceb, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0xf76f, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UserCache.bin", cAlternateFileName="USERCA~1.BIN")) returned 0 [0084.139] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0084.151] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0084.151] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\DC\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\dc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.152] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0084.152] CloseHandle (hObject=0x438) returned 1 [0084.153] GetProcessHeap () returned 0x3a00000 [0084.153] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ee8 | out: hHeap=0x3a00000) returned 1 [0084.153] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xe8b394a7, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8b394a7, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DC", cAlternateFileName="")) returned 0 [0084.153] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0084.153] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0084.153] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrobat\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.153] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.154] CloseHandle (hObject=0x434) returned 1 [0084.154] GetProcessHeap () returned 0x3a00000 [0084.154] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0084.154] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AcroCef", cAlternateFileName="")) returned 1 [0084.154] lstrcmpiW (lpString1="AcroCef", lpString2="Windows") returned -1 [0084.154] lstrcmpiW (lpString1="AcroCef", lpString2="$Recycle.bin") returned 1 [0084.154] lstrcmpiW (lpString1="AcroCef", lpString2="System Volume Information") returned -1 [0084.154] lstrcmpiW (lpString1="AcroCef", lpString2="Program Files") returned -1 [0084.154] lstrcmpiW (lpString1="AcroCef", lpString2="Program Files (x86)") returned -1 [0084.154] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef") returned 47 [0084.154] lstrcmpW (lpString1="AcroCef", lpString2=".") returned 1 [0084.154] lstrcmpW (lpString1="AcroCef", lpString2="..") returned 1 [0084.154] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.154] GetProcessHeap () returned 0x3a00000 [0084.154] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.154] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\*") returned 49 [0084.154] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a387b8 [0084.155] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.155] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.155] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.155] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\.") returned 49 [0084.155] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.155] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.155] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.155] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.155] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\..") returned 50 [0084.155] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.155] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.155] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DC", cAlternateFileName="")) returned 1 [0084.194] lstrcmpiW (lpString1="DC", lpString2="Windows") returned -1 [0084.194] lstrcmpiW (lpString1="DC", lpString2="$Recycle.bin") returned 1 [0084.194] lstrcmpiW (lpString1="DC", lpString2="System Volume Information") returned -1 [0084.194] lstrcmpiW (lpString1="DC", lpString2="Program Files") returned -1 [0084.194] lstrcmpiW (lpString1="DC", lpString2="Program Files (x86)") returned -1 [0084.194] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC") returned 50 [0084.194] lstrcmpW (lpString1="DC", lpString2=".") returned 1 [0084.194] lstrcmpW (lpString1="DC", lpString2="..") returned 1 [0084.194] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.194] GetProcessHeap () returned 0x3a00000 [0084.194] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.194] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\*") returned 52 [0084.194] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0084.195] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.195] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.195] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.195] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.195] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.195] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\.") returned 52 [0084.195] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.195] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.195] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.195] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.195] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.195] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.195] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.195] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\..") returned 53 [0084.195] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.195] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.195] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Acrobat", cAlternateFileName="")) returned 1 [0084.195] lstrcmpiW (lpString1="Acrobat", lpString2="Windows") returned -1 [0084.195] lstrcmpiW (lpString1="Acrobat", lpString2="$Recycle.bin") returned 1 [0084.195] lstrcmpiW (lpString1="Acrobat", lpString2="System Volume Information") returned -1 [0084.195] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files") returned -1 [0084.195] lstrcmpiW (lpString1="Acrobat", lpString2="Program Files (x86)") returned -1 [0084.196] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat") returned 58 [0084.196] lstrcmpW (lpString1="Acrobat", lpString2=".") returned 1 [0084.196] lstrcmpW (lpString1="Acrobat", lpString2="..") returned 1 [0084.196] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.196] GetProcessHeap () returned 0x3a00000 [0084.196] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74f08 [0084.196] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\*") returned 60 [0084.196] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xd6a51047, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38138 [0084.196] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.196] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.196] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.196] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.196] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.196] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\.") returned 60 [0084.197] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.197] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xd6a51047, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.197] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.197] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.197] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.197] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.197] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.197] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\..") returned 61 [0084.197] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.197] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.197] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a51047, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd780dd5d, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd780dd5d, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0084.197] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0084.197] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0084.197] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0084.197] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0084.197] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0084.197] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache") returned 64 [0084.197] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0084.197] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0084.197] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.197] GetProcessHeap () returned 0x3a00000 [0084.197] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ee8 [0084.197] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\*") returned 66 [0084.197] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a51047, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd780dd5d, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd7823d0a, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0084.198] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.198] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.198] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.198] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.198] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.198] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\.") returned 66 [0084.198] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.198] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a51047, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd780dd5d, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd7823d0a, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.198] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.198] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.198] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.198] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.198] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.198] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\..") returned 67 [0084.198] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.198] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.198] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd781529a, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd781529a, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd781529a, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_0", cAlternateFileName="")) returned 1 [0084.198] lstrcmpiW (lpString1="data_0", lpString2="Windows") returned -1 [0084.198] lstrcmpiW (lpString1="data_0", lpString2="$Recycle.bin") returned 1 [0084.198] lstrcmpiW (lpString1="data_0", lpString2="System Volume Information") returned -1 [0084.198] lstrcmpiW (lpString1="data_0", lpString2="Program Files") returned -1 [0084.198] lstrcmpiW (lpString1="data_0", lpString2="Program Files (x86)") returned -1 [0084.198] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0") returned 71 [0084.198] StrStrIW (lpFirst="data_0", lpSrch=".ebal") returned 0x0 [0084.199] lstrcmpW (lpString1="data_0", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.199] lstrcmpW (lpString1="data_0", lpString2="taridd") returned -1 [0084.199] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.199] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.199] GetTickCount () returned 0x115557f [0084.199] GetTickCount () returned 0x115557f [0084.199] GetTickCount () returned 0x115557f [0084.199] GetTickCount () returned 0x115557f [0084.199] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.200] GetProcessHeap () returned 0x3a00000 [0084.200] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.200] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.201] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.202] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.202] GetProcessHeap () returned 0x3a00000 [0084.202] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.202] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.202] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.202] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.202] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.202] CloseHandle (hObject=0x44c) returned 1 [0084.202] GetProcessHeap () returned 0x3a00000 [0084.202] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.202] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0_r00t_{8ew5f6}.ebal") returned 90 [0084.202] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_0_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_0_r00t_{8ew5f6}.ebal")) returned 1 [0084.203] GetProcessHeap () returned 0x3a00000 [0084.203] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.203] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78179b2, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd78179b2, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xe8c1e26a, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x42000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_1", cAlternateFileName="")) returned 1 [0084.203] lstrcmpiW (lpString1="data_1", lpString2="Windows") returned -1 [0084.203] lstrcmpiW (lpString1="data_1", lpString2="$Recycle.bin") returned 1 [0084.203] lstrcmpiW (lpString1="data_1", lpString2="System Volume Information") returned -1 [0084.203] lstrcmpiW (lpString1="data_1", lpString2="Program Files") returned -1 [0084.203] lstrcmpiW (lpString1="data_1", lpString2="Program Files (x86)") returned -1 [0084.203] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1") returned 71 [0084.203] StrStrIW (lpFirst="data_1", lpSrch=".ebal") returned 0x0 [0084.203] lstrcmpW (lpString1="data_1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.203] lstrcmpW (lpString1="data_1", lpString2="taridd") returned -1 [0084.203] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.203] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.204] GetTickCount () returned 0x115558f [0084.204] GetTickCount () returned 0x115558f [0084.204] GetTickCount () returned 0x115558f [0084.204] GetTickCount () returned 0x115558f [0084.204] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.204] GetProcessHeap () returned 0x3a00000 [0084.204] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.204] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.206] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.206] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.206] GetProcessHeap () returned 0x3a00000 [0084.206] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.206] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.206] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.210] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.210] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.210] CloseHandle (hObject=0x44c) returned 1 [0084.210] GetProcessHeap () returned 0x3a00000 [0084.210] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.210] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1_r00t_{8ew5f6}.ebal") returned 90 [0084.210] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_1_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_1_r00t_{8ew5f6}.ebal")) returned 1 [0084.212] GetProcessHeap () returned 0x3a00000 [0084.212] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.212] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd78215d4, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd78215d4, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd78215d4, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_2", cAlternateFileName="")) returned 1 [0084.212] lstrcmpiW (lpString1="data_2", lpString2="Windows") returned -1 [0084.212] lstrcmpiW (lpString1="data_2", lpString2="$Recycle.bin") returned 1 [0084.212] lstrcmpiW (lpString1="data_2", lpString2="System Volume Information") returned -1 [0084.212] lstrcmpiW (lpString1="data_2", lpString2="Program Files") returned -1 [0084.212] lstrcmpiW (lpString1="data_2", lpString2="Program Files (x86)") returned -1 [0084.212] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2") returned 71 [0084.212] StrStrIW (lpFirst="data_2", lpSrch=".ebal") returned 0x0 [0084.213] lstrcmpW (lpString1="data_2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.213] lstrcmpW (lpString1="data_2", lpString2="taridd") returned -1 [0084.213] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.213] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.213] GetTickCount () returned 0x115558f [0084.213] GetTickCount () returned 0x115558f [0084.213] GetTickCount () returned 0x115558f [0084.213] GetTickCount () returned 0x115558f [0084.213] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.213] GetProcessHeap () returned 0x3a00000 [0084.213] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.213] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.216] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.216] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.219] GetProcessHeap () returned 0x3a00000 [0084.219] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.219] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.219] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.219] CloseHandle (hObject=0x44c) returned 1 [0084.219] GetProcessHeap () returned 0x3a00000 [0084.219] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75718 [0084.220] wnsprintfW (in: pszDest=0x3a75718, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2_r00t_{8ew5f6}.ebal") returned 90 [0084.220] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_2_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_2_r00t_{8ew5f6}.ebal")) returned 1 [0084.220] GetProcessHeap () returned 0x3a00000 [0084.220] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75718 | out: hHeap=0x3a00000) returned 1 [0084.220] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7823d0a, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd7823d0a, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd7823d0a, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_3", cAlternateFileName="")) returned 1 [0084.220] lstrcmpiW (lpString1="data_3", lpString2="Windows") returned -1 [0084.220] lstrcmpiW (lpString1="data_3", lpString2="$Recycle.bin") returned 1 [0084.220] lstrcmpiW (lpString1="data_3", lpString2="System Volume Information") returned -1 [0084.220] lstrcmpiW (lpString1="data_3", lpString2="Program Files") returned -1 [0084.220] lstrcmpiW (lpString1="data_3", lpString2="Program Files (x86)") returned -1 [0084.220] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3") returned 71 [0084.220] StrStrIW (lpFirst="data_3", lpSrch=".ebal") returned 0x0 [0084.220] lstrcmpW (lpString1="data_3", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.220] lstrcmpW (lpString1="data_3", lpString2="taridd") returned -1 [0084.220] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.220] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.221] GetTickCount () returned 0x115559e [0084.221] GetTickCount () returned 0x115559e [0084.221] GetTickCount () returned 0x115559e [0084.221] GetTickCount () returned 0x115559e [0084.221] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.221] GetProcessHeap () returned 0x3a00000 [0084.221] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.221] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.228] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.228] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.228] GetProcessHeap () returned 0x3a00000 [0084.228] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.228] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.229] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.229] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.229] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.229] CloseHandle (hObject=0x44c) returned 1 [0084.229] GetProcessHeap () returned 0x3a00000 [0084.229] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.229] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3_r00t_{8ew5f6}.ebal") returned 90 [0084.229] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_3"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\data_3_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\data_3_r00t_{8ew5f6}.ebal")) returned 1 [0084.230] GetProcessHeap () returned 0x3a00000 [0084.230] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.230] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd780dd5d, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd780dd5d, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd7812b7f, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x80170, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="index", cAlternateFileName="")) returned 1 [0084.230] lstrcmpiW (lpString1="index", lpString2="Windows") returned -1 [0084.230] lstrcmpiW (lpString1="index", lpString2="$Recycle.bin") returned 1 [0084.230] lstrcmpiW (lpString1="index", lpString2="System Volume Information") returned -1 [0084.230] lstrcmpiW (lpString1="index", lpString2="Program Files") returned -1 [0084.230] lstrcmpiW (lpString1="index", lpString2="Program Files (x86)") returned -1 [0084.230] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index") returned 70 [0084.230] StrStrIW (lpFirst="index", lpSrch=".ebal") returned 0x0 [0084.230] lstrcmpW (lpString1="index", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.230] lstrcmpW (lpString1="index", lpString2="taridd") returned -1 [0084.230] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.230] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\index"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.230] GetTickCount () returned 0x115559e [0084.230] GetTickCount () returned 0x115559e [0084.230] GetTickCount () returned 0x115559e [0084.230] GetTickCount () returned 0x115559e [0084.230] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.231] GetProcessHeap () returned 0x3a00000 [0084.231] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.231] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.261] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.263] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.264] GetProcessHeap () returned 0x3a00000 [0084.264] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.264] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.264] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.271] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.271] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.271] CloseHandle (hObject=0x44c) returned 1 [0084.271] GetProcessHeap () returned 0x3a00000 [0084.271] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.271] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index_r00t_{8ew5f6}.ebal") returned 89 [0084.271] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\index"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\index_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\index_r00t_{8ew5f6}.ebal")) returned 1 [0084.272] GetProcessHeap () returned 0x3a00000 [0084.272] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.272] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd780dd5d, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd780dd5d, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd7812b7f, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x80170, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="index", cAlternateFileName="")) returned 0 [0084.272] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0084.272] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 96 [0084.272] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cache\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cache\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0084.273] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0084.273] CloseHandle (hObject=0x440) returned 1 [0084.274] GetProcessHeap () returned 0x3a00000 [0084.274] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ee8 | out: hHeap=0x3a00000) returned 1 [0084.274] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x777b22bc, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cookie", cAlternateFileName="")) returned 1 [0084.274] lstrcmpiW (lpString1="Cookie", lpString2="Windows") returned -1 [0084.274] lstrcmpiW (lpString1="Cookie", lpString2="$Recycle.bin") returned 1 [0084.274] lstrcmpiW (lpString1="Cookie", lpString2="System Volume Information") returned -1 [0084.274] lstrcmpiW (lpString1="Cookie", lpString2="Program Files") returned -1 [0084.274] lstrcmpiW (lpString1="Cookie", lpString2="Program Files (x86)") returned -1 [0084.274] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie") returned 65 [0084.274] lstrcmpW (lpString1="Cookie", lpString2=".") returned 1 [0084.274] lstrcmpW (lpString1="Cookie", lpString2="..") returned 1 [0084.274] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.274] GetProcessHeap () returned 0x3a00000 [0084.274] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.274] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\*") returned 67 [0084.274] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x777b22bc, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0084.274] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.274] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.274] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.274] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.274] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.274] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\.") returned 67 [0084.274] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.274] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x777b22bc, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.275] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.275] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.275] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.275] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.275] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.275] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\..") returned 68 [0084.275] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.275] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.275] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777b22bc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x777b22bc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xd7437f7e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cookies", cAlternateFileName="")) returned 1 [0084.275] lstrcmpiW (lpString1="Cookies", lpString2="Windows") returned -1 [0084.275] lstrcmpiW (lpString1="Cookies", lpString2="$Recycle.bin") returned 1 [0084.275] lstrcmpiW (lpString1="Cookies", lpString2="System Volume Information") returned -1 [0084.275] lstrcmpiW (lpString1="Cookies", lpString2="Program Files") returned -1 [0084.275] lstrcmpiW (lpString1="Cookies", lpString2="Program Files (x86)") returned -1 [0084.275] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies") returned 73 [0084.275] StrStrIW (lpFirst="Cookies", lpSrch=".ebal") returned 0x0 [0084.275] lstrcmpW (lpString1="Cookies", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.275] lstrcmpW (lpString1="Cookies", lpString2="taridd") returned -1 [0084.275] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.275] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.276] GetTickCount () returned 0x11555cd [0084.276] GetTickCount () returned 0x11555cd [0084.276] GetTickCount () returned 0x11555cd [0084.276] GetTickCount () returned 0x11555cd [0084.276] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.276] GetProcessHeap () returned 0x3a00000 [0084.276] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.276] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x1c00, lpOverlapped=0x0) returned 1 [0084.278] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0xffffe400, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.278] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x1c00, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x1c00, lpOverlapped=0x0) returned 1 [0084.278] GetProcessHeap () returned 0x3a00000 [0084.278] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.278] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.278] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.278] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.278] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.278] CloseHandle (hObject=0x44c) returned 1 [0084.278] GetProcessHeap () returned 0x3a00000 [0084.278] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.278] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies_r00t_{8ew5f6}.ebal") returned 92 [0084.278] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies_r00t_{8ew5f6}.ebal")) returned 1 [0084.279] GetProcessHeap () returned 0x3a00000 [0084.279] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.279] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777b22bc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x777b22bc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xd74f6b1c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cookies-journal", cAlternateFileName="COOKIE~1")) returned 1 [0084.279] lstrcmpiW (lpString1="Cookies-journal", lpString2="Windows") returned -1 [0084.279] lstrcmpiW (lpString1="Cookies-journal", lpString2="$Recycle.bin") returned 1 [0084.279] lstrcmpiW (lpString1="Cookies-journal", lpString2="System Volume Information") returned -1 [0084.279] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files") returned -1 [0084.279] lstrcmpiW (lpString1="Cookies-journal", lpString2="Program Files (x86)") returned -1 [0084.279] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal") returned 81 [0084.279] StrStrIW (lpFirst="Cookies-journal", lpSrch=".ebal") returned 0x0 [0084.279] lstrcmpW (lpString1="Cookies-journal", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.279] lstrcmpW (lpString1="Cookies-journal", lpString2="taridd") returned -1 [0084.279] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.279] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies-journal"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x44c [0084.279] GetTickCount () returned 0x11555cd [0084.279] GetTickCount () returned 0x11555cd [0084.279] GetTickCount () returned 0x11555cd [0084.279] GetTickCount () returned 0x11555cd [0084.280] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.280] GetProcessHeap () returned 0x3a00000 [0084.280] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a7a2c8 [0084.280] ReadFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesRead=0x65ae62c*=0x0, lpOverlapped=0x0) returned 1 [0084.280] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.280] WriteFile (in: hFile=0x44c, lpBuffer=0x3a7a2c8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a7a2c8*, lpNumberOfBytesWritten=0x65ae62c*=0x0, lpOverlapped=0x0) returned 1 [0084.280] GetProcessHeap () returned 0x3a00000 [0084.280] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a7a2c8 | out: hHeap=0x3a00000) returned 1 [0084.280] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.280] WriteFile (in: hFile=0x44c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.281] WriteFile (in: hFile=0x44c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.282] WriteFile (in: hFile=0x44c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.282] CloseHandle (hObject=0x44c) returned 1 [0084.282] GetProcessHeap () returned 0x3a00000 [0084.282] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.282] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal_r00t_{8ew5f6}.ebal") returned 100 [0084.282] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies-journal"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\Cookies-journal_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\cookies-journal_r00t_{8ew5f6}.ebal")) returned 1 [0084.282] GetProcessHeap () returned 0x3a00000 [0084.282] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.282] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x777b22bc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x777b22bc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xd74f6b1c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cookies-journal", cAlternateFileName="COOKIE~1")) returned 0 [0084.282] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0084.282] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 97 [0084.283] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\Cookie\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\cookie\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x440 [0084.288] WriteFile (in: hFile=0x440, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0084.289] CloseHandle (hObject=0x440) returned 1 [0084.289] GetProcessHeap () returned 0x3a00000 [0084.289] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.289] FindNextFileW (in: hFindFile=0x3a38138, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x777b22bc, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cookie", cAlternateFileName="")) returned 0 [0084.289] FindClose (in: hFindFile=0x3a38138 | out: hFindFile=0x3a38138) returned 1 [0084.289] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0084.289] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\Acrobat\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\acrobat\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.290] WriteFile (in: hFile=0x43c, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.290] CloseHandle (hObject=0x43c) returned 1 [0084.291] GetProcessHeap () returned 0x3a00000 [0084.291] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74f08 | out: hHeap=0x3a00000) returned 1 [0084.291] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Acrobat", cAlternateFileName="")) returned 0 [0084.291] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0084.291] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0084.291] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\DC\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\dc\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.291] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0084.292] CloseHandle (hObject=0x438) returned 1 [0084.292] GetProcessHeap () returned 0x3a00000 [0084.292] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.292] FindNextFileW (in: hFindFile=0x3a387b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x76e74ef1, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x76e74ef1, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x76e74ef1, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="DC", cAlternateFileName="")) returned 0 [0084.292] FindClose (in: hFindFile=0x3a387b8 | out: hFindFile=0x3a387b8) returned 1 [0084.292] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0084.292] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\AcroCef\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\acrocef\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.293] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.293] CloseHandle (hObject=0x434) returned 1 [0084.293] GetProcessHeap () returned 0x3a00000 [0084.293] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.293] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73de0392, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Color", cAlternateFileName="")) returned 1 [0084.294] lstrcmpiW (lpString1="Color", lpString2="Windows") returned -1 [0084.294] lstrcmpiW (lpString1="Color", lpString2="$Recycle.bin") returned 1 [0084.294] lstrcmpiW (lpString1="Color", lpString2="System Volume Information") returned -1 [0084.294] lstrcmpiW (lpString1="Color", lpString2="Program Files") returned -1 [0084.294] lstrcmpiW (lpString1="Color", lpString2="Program Files (x86)") returned -1 [0084.294] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color") returned 45 [0084.294] lstrcmpW (lpString1="Color", lpString2=".") returned 1 [0084.294] lstrcmpW (lpString1="Color", lpString2="..") returned 1 [0084.294] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.294] GetProcessHeap () returned 0x3a00000 [0084.294] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.294] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\*") returned 47 [0084.294] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73de0392, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382f8 [0084.294] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.294] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.294] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.294] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.294] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.294] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\.") returned 47 [0084.294] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.294] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73de0392, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.294] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.294] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.294] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.294] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.294] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.294] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\..") returned 48 [0084.295] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.295] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.295] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73de0392, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73e065fe, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x480, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="ACECache11.lst", cAlternateFileName="ACECAC~1.LST")) returned 1 [0084.295] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Windows") returned -1 [0084.295] lstrcmpiW (lpString1="ACECache11.lst", lpString2="$Recycle.bin") returned 1 [0084.295] lstrcmpiW (lpString1="ACECache11.lst", lpString2="System Volume Information") returned -1 [0084.295] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files") returned -1 [0084.295] lstrcmpiW (lpString1="ACECache11.lst", lpString2="Program Files (x86)") returned -1 [0084.295] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst") returned 60 [0084.295] StrStrIW (lpFirst="ACECache11.lst", lpSrch=".ebal") returned 0x0 [0084.295] lstrcmpW (lpString1="ACECache11.lst", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.295] lstrcmpW (lpString1="ACECache11.lst", lpString2="taridd") returned -1 [0084.295] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.295] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\acecache11.lst"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.315] GetTickCount () returned 0x11555fc [0084.315] GetTickCount () returned 0x11555fc [0084.315] GetTickCount () returned 0x11555fc [0084.315] GetTickCount () returned 0x11555fc [0084.315] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.315] GetProcessHeap () returned 0x3a00000 [0084.315] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.315] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x480, lpOverlapped=0x0) returned 1 [0084.319] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xfffffb80, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.319] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x480, lpOverlapped=0x0) returned 1 [0084.319] GetProcessHeap () returned 0x3a00000 [0084.319] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.319] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.319] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.319] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.319] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.319] CloseHandle (hObject=0x438) returned 1 [0084.319] GetProcessHeap () returned 0x3a00000 [0084.319] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.319] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst_r00t_{8ew5f6}.ebal") returned 79 [0084.319] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\acecache11.lst"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\ACECache11.lst_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\acecache11.lst_r00t_{8ew5f6}.ebal")) returned 1 [0084.320] GetProcessHeap () returned 0x3a00000 [0084.320] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0084.320] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73a98eca, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 1 [0084.320] lstrcmpiW (lpString1="Profiles", lpString2="Windows") returned -1 [0084.320] lstrcmpiW (lpString1="Profiles", lpString2="$Recycle.bin") returned 1 [0084.320] lstrcmpiW (lpString1="Profiles", lpString2="System Volume Information") returned -1 [0084.320] lstrcmpiW (lpString1="Profiles", lpString2="Program Files") returned -1 [0084.320] lstrcmpiW (lpString1="Profiles", lpString2="Program Files (x86)") returned -1 [0084.320] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles") returned 54 [0084.320] lstrcmpW (lpString1="Profiles", lpString2=".") returned 1 [0084.320] lstrcmpW (lpString1="Profiles", lpString2="..") returned 1 [0084.321] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.321] GetProcessHeap () returned 0x3a00000 [0084.321] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.321] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\*") returned 56 [0084.321] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73a98eca, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38238 [0084.324] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.324] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.324] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.324] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.324] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.324] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\.") returned 56 [0084.324] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.324] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73a98eca, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.324] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.324] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.324] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.324] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.324] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.324] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\..") returned 57 [0084.324] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.324] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.324] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d479e6, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d479e6, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d479e6, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x102a0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wscRGB.icc", cAlternateFileName="")) returned 1 [0084.324] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Windows") returned 1 [0084.324] lstrcmpiW (lpString1="wscRGB.icc", lpString2="$Recycle.bin") returned 1 [0084.324] lstrcmpiW (lpString1="wscRGB.icc", lpString2="System Volume Information") returned 1 [0084.324] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files") returned 1 [0084.324] lstrcmpiW (lpString1="wscRGB.icc", lpString2="Program Files (x86)") returned 1 [0084.324] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc") returned 65 [0084.324] StrStrIW (lpFirst="wscRGB.icc", lpSrch=".ebal") returned 0x0 [0084.324] lstrcmpW (lpString1="wscRGB.icc", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.325] lstrcmpW (lpString1="wscRGB.icc", lpString2="taridd") returned 1 [0084.325] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.325] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.325] GetTickCount () returned 0x11555fc [0084.325] GetTickCount () returned 0x11555fc [0084.325] GetTickCount () returned 0x11555fc [0084.325] GetTickCount () returned 0x11555fc [0084.325] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.325] GetProcessHeap () returned 0x3a00000 [0084.325] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.325] ReadFile (in: hFile=0x43c, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.330] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.330] WriteFile (in: hFile=0x43c, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.331] GetProcessHeap () returned 0x3a00000 [0084.331] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.331] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.331] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.333] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.333] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.333] CloseHandle (hObject=0x43c) returned 1 [0084.333] GetProcessHeap () returned 0x3a00000 [0084.333] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.333] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc_r00t_{8ew5f6}.ebal") returned 84 [0084.333] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wscrgb.icc_r00t_{8ew5f6}.ebal")) returned 1 [0084.334] GetProcessHeap () returned 0x3a00000 [0084.334] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.334] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d6dc69, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa74, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wsRGB.icc", cAlternateFileName="")) returned 1 [0084.334] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Windows") returned 1 [0084.334] lstrcmpiW (lpString1="wsRGB.icc", lpString2="$Recycle.bin") returned 1 [0084.334] lstrcmpiW (lpString1="wsRGB.icc", lpString2="System Volume Information") returned 1 [0084.334] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files") returned 1 [0084.334] lstrcmpiW (lpString1="wsRGB.icc", lpString2="Program Files (x86)") returned 1 [0084.334] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc") returned 64 [0084.334] StrStrIW (lpFirst="wsRGB.icc", lpSrch=".ebal") returned 0x0 [0084.334] lstrcmpW (lpString1="wsRGB.icc", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.334] lstrcmpW (lpString1="wsRGB.icc", lpString2="taridd") returned 1 [0084.334] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.334] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.335] GetTickCount () returned 0x115560c [0084.335] GetTickCount () returned 0x115560c [0084.335] GetTickCount () returned 0x115560c [0084.335] GetTickCount () returned 0x115560c [0084.335] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.335] GetProcessHeap () returned 0x3a00000 [0084.335] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.335] ReadFile (in: hFile=0x43c, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aeb3c*=0xa74, lpOverlapped=0x0) returned 1 [0084.336] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffff58c, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.336] WriteFile (in: hFile=0x43c, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0xa74, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aeb3c*=0xa74, lpOverlapped=0x0) returned 1 [0084.336] GetProcessHeap () returned 0x3a00000 [0084.337] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.337] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.337] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.337] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.337] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.337] CloseHandle (hObject=0x43c) returned 1 [0084.337] GetProcessHeap () returned 0x3a00000 [0084.337] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.337] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc_r00t_{8ew5f6}.ebal") returned 83 [0084.337] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\wsrgb.icc_r00t_{8ew5f6}.ebal")) returned 1 [0084.337] GetProcessHeap () returned 0x3a00000 [0084.338] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.338] FindNextFileW (in: hFindFile=0x3a38238, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x73d6dc69, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0xa74, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="wsRGB.icc", cAlternateFileName="")) returned 0 [0084.338] FindClose (in: hFindFile=0x3a38238 | out: hFindFile=0x3a38238) returned 1 [0084.338] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 86 [0084.338] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\Profiles\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\profiles\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.340] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0084.341] CloseHandle (hObject=0x438) returned 1 [0084.341] GetProcessHeap () returned 0x3a00000 [0084.341] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.341] FindNextFileW (in: hFindFile=0x3a382f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x73a98eca, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73d6dc69, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73d6dc69, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Profiles", cAlternateFileName="")) returned 0 [0084.341] FindClose (in: hFindFile=0x3a382f8 | out: hFindFile=0x3a382f8) returned 1 [0084.341] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 77 [0084.341] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\Color\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\color\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.342] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.342] CloseHandle (hObject=0x434) returned 1 [0084.342] GetProcessHeap () returned 0x3a00000 [0084.342] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.343] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73de0392, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Color", cAlternateFileName="")) returned 0 [0084.384] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0084.384] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0084.384] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Adobe\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\adobe\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.387] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.388] CloseHandle (hObject=0x340) returned 1 [0084.388] GetProcessHeap () returned 0x3a00000 [0084.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76330 | out: hHeap=0x3a00000) returned 1 [0084.389] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0084.389] lstrcmpiW (lpString1="Application Data", lpString2="Windows") returned -1 [0084.389] lstrcmpiW (lpString1="Application Data", lpString2="$Recycle.bin") returned 1 [0084.389] lstrcmpiW (lpString1="Application Data", lpString2="System Volume Information") returned -1 [0084.389] lstrcmpiW (lpString1="Application Data", lpString2="Program Files") returned -1 [0084.389] lstrcmpiW (lpString1="Application Data", lpString2="Program Files (x86)") returned -1 [0084.389] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Application Data") returned 50 [0084.389] lstrcmpW (lpString1="Application Data", lpString2=".") returned 1 [0084.389] lstrcmpW (lpString1="Application Data", lpString2="..") returned 1 [0084.389] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Application Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.389] GetProcessHeap () returned 0x3a00000 [0084.389] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.389] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Application Data\\*") returned 52 [0084.389] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Application Data\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x715a3e1e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x73de0392, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x73de0392, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Co?", cAlternateFileName="㋐Χ￿￿扨@￿￿㋐Χ\x05")) returned 0xffffffff [0084.389] GetProcessHeap () returned 0x3a00000 [0084.389] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.389] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="CEF", cAlternateFileName="")) returned 1 [0084.389] lstrcmpiW (lpString1="CEF", lpString2="Windows") returned -1 [0084.389] lstrcmpiW (lpString1="CEF", lpString2="$Recycle.bin") returned 1 [0084.389] lstrcmpiW (lpString1="CEF", lpString2="System Volume Information") returned -1 [0084.389] lstrcmpiW (lpString1="CEF", lpString2="Program Files") returned -1 [0084.389] lstrcmpiW (lpString1="CEF", lpString2="Program Files (x86)") returned -1 [0084.389] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF") returned 37 [0084.389] lstrcmpW (lpString1="CEF", lpString2=".") returned 1 [0084.390] lstrcmpW (lpString1="CEF", lpString2="..") returned 1 [0084.390] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.390] GetProcessHeap () returned 0x3a00000 [0084.390] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.390] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\*") returned 39 [0084.390] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385b8 [0084.390] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.390] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.390] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.390] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.390] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.390] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\.") returned 39 [0084.390] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.390] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.390] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.390] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.390] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.390] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.390] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.390] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\..") returned 40 [0084.390] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.390] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.390] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 1 [0084.390] lstrcmpiW (lpString1="User Data", lpString2="Windows") returned -1 [0084.390] lstrcmpiW (lpString1="User Data", lpString2="$Recycle.bin") returned 1 [0084.390] lstrcmpiW (lpString1="User Data", lpString2="System Volume Information") returned 1 [0084.390] lstrcmpiW (lpString1="User Data", lpString2="Program Files") returned 1 [0084.391] lstrcmpiW (lpString1="User Data", lpString2="Program Files (x86)") returned 1 [0084.391] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data") returned 47 [0084.391] lstrcmpW (lpString1="User Data", lpString2=".") returned 1 [0084.391] lstrcmpW (lpString1="User Data", lpString2="..") returned 1 [0084.391] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.391] GetProcessHeap () returned 0x3a00000 [0084.391] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.391] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\*") returned 49 [0084.391] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0084.391] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.391] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.391] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.391] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.391] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.391] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\.") returned 49 [0084.391] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.391] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.391] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.391] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.391] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.391] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.391] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.391] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\..") returned 50 [0084.391] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.391] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.391] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 1 [0084.391] lstrcmpiW (lpString1="Dictionaries", lpString2="Windows") returned -1 [0084.391] lstrcmpiW (lpString1="Dictionaries", lpString2="$Recycle.bin") returned 1 [0084.392] lstrcmpiW (lpString1="Dictionaries", lpString2="System Volume Information") returned -1 [0084.392] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files") returned -1 [0084.392] lstrcmpiW (lpString1="Dictionaries", lpString2="Program Files (x86)") returned -1 [0084.392] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries") returned 60 [0084.392] lstrcmpW (lpString1="Dictionaries", lpString2=".") returned 1 [0084.392] lstrcmpW (lpString1="Dictionaries", lpString2="..") returned 1 [0084.392] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.392] GetProcessHeap () returned 0x3a00000 [0084.392] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76330 [0084.392] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\*") returned 62 [0084.392] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0084.392] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.392] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.392] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.392] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.392] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.392] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\.") returned 62 [0084.392] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.392] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.392] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.392] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.392] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.392] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.392] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.392] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\..") returned 63 [0084.392] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.392] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.392] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0084.393] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0084.393] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 92 [0084.393] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\Dictionaries\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\cef\\user data\\dictionaries\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.394] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0084.394] CloseHandle (hObject=0x438) returned 1 [0084.395] GetProcessHeap () returned 0x3a00000 [0084.395] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76330 | out: hHeap=0x3a00000) returned 1 [0084.395] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Dictionaries", cAlternateFileName="DICTIO~1")) returned 0 [0084.395] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0084.395] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 79 [0084.395] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\User Data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\cef\\user data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.395] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.396] CloseHandle (hObject=0x434) returned 1 [0084.396] GetProcessHeap () returned 0x3a00000 [0084.396] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.396] FindNextFileW (in: hFindFile=0x3a385b8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd6a9d454, ftCreationTime.dwHighDateTime=0x1d35e03, ftLastAccessTime.dwLowDateTime=0xd6a9d454, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0xd6a9d454, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 0 [0084.396] FindClose (in: hFindFile=0x3a385b8 | out: hFindFile=0x3a385b8) returned 1 [0084.396] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 69 [0084.396] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\CEF\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\cef\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.397] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.398] CloseHandle (hObject=0x340) returned 1 [0084.398] GetProcessHeap () returned 0x3a00000 [0084.398] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.398] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Comms", cAlternateFileName="")) returned 1 [0084.398] lstrcmpiW (lpString1="Comms", lpString2="Windows") returned -1 [0084.398] lstrcmpiW (lpString1="Comms", lpString2="$Recycle.bin") returned 1 [0084.398] lstrcmpiW (lpString1="Comms", lpString2="System Volume Information") returned -1 [0084.398] lstrcmpiW (lpString1="Comms", lpString2="Program Files") returned -1 [0084.398] lstrcmpiW (lpString1="Comms", lpString2="Program Files (x86)") returned -1 [0084.398] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms") returned 39 [0084.398] lstrcmpW (lpString1="Comms", lpString2=".") returned 1 [0084.398] lstrcmpW (lpString1="Comms", lpString2="..") returned 1 [0084.398] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.398] GetProcessHeap () returned 0x3a00000 [0084.398] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76330 [0084.398] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\*") returned 41 [0084.398] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a381f8 [0084.399] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.399] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.399] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.399] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.399] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.399] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\.") returned 41 [0084.399] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.399] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a165bd, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc46ec579, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x476c0de7, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.399] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.399] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.399] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.399] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.399] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.399] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\..") returned 42 [0084.399] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.399] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.399] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x476c0de7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda8906a2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xda8906a2, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Temp", cAlternateFileName="")) returned 1 [0084.399] lstrcmpiW (lpString1="Temp", lpString2="Windows") returned -1 [0084.399] lstrcmpiW (lpString1="Temp", lpString2="$Recycle.bin") returned 1 [0084.399] lstrcmpiW (lpString1="Temp", lpString2="System Volume Information") returned 1 [0084.399] lstrcmpiW (lpString1="Temp", lpString2="Program Files") returned 1 [0084.399] lstrcmpiW (lpString1="Temp", lpString2="Program Files (x86)") returned 1 [0084.399] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp") returned 44 [0084.399] lstrcmpW (lpString1="Temp", lpString2=".") returned 1 [0084.399] lstrcmpW (lpString1="Temp", lpString2="..") returned 1 [0084.399] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.399] GetProcessHeap () returned 0x3a00000 [0084.399] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.399] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\*") returned 46 [0084.399] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x476c0de7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda8906a2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xda8906a2, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a384b8 [0084.401] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.401] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.401] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.401] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.401] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.401] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\.") returned 46 [0084.401] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.401] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x476c0de7, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda8906a2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xda8906a2, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.401] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.401] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.401] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.401] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.401] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.401] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\..") returned 47 [0084.401] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.401] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.401] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e43986b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda8906a2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xda8906a2, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 1 [0084.401] lstrcmpiW (lpString1="CalendarCache.dat", lpString2="Windows") returned -1 [0084.401] lstrcmpiW (lpString1="CalendarCache.dat", lpString2="$Recycle.bin") returned 1 [0084.401] lstrcmpiW (lpString1="CalendarCache.dat", lpString2="System Volume Information") returned -1 [0084.401] lstrcmpiW (lpString1="CalendarCache.dat", lpString2="Program Files") returned -1 [0084.401] lstrcmpiW (lpString1="CalendarCache.dat", lpString2="Program Files (x86)") returned -1 [0084.401] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat") returned 62 [0084.401] StrStrIW (lpFirst="CalendarCache.dat", lpSrch=".ebal") returned 0x0 [0084.401] lstrcmpW (lpString1="CalendarCache.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.401] lstrcmpW (lpString1="CalendarCache.dat", lpString2="taridd") returned -1 [0084.402] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.402] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\temp\\calendarcache.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.403] GetTickCount () returned 0x115564a [0084.403] GetTickCount () returned 0x115564a [0084.403] GetTickCount () returned 0x115564a [0084.403] GetTickCount () returned 0x115564a [0084.403] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.403] GetProcessHeap () returned 0x3a00000 [0084.403] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.403] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x14, lpOverlapped=0x0) returned 1 [0084.404] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffffec, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.404] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x14, lpOverlapped=0x0) returned 1 [0084.404] GetProcessHeap () returned 0x3a00000 [0084.404] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.404] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.404] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.414] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.415] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.415] CloseHandle (hObject=0x438) returned 1 [0084.415] GetProcessHeap () returned 0x3a00000 [0084.415] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.415] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat_r00t_{8ew5f6}.ebal") returned 81 [0084.415] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\temp\\calendarcache.dat"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\CalendarCache.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\temp\\calendarcache.dat_r00t_{8ew5f6}.ebal")) returned 1 [0084.416] GetProcessHeap () returned 0x3a00000 [0084.416] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.416] FindNextFileW (in: hFindFile=0x3a384b8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e43986b, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xda8906a2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xda8906a2, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CalendarCache.dat", cAlternateFileName="CALEND~1.DAT")) returned 0 [0084.416] FindClose (in: hFindFile=0x3a384b8 | out: hFindFile=0x3a384b8) returned 1 [0084.416] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 76 [0084.416] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Temp\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\temp\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.416] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.417] CloseHandle (hObject=0x434) returned 1 [0084.417] GetProcessHeap () returned 0x3a00000 [0084.417] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.417] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4713d6be, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6d619041, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Unistore", cAlternateFileName="")) returned 1 [0084.418] lstrcmpiW (lpString1="Unistore", lpString2="Windows") returned -1 [0084.418] lstrcmpiW (lpString1="Unistore", lpString2="$Recycle.bin") returned 1 [0084.418] lstrcmpiW (lpString1="Unistore", lpString2="System Volume Information") returned 1 [0084.418] lstrcmpiW (lpString1="Unistore", lpString2="Program Files") returned 1 [0084.418] lstrcmpiW (lpString1="Unistore", lpString2="Program Files (x86)") returned 1 [0084.418] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore") returned 48 [0084.418] lstrcmpW (lpString1="Unistore", lpString2=".") returned 1 [0084.418] lstrcmpW (lpString1="Unistore", lpString2="..") returned 1 [0084.418] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.418] GetProcessHeap () returned 0x3a00000 [0084.418] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.418] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\*") returned 50 [0084.418] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4713d6be, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6d619041, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0084.418] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.418] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.418] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.418] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.418] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.418] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\.") returned 50 [0084.418] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.418] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4713d6be, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6d619041, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.418] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.418] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.419] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.419] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.419] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.419] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\..") returned 51 [0084.419] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.419] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.419] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d619041, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x30deaa8c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data", cAlternateFileName="")) returned 1 [0084.419] lstrcmpiW (lpString1="data", lpString2="Windows") returned -1 [0084.419] lstrcmpiW (lpString1="data", lpString2="$Recycle.bin") returned 1 [0084.419] lstrcmpiW (lpString1="data", lpString2="System Volume Information") returned -1 [0084.419] lstrcmpiW (lpString1="data", lpString2="Program Files") returned -1 [0084.419] lstrcmpiW (lpString1="data", lpString2="Program Files (x86)") returned -1 [0084.419] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data") returned 53 [0084.419] lstrcmpW (lpString1="data", lpString2=".") returned 1 [0084.419] lstrcmpW (lpString1="data", lpString2="..") returned 1 [0084.419] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.419] GetProcessHeap () returned 0x3a00000 [0084.419] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.419] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\*") returned 55 [0084.419] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d619041, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x30deaa8c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38838 [0084.420] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.420] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.420] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.420] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.420] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.420] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\.") returned 55 [0084.420] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.421] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d619041, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x30deaa8c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.421] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.421] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.421] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.421] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.421] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.421] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\..") returned 56 [0084.421] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.421] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.421] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92842523, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92842523, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xe5af4421, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AggregateCache.uca", cAlternateFileName="AGGREG~1.UCA")) returned 1 [0084.421] lstrcmpiW (lpString1="AggregateCache.uca", lpString2="Windows") returned -1 [0084.421] lstrcmpiW (lpString1="AggregateCache.uca", lpString2="$Recycle.bin") returned 1 [0084.421] lstrcmpiW (lpString1="AggregateCache.uca", lpString2="System Volume Information") returned -1 [0084.421] lstrcmpiW (lpString1="AggregateCache.uca", lpString2="Program Files") returned -1 [0084.421] lstrcmpiW (lpString1="AggregateCache.uca", lpString2="Program Files (x86)") returned -1 [0084.421] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca") returned 72 [0084.421] StrStrIW (lpFirst="AggregateCache.uca", lpSrch=".ebal") returned 0x0 [0084.421] lstrcmpW (lpString1="AggregateCache.uca", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.421] lstrcmpW (lpString1="AggregateCache.uca", lpString2="taridd") returned -1 [0084.421] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.421] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistore\\data\\aggregatecache.uca"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x43c [0084.422] GetTickCount () returned 0x1155669 [0084.422] GetTickCount () returned 0x1155669 [0084.422] GetTickCount () returned 0x1155669 [0084.422] GetTickCount () returned 0x1155669 [0084.422] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.422] GetProcessHeap () returned 0x3a00000 [0084.423] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.423] ReadFile (in: hFile=0x43c, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.423] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0xfffffffc, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.424] WriteFile (in: hFile=0x43c, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.424] GetProcessHeap () returned 0x3a00000 [0084.424] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.424] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.425] WriteFile (in: hFile=0x43c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.426] WriteFile (in: hFile=0x43c, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.426] WriteFile (in: hFile=0x43c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.426] CloseHandle (hObject=0x43c) returned 1 [0084.426] GetProcessHeap () returned 0x3a00000 [0084.426] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75718 [0084.426] wnsprintfW (in: pszDest=0x3a75718, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca_r00t_{8ew5f6}.ebal") returned 91 [0084.426] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistore\\data\\aggregatecache.uca"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\AggregateCache.uca_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistore\\data\\aggregatecache.uca_r00t_{8ew5f6}.ebal")) returned 1 [0084.427] GetProcessHeap () returned 0x3a00000 [0084.427] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75718 | out: hHeap=0x3a00000) returned 1 [0084.427] FindNextFileW (in: hFindFile=0x3a38838, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x92842523, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x92842523, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xe5af4421, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x4, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="AggregateCache.uca", cAlternateFileName="AGGREG~1.UCA")) returned 0 [0084.427] FindClose (in: hFindFile=0x3a38838 | out: hFindFile=0x3a38838) returned 1 [0084.428] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 85 [0084.428] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\data\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistore\\data\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.428] WriteFile (in: hFile=0x438, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aeb44, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aeb44*=0x3a6, lpOverlapped=0x0) returned 1 [0084.429] CloseHandle (hObject=0x438) returned 1 [0084.429] GetProcessHeap () returned 0x3a00000 [0084.429] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.429] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d619041, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6d619041, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x30deaa8c, ftLastWriteTime.dwHighDateTime=0x1d32745, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data", cAlternateFileName="")) returned 0 [0084.429] FindClose (in: hFindFile=0x3a38378 | out: hFindFile=0x3a38378) returned 1 [0084.429] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 80 [0084.429] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\Unistore\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistore\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.430] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.431] CloseHandle (hObject=0x434) returned 1 [0084.431] GetProcessHeap () returned 0x3a00000 [0084.431] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.431] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a3c828, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc12eebd3, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xc12eebd3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 1 [0084.431] lstrcmpiW (lpString1="UnistoreDB", lpString2="Windows") returned -1 [0084.432] lstrcmpiW (lpString1="UnistoreDB", lpString2="$Recycle.bin") returned 1 [0084.432] lstrcmpiW (lpString1="UnistoreDB", lpString2="System Volume Information") returned 1 [0084.432] lstrcmpiW (lpString1="UnistoreDB", lpString2="Program Files") returned 1 [0084.432] lstrcmpiW (lpString1="UnistoreDB", lpString2="Program Files (x86)") returned 1 [0084.432] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB") returned 50 [0084.432] lstrcmpW (lpString1="UnistoreDB", lpString2=".") returned 1 [0084.432] lstrcmpW (lpString1="UnistoreDB", lpString2="..") returned 1 [0084.432] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.432] GetProcessHeap () returned 0x3a00000 [0084.432] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.432] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\*") returned 52 [0084.432] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a3c828, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc12eebd3, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x1a672446, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0084.434] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.434] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.434] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.434] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.434] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.434] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\.") returned 52 [0084.434] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.434] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a3c828, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc12eebd3, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0x1a672446, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.434] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.434] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.434] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.434] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.434] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.434] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\..") returned 53 [0084.434] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.434] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.434] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bfe5114, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6bfe5114, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1a541366, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="store.jfm", cAlternateFileName="")) returned 1 [0084.434] lstrcmpiW (lpString1="store.jfm", lpString2="Windows") returned -1 [0084.434] lstrcmpiW (lpString1="store.jfm", lpString2="$Recycle.bin") returned 1 [0084.434] lstrcmpiW (lpString1="store.jfm", lpString2="System Volume Information") returned -1 [0084.434] lstrcmpiW (lpString1="store.jfm", lpString2="Program Files") returned 1 [0084.434] lstrcmpiW (lpString1="store.jfm", lpString2="Program Files (x86)") returned 1 [0084.434] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm") returned 60 [0084.434] StrStrIW (lpFirst="store.jfm", lpSrch=".ebal") returned 0x0 [0084.435] lstrcmpW (lpString1="store.jfm", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.435] lstrcmpW (lpString1="store.jfm", lpString2="taridd") returned -1 [0084.435] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.435] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.jfm"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.435] GetTickCount () returned 0x1155679 [0084.435] GetTickCount () returned 0x1155679 [0084.435] GetTickCount () returned 0x1155679 [0084.435] GetTickCount () returned 0x1155679 [0084.435] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.436] GetProcessHeap () returned 0x3a00000 [0084.436] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.436] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.439] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.439] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.439] GetProcessHeap () returned 0x3a00000 [0084.439] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.439] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.440] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.440] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.440] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.440] CloseHandle (hObject=0x438) returned 1 [0084.440] GetProcessHeap () returned 0x3a00000 [0084.440] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75718 [0084.440] wnsprintfW (in: pszDest=0x3a75718, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm_r00t_{8ew5f6}.ebal") returned 79 [0084.440] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.jfm"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.jfm_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.jfm_r00t_{8ew5f6}.ebal")) returned 1 [0084.441] GetProcessHeap () returned 0x3a00000 [0084.441] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75718 | out: hHeap=0x3a00000) returned 1 [0084.441] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x46f4d81c, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46f4d81c, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x1a5b3b2e, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0xd80000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="store.vol", cAlternateFileName="")) returned 1 [0084.441] lstrcmpiW (lpString1="store.vol", lpString2="Windows") returned -1 [0084.441] lstrcmpiW (lpString1="store.vol", lpString2="$Recycle.bin") returned 1 [0084.441] lstrcmpiW (lpString1="store.vol", lpString2="System Volume Information") returned -1 [0084.441] lstrcmpiW (lpString1="store.vol", lpString2="Program Files") returned 1 [0084.441] lstrcmpiW (lpString1="store.vol", lpString2="Program Files (x86)") returned 1 [0084.441] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol") returned 60 [0084.441] StrStrIW (lpFirst="store.vol", lpSrch=".ebal") returned 0x0 [0084.441] lstrcmpW (lpString1="store.vol", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.441] lstrcmpW (lpString1="store.vol", lpString2="taridd") returned -1 [0084.441] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.441] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.vol"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.442] GetTickCount () returned 0x1155679 [0084.442] GetTickCount () returned 0x1155679 [0084.442] GetTickCount () returned 0x1155679 [0084.442] GetTickCount () returned 0x1155679 [0084.442] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.442] GetProcessHeap () returned 0x3a00000 [0084.442] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.442] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.444] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.445] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.445] GetProcessHeap () returned 0x3a00000 [0084.445] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.445] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.445] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.446] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.447] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.447] CloseHandle (hObject=0x438) returned 1 [0084.447] GetProcessHeap () returned 0x3a00000 [0084.447] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.447] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol_r00t_{8ew5f6}.ebal") returned 79 [0084.447] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.vol"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\store.vol_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\store.vol_r00t_{8ew5f6}.ebal")) returned 1 [0084.447] GetProcessHeap () returned 0x3a00000 [0084.447] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0084.447] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c293b35, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6c293b35, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xc120a166, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USS.jcp", cAlternateFileName="")) returned 1 [0084.447] lstrcmpiW (lpString1="USS.jcp", lpString2="Windows") returned -1 [0084.448] lstrcmpiW (lpString1="USS.jcp", lpString2="$Recycle.bin") returned 1 [0084.448] lstrcmpiW (lpString1="USS.jcp", lpString2="System Volume Information") returned 1 [0084.448] lstrcmpiW (lpString1="USS.jcp", lpString2="Program Files") returned 1 [0084.448] lstrcmpiW (lpString1="USS.jcp", lpString2="Program Files (x86)") returned 1 [0084.448] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp") returned 58 [0084.448] StrStrIW (lpFirst="USS.jcp", lpSrch=".ebal") returned 0x0 [0084.448] lstrcmpW (lpString1="USS.jcp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.448] lstrcmpW (lpString1="USS.jcp", lpString2="taridd") returned 1 [0084.448] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.448] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jcp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.448] GetTickCount () returned 0x1155679 [0084.448] GetTickCount () returned 0x1155679 [0084.448] GetTickCount () returned 0x1155679 [0084.448] GetTickCount () returned 0x1155679 [0084.448] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.448] GetProcessHeap () returned 0x3a00000 [0084.448] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.448] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2000, lpOverlapped=0x0) returned 1 [0084.450] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.451] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2000, lpOverlapped=0x0) returned 1 [0084.451] GetProcessHeap () returned 0x3a00000 [0084.451] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.451] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.451] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.455] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.455] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.456] CloseHandle (hObject=0x438) returned 1 [0084.456] GetProcessHeap () returned 0x3a00000 [0084.457] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74f08 [0084.457] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp_r00t_{8ew5f6}.ebal") returned 77 [0084.457] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jcp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jcp_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jcp_r00t_{8ew5f6}.ebal")) returned 1 [0084.457] GetProcessHeap () returned 0x3a00000 [0084.457] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74f08 | out: hHeap=0x3a00000) returned 1 [0084.457] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1163b2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6c1163b2, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1a4363d1, ftLastWriteTime.dwHighDateTime=0x1d336e0, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USS.jtx", cAlternateFileName="")) returned 1 [0084.457] lstrcmpiW (lpString1="USS.jtx", lpString2="Windows") returned -1 [0084.457] lstrcmpiW (lpString1="USS.jtx", lpString2="$Recycle.bin") returned 1 [0084.457] lstrcmpiW (lpString1="USS.jtx", lpString2="System Volume Information") returned 1 [0084.457] lstrcmpiW (lpString1="USS.jtx", lpString2="Program Files") returned 1 [0084.457] lstrcmpiW (lpString1="USS.jtx", lpString2="Program Files (x86)") returned 1 [0084.457] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx") returned 58 [0084.457] StrStrIW (lpFirst="USS.jtx", lpSrch=".ebal") returned 0x0 [0084.457] lstrcmpW (lpString1="USS.jtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.457] lstrcmpW (lpString1="USS.jtx", lpString2="taridd") returned 1 [0084.457] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.457] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.458] GetTickCount () returned 0x1155689 [0084.458] GetTickCount () returned 0x1155689 [0084.458] GetTickCount () returned 0x1155689 [0084.458] GetTickCount () returned 0x1155689 [0084.458] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.458] GetProcessHeap () returned 0x3a00000 [0084.458] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.458] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.460] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.460] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.460] GetProcessHeap () returned 0x3a00000 [0084.460] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.460] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.460] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.462] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.462] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.462] CloseHandle (hObject=0x438) returned 1 [0084.462] GetProcessHeap () returned 0x3a00000 [0084.462] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.462] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx_r00t_{8ew5f6}.ebal") returned 77 [0084.462] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jtx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USS.jtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\uss.jtx_r00t_{8ew5f6}.ebal")) returned 1 [0084.463] GetProcessHeap () returned 0x3a00000 [0084.463] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.463] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a62b13, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46a62b13, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x46a62b13, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USSres00001.jrs", cAlternateFileName="USSRES~1.JRS")) returned 1 [0084.463] lstrcmpiW (lpString1="USSres00001.jrs", lpString2="Windows") returned -1 [0084.463] lstrcmpiW (lpString1="USSres00001.jrs", lpString2="$Recycle.bin") returned 1 [0084.463] lstrcmpiW (lpString1="USSres00001.jrs", lpString2="System Volume Information") returned 1 [0084.463] lstrcmpiW (lpString1="USSres00001.jrs", lpString2="Program Files") returned 1 [0084.463] lstrcmpiW (lpString1="USSres00001.jrs", lpString2="Program Files (x86)") returned 1 [0084.463] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs") returned 66 [0084.463] StrStrIW (lpFirst="USSres00001.jrs", lpSrch=".ebal") returned 0x0 [0084.463] lstrcmpW (lpString1="USSres00001.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.463] lstrcmpW (lpString1="USSres00001.jrs", lpString2="taridd") returned 1 [0084.463] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.463] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.463] GetTickCount () returned 0x1155689 [0084.463] GetTickCount () returned 0x1155689 [0084.463] GetTickCount () returned 0x1155689 [0084.463] GetTickCount () returned 0x1155689 [0084.463] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.464] GetProcessHeap () returned 0x3a00000 [0084.464] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.464] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.465] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.465] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.465] GetProcessHeap () returned 0x3a00000 [0084.465] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.465] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.465] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.613] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.614] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.614] CloseHandle (hObject=0x438) returned 1 [0084.614] GetProcessHeap () returned 0x3a00000 [0084.614] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74f08 [0084.614] wnsprintfW (in: pszDest=0x3a74f08, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs_r00t_{8ew5f6}.ebal") returned 85 [0084.614] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00001.jrs_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00001.jrs_r00t_{8ew5f6}.ebal")) returned 1 [0084.615] GetProcessHeap () returned 0x3a00000 [0084.615] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74f08 | out: hHeap=0x3a00000) returned 1 [0084.615] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x46a62b13, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x46a62b13, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x46a62b13, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USSres00002.jrs", cAlternateFileName="USSRES~2.JRS")) returned 1 [0084.615] lstrcmpiW (lpString1="USSres00002.jrs", lpString2="Windows") returned -1 [0084.615] lstrcmpiW (lpString1="USSres00002.jrs", lpString2="$Recycle.bin") returned 1 [0084.615] lstrcmpiW (lpString1="USSres00002.jrs", lpString2="System Volume Information") returned 1 [0084.615] lstrcmpiW (lpString1="USSres00002.jrs", lpString2="Program Files") returned 1 [0084.615] lstrcmpiW (lpString1="USSres00002.jrs", lpString2="Program Files (x86)") returned 1 [0084.615] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs") returned 66 [0084.615] StrStrIW (lpFirst="USSres00002.jrs", lpSrch=".ebal") returned 0x0 [0084.615] lstrcmpW (lpString1="USSres00002.jrs", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.615] lstrcmpW (lpString1="USSres00002.jrs", lpString2="taridd") returned 1 [0084.615] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.615] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.616] GetTickCount () returned 0x1155734 [0084.616] GetTickCount () returned 0x1155734 [0084.616] GetTickCount () returned 0x1155734 [0084.616] GetTickCount () returned 0x1155734 [0084.616] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.616] GetProcessHeap () returned 0x3a00000 [0084.616] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.616] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.619] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.619] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.619] GetProcessHeap () returned 0x3a00000 [0084.619] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.619] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.619] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.670] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.670] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.670] CloseHandle (hObject=0x438) returned 1 [0084.670] GetProcessHeap () returned 0x3a00000 [0084.670] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.670] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs_r00t_{8ew5f6}.ebal") returned 85 [0084.670] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USSres00002.jrs_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\ussres00002.jrs_r00t_{8ew5f6}.ebal")) returned 1 [0084.671] GetProcessHeap () returned 0x3a00000 [0084.671] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76738 | out: hHeap=0x3a00000) returned 1 [0084.671] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1163b2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6c221427, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6c221427, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USStmp.jtx", cAlternateFileName="")) returned 1 [0084.671] lstrcmpiW (lpString1="USStmp.jtx", lpString2="Windows") returned -1 [0084.671] lstrcmpiW (lpString1="USStmp.jtx", lpString2="$Recycle.bin") returned 1 [0084.671] lstrcmpiW (lpString1="USStmp.jtx", lpString2="System Volume Information") returned 1 [0084.671] lstrcmpiW (lpString1="USStmp.jtx", lpString2="Program Files") returned 1 [0084.671] lstrcmpiW (lpString1="USStmp.jtx", lpString2="Program Files (x86)") returned 1 [0084.671] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx") returned 61 [0084.671] StrStrIW (lpFirst="USStmp.jtx", lpSrch=".ebal") returned 0x0 [0084.671] lstrcmpW (lpString1="USStmp.jtx", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.672] lstrcmpW (lpString1="USStmp.jtx", lpString2="taridd") returned 1 [0084.672] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.672] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\usstmp.jtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x438 [0084.673] GetTickCount () returned 0x1155763 [0084.673] GetTickCount () returned 0x1155763 [0084.673] GetTickCount () returned 0x1155763 [0084.673] GetTickCount () returned 0x1155763 [0084.673] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x2c, dwBufLen=0x80 | out: pbData=0x65aed10*, pdwDataLen=0x65aedc0*=0x80) returned 1 [0084.674] GetProcessHeap () returned 0x3a00000 [0084.674] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.674] ReadFile (in: hFile=0x438, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.677] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.677] WriteFile (in: hFile=0x438, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aedc4*=0x2800, lpOverlapped=0x0) returned 1 [0084.677] GetProcessHeap () returned 0x3a00000 [0084.677] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.677] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.677] WriteFile (in: hFile=0x438, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aedc4*=0x300, lpOverlapped=0x0) returned 1 [0084.792] WriteFile (in: hFile=0x438, lpBuffer=0x65aed10*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x65aed10*, lpNumberOfBytesWritten=0x65aedc4*=0x80, lpOverlapped=0x0) returned 1 [0084.792] WriteFile (in: hFile=0x438, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aedc4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aedc4*=0x4, lpOverlapped=0x0) returned 1 [0084.792] CloseHandle (hObject=0x438) returned 1 [0084.792] GetProcessHeap () returned 0x3a00000 [0084.792] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.792] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx_r00t_{8ew5f6}.ebal") returned 80 [0084.792] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\usstmp.jtx"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\USStmp.jtx_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\usstmp.jtx_r00t_{8ew5f6}.ebal")) returned 1 [0084.793] GetProcessHeap () returned 0x3a00000 [0084.793] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.793] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c1163b2, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x6c221427, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x6c221427, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="USStmp.jtx", cAlternateFileName="")) returned 0 [0084.793] FindClose (in: hFindFile=0x3a38338 | out: hFindFile=0x3a38338) returned 1 [0084.793] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 82 [0084.793] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\UnistoreDB\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\unistoredb\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.794] WriteFile (in: hFile=0x434, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65aedcc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65aedcc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.795] CloseHandle (hObject=0x434) returned 1 [0084.795] GetProcessHeap () returned 0x3a00000 [0084.795] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.795] FindNextFileW (in: hFindFile=0x3a381f8, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x46a3c828, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xc12eebd3, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xc12eebd3, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="UnistoreDB", cAlternateFileName="UNISTO~1")) returned 0 [0084.795] FindClose (in: hFindFile=0x3a381f8 | out: hFindFile=0x3a381f8) returned 1 [0084.795] wnsprintfW (in: pszDest=0x3a76330, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 71 [0084.795] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Comms\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\comms\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.798] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.799] CloseHandle (hObject=0x340) returned 1 [0084.799] GetProcessHeap () returned 0x3a00000 [0084.799] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76330 | out: hHeap=0x3a00000) returned 1 [0084.799] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="ConnectedDevicesPlatform", cAlternateFileName="CONNEC~1")) returned 1 [0084.799] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="Windows") returned -1 [0084.799] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="$Recycle.bin") returned 1 [0084.800] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="System Volume Information") returned -1 [0084.800] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="Program Files") returned -1 [0084.800] lstrcmpiW (lpString1="ConnectedDevicesPlatform", lpString2="Program Files (x86)") returned -1 [0084.800] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform") returned 58 [0084.800] lstrcmpW (lpString1="ConnectedDevicesPlatform", lpString2=".") returned 1 [0084.800] lstrcmpW (lpString1="ConnectedDevicesPlatform", lpString2="..") returned 1 [0084.800] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.800] GetProcessHeap () returned 0x3a00000 [0084.800] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ee8 [0084.800] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\*") returned 60 [0084.800] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38738 [0084.800] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.800] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.800] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.800] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.800] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.800] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\.") returned 60 [0084.800] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.800] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc58b9bba, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.800] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.800] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.800] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.800] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.800] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.800] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\..") returned 61 [0084.800] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.800] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.800] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x435d76fd, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x5f7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CDPGlobalSettings.cdp", cAlternateFileName="CDPGLO~1.CDP")) returned 1 [0084.801] lstrcmpiW (lpString1="CDPGlobalSettings.cdp", lpString2="Windows") returned -1 [0084.801] lstrcmpiW (lpString1="CDPGlobalSettings.cdp", lpString2="$Recycle.bin") returned 1 [0084.801] lstrcmpiW (lpString1="CDPGlobalSettings.cdp", lpString2="System Volume Information") returned -1 [0084.801] lstrcmpiW (lpString1="CDPGlobalSettings.cdp", lpString2="Program Files") returned -1 [0084.801] lstrcmpiW (lpString1="CDPGlobalSettings.cdp", lpString2="Program Files (x86)") returned -1 [0084.801] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp") returned 80 [0084.801] StrStrIW (lpFirst="CDPGlobalSettings.cdp", lpSrch=".ebal") returned 0x0 [0084.801] lstrcmpW (lpString1="CDPGlobalSettings.cdp", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.801] lstrcmpW (lpString1="CDPGlobalSettings.cdp", lpString2="taridd") returned -1 [0084.801] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.801] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\connecteddevicesplatform\\cdpglobalsettings.cdp"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x434 [0084.801] GetTickCount () returned 0x11557f0 [0084.801] GetTickCount () returned 0x11557f0 [0084.801] GetTickCount () returned 0x11557f0 [0084.801] GetTickCount () returned 0x11557f0 [0084.801] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aef98*, pdwDataLen=0x65af048*=0x2c, dwBufLen=0x80 | out: pbData=0x65aef98*, pdwDataLen=0x65af048*=0x80) returned 1 [0084.801] GetProcessHeap () returned 0x3a00000 [0084.801] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a68258 [0084.801] ReadFile (in: hFile=0x434, lpBuffer=0x3a68258, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesRead=0x65af04c*=0x5f7, lpOverlapped=0x0) returned 1 [0084.802] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0xfffffa09, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.802] WriteFile (in: hFile=0x434, lpBuffer=0x3a68258*, nNumberOfBytesToWrite=0x5f7, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a68258*, lpNumberOfBytesWritten=0x65af04c*=0x5f7, lpOverlapped=0x0) returned 1 [0084.802] GetProcessHeap () returned 0x3a00000 [0084.802] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a68258 | out: hHeap=0x3a00000) returned 1 [0084.802] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.802] WriteFile (in: hFile=0x434, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65af04c*=0x300, lpOverlapped=0x0) returned 1 [0084.802] WriteFile (in: hFile=0x434, lpBuffer=0x65aef98*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x65aef98*, lpNumberOfBytesWritten=0x65af04c*=0x80, lpOverlapped=0x0) returned 1 [0084.803] WriteFile (in: hFile=0x434, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65af04c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65af04c*=0x4, lpOverlapped=0x0) returned 1 [0084.803] CloseHandle (hObject=0x434) returned 1 [0084.803] GetProcessHeap () returned 0x3a00000 [0084.803] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.803] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp_r00t_{8ew5f6}.ebal") returned 99 [0084.803] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\connecteddevicesplatform\\cdpglobalsettings.cdp"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\CDPGlobalSettings.cdp_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\connecteddevicesplatform\\cdpglobalsettings.cdp_r00t_{8ew5f6}.ebal")) returned 1 [0084.803] GetProcessHeap () returned 0x3a00000 [0084.803] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a746f8 | out: hHeap=0x3a00000) returned 1 [0084.803] FindNextFileW (in: hFindFile=0x3a38738, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc58b9bba, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc58b9bba, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x435d76fd, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x5f7, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CDPGlobalSettings.cdp", cAlternateFileName="CDPGLO~1.CDP")) returned 0 [0084.803] FindClose (in: hFindFile=0x3a38738 | out: hFindFile=0x3a38738) returned 1 [0084.804] wnsprintfW (in: pszDest=0x3a73ee8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 90 [0084.804] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\ConnectedDevicesPlatform\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\connecteddevicesplatform\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0084.809] WriteFile (in: hFile=0x340, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65af054, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65af054*=0x3a6, lpOverlapped=0x0) returned 1 [0084.810] CloseHandle (hObject=0x340) returned 1 [0084.810] GetProcessHeap () returned 0x3a00000 [0084.810] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ee8 | out: hHeap=0x3a00000) returned 1 [0084.810] FindNextFileW (in: hFindFile=0x3a38638, lpFindFileData=0x65af310 | out: lpFindFileData=0x65af310*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x8000000, cFileName="Google", cAlternateFileName="")) returned 1 [0084.810] lstrcmpiW (lpString1="Google", lpString2="Windows") returned -1 [0084.810] lstrcmpiW (lpString1="Google", lpString2="$Recycle.bin") returned 1 [0084.810] lstrcmpiW (lpString1="Google", lpString2="System Volume Information") returned -1 [0084.810] lstrcmpiW (lpString1="Google", lpString2="Program Files") returned -1 [0084.810] lstrcmpiW (lpString1="Google", lpString2="Program Files (x86)") returned -1 [0084.810] wnsprintfW (in: pszDest=0x3a732d0, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google") returned 40 [0084.810] lstrcmpW (lpString1="Google", lpString2=".") returned 1 [0084.810] lstrcmpW (lpString1="Google", lpString2="..") returned 1 [0084.810] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.810] GetProcessHeap () returned 0x3a00000 [0084.810] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76738 [0084.810] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\*") returned 42 [0084.810] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\*", lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38178 [0084.810] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.810] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.810] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.810] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.810] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.810] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\.") returned 42 [0084.811] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.811] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xadb6a93, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a3bd622, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x7e3bdb64, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.811] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.811] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.811] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.811] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.811] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.811] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\..") returned 43 [0084.811] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.811] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.811] FindNextFileW (in: hFindFile=0x3a38178, lpFindFileData=0x65af088 | out: lpFindFileData=0x65af088*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4aa60657, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x4aa60657, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Chrome", cAlternateFileName="")) returned 1 [0084.811] lstrcmpiW (lpString1="Chrome", lpString2="Windows") returned -1 [0084.811] lstrcmpiW (lpString1="Chrome", lpString2="$Recycle.bin") returned 1 [0084.811] lstrcmpiW (lpString1="Chrome", lpString2="System Volume Information") returned -1 [0084.811] lstrcmpiW (lpString1="Chrome", lpString2="Program Files") returned -1 [0084.811] lstrcmpiW (lpString1="Chrome", lpString2="Program Files (x86)") returned -1 [0084.811] wnsprintfW (in: pszDest=0x3a76738, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome") returned 47 [0084.811] lstrcmpW (lpString1="Chrome", lpString2=".") returned 1 [0084.811] lstrcmpW (lpString1="Chrome", lpString2="..") returned 1 [0084.811] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.811] GetProcessHeap () returned 0x3a00000 [0084.811] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a736d8 [0084.811] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\*") returned 49 [0084.811] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\*", lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4aa60657, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x4aa60657, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a385f8 [0084.811] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.811] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.811] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.811] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.812] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.812] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\.") returned 49 [0084.812] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.812] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4aa60657, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0x4aa60657, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.812] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.812] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.812] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.812] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.812] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.812] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\..") returned 50 [0084.812] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.812] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.812] FindNextFileW (in: hFindFile=0x3a385f8, lpFindFileData=0x65aee00 | out: lpFindFileData=0x65aee00*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa850ed2, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfaa1ab04, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="User Data", cAlternateFileName="USERDA~1")) returned 1 [0084.812] lstrcmpiW (lpString1="User Data", lpString2="Windows") returned -1 [0084.812] lstrcmpiW (lpString1="User Data", lpString2="$Recycle.bin") returned 1 [0084.812] lstrcmpiW (lpString1="User Data", lpString2="System Volume Information") returned 1 [0084.812] lstrcmpiW (lpString1="User Data", lpString2="Program Files") returned 1 [0084.812] lstrcmpiW (lpString1="User Data", lpString2="Program Files (x86)") returned 1 [0084.812] wnsprintfW (in: pszDest=0x3a736d8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data") returned 57 [0084.812] lstrcmpW (lpString1="User Data", lpString2=".") returned 1 [0084.812] lstrcmpW (lpString1="User Data", lpString2="..") returned 1 [0084.812] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.812] GetProcessHeap () returned 0x3a00000 [0084.812] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a746f8 [0084.812] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\*") returned 59 [0084.812] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa850ed2, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfaa1ab04, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38378 [0084.818] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.818] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.818] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.818] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.818] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.818] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\.") returned 59 [0084.818] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.818] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa850ed2, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfaa1ab04, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.818] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.818] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.818] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.818] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.818] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.818] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\..") returned 60 [0084.818] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.818] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.818] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525fa8ee, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x525fa8ee, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x525fa8ee, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CertificateTransparency", cAlternateFileName="CERTIF~1")) returned 1 [0084.818] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Windows") returned -1 [0084.818] lstrcmpiW (lpString1="CertificateTransparency", lpString2="$Recycle.bin") returned 1 [0084.818] lstrcmpiW (lpString1="CertificateTransparency", lpString2="System Volume Information") returned -1 [0084.818] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files") returned -1 [0084.818] lstrcmpiW (lpString1="CertificateTransparency", lpString2="Program Files (x86)") returned -1 [0084.818] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 81 [0084.818] lstrcmpW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0084.818] lstrcmpW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0084.818] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.818] GetProcessHeap () returned 0x3a00000 [0084.818] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.818] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*") returned 83 [0084.819] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525fa8ee, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x525fa8ee, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x525fa8ee, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a382b8 [0084.819] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.819] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.819] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.819] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.819] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.819] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\.") returned 83 [0084.819] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.819] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525fa8ee, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x525fa8ee, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x525fa8ee, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.819] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.819] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.819] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.819] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.819] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.819] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\..") returned 84 [0084.819] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.819] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.819] FindNextFileW (in: hFindFile=0x3a382b8, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x525fa8ee, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x525fa8ee, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x525fa8ee, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0084.819] FindClose (in: hFindFile=0x3a382b8 | out: hFindFile=0x3a382b8) returned 1 [0084.819] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 113 [0084.819] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\certificatetransparency\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378 [0084.824] WriteFile (in: hFile=0x378, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.825] CloseHandle (hObject=0x378) returned 1 [0084.825] GetProcessHeap () returned 0x3a00000 [0084.825] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.825] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Crashpad", cAlternateFileName="")) returned 1 [0084.825] lstrcmpiW (lpString1="Crashpad", lpString2="Windows") returned -1 [0084.825] lstrcmpiW (lpString1="Crashpad", lpString2="$Recycle.bin") returned 1 [0084.825] lstrcmpiW (lpString1="Crashpad", lpString2="System Volume Information") returned -1 [0084.825] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files") returned -1 [0084.825] lstrcmpiW (lpString1="Crashpad", lpString2="Program Files (x86)") returned -1 [0084.825] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 66 [0084.825] lstrcmpW (lpString1="Crashpad", lpString2=".") returned 1 [0084.825] lstrcmpW (lpString1="Crashpad", lpString2="..") returned 1 [0084.825] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.825] GetProcessHeap () returned 0x3a00000 [0084.825] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.825] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*") returned 68 [0084.825] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0084.826] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.826] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.826] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.826] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.826] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.826] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\.") returned 68 [0084.826] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.826] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a3bd622, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.826] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.826] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.826] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.826] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.826] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.826] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\..") returned 69 [0084.826] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.826] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.826] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="metadata", cAlternateFileName="")) returned 1 [0084.826] lstrcmpiW (lpString1="metadata", lpString2="Windows") returned -1 [0084.826] lstrcmpiW (lpString1="metadata", lpString2="$Recycle.bin") returned 1 [0084.826] lstrcmpiW (lpString1="metadata", lpString2="System Volume Information") returned -1 [0084.826] lstrcmpiW (lpString1="metadata", lpString2="Program Files") returned -1 [0084.826] lstrcmpiW (lpString1="metadata", lpString2="Program Files (x86)") returned -1 [0084.826] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata") returned 75 [0084.826] StrStrIW (lpFirst="metadata", lpSrch=".ebal") returned 0x0 [0084.826] lstrcmpW (lpString1="metadata", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.826] lstrcmpW (lpString1="metadata", lpString2="taridd") returned -1 [0084.826] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.826] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0084.827] GetTickCount () returned 0x1155800 [0084.827] GetTickCount () returned 0x1155800 [0084.827] GetTickCount () returned 0x1155800 [0084.827] GetTickCount () returned 0x1155800 [0084.827] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0084.827] GetProcessHeap () returned 0x3a00000 [0084.827] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.827] ReadFile (in: hFile=0x368, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65ae8b4*=0x0, lpOverlapped=0x0) returned 1 [0084.827] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.827] WriteFile (in: hFile=0x368, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65ae8b4*=0x0, lpOverlapped=0x0) returned 1 [0084.827] GetProcessHeap () returned 0x3a00000 [0084.827] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.827] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.827] WriteFile (in: hFile=0x368, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0084.828] WriteFile (in: hFile=0x368, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0084.828] WriteFile (in: hFile=0x368, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0084.828] CloseHandle (hObject=0x368) returned 1 [0084.829] GetProcessHeap () returned 0x3a00000 [0084.829] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.829] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata_r00t_{8ew5f6}.ebal") returned 94 [0084.829] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\metadata_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\metadata_r00t_{8ew5f6}.ebal")) returned 1 [0084.829] GetProcessHeap () returned 0x3a00000 [0084.829] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.829] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="reports", cAlternateFileName="")) returned 1 [0084.829] lstrcmpiW (lpString1="reports", lpString2="Windows") returned -1 [0084.829] lstrcmpiW (lpString1="reports", lpString2="$Recycle.bin") returned 1 [0084.829] lstrcmpiW (lpString1="reports", lpString2="System Volume Information") returned -1 [0084.829] lstrcmpiW (lpString1="reports", lpString2="Program Files") returned 1 [0084.829] lstrcmpiW (lpString1="reports", lpString2="Program Files (x86)") returned 1 [0084.829] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 74 [0084.829] lstrcmpW (lpString1="reports", lpString2=".") returned 1 [0084.829] lstrcmpW (lpString1="reports", lpString2="..") returned 1 [0084.830] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.830] GetProcessHeap () returned 0x3a00000 [0084.830] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.830] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*") returned 76 [0084.830] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a386b8 [0084.830] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.830] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.830] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.830] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.830] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.830] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\.") returned 76 [0084.830] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.830] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.830] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.830] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.830] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.831] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.831] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.831] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\..") returned 77 [0084.831] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.831] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.831] FindNextFileW (in: hFindFile=0x3a386b8, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x4a42fd3b, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 0 [0084.831] FindClose (in: hFindFile=0x3a386b8 | out: hFindFile=0x3a386b8) returned 1 [0084.831] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 106 [0084.831] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\reports\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0084.831] WriteFile (in: hFile=0x368, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae634, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae634*=0x3a6, lpOverlapped=0x0) returned 1 [0084.832] CloseHandle (hObject=0x368) returned 1 [0084.832] GetProcessHeap () returned 0x3a00000 [0084.832] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.832] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xc3c501de, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.dat", cAlternateFileName="")) returned 1 [0084.832] lstrcmpiW (lpString1="settings.dat", lpString2="Windows") returned -1 [0084.832] lstrcmpiW (lpString1="settings.dat", lpString2="$Recycle.bin") returned 1 [0084.832] lstrcmpiW (lpString1="settings.dat", lpString2="System Volume Information") returned -1 [0084.832] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files") returned 1 [0084.832] lstrcmpiW (lpString1="settings.dat", lpString2="Program Files (x86)") returned 1 [0084.832] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat") returned 79 [0084.832] StrStrIW (lpFirst="settings.dat", lpSrch=".ebal") returned 0x0 [0084.832] lstrcmpW (lpString1="settings.dat", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.832] lstrcmpW (lpString1="settings.dat", lpString2="taridd") returned -1 [0084.832] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.833] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x368 [0084.833] GetTickCount () returned 0x115580f [0084.833] GetTickCount () returned 0x115580f [0084.833] GetTickCount () returned 0x115580f [0084.833] GetTickCount () returned 0x115580f [0084.833] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae800*, pdwDataLen=0x65ae8b0*=0x80) returned 1 [0084.833] GetProcessHeap () returned 0x3a00000 [0084.833] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.833] ReadFile (in: hFile=0x368, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65ae8b4*=0x28, lpOverlapped=0x0) returned 1 [0084.834] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0xffffffd8, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.834] WriteFile (in: hFile=0x368, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x28, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65ae8b4*=0x28, lpOverlapped=0x0) returned 1 [0084.834] GetProcessHeap () returned 0x3a00000 [0084.834] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.834] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.834] WriteFile (in: hFile=0x368, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae8b4*=0x300, lpOverlapped=0x0) returned 1 [0084.838] WriteFile (in: hFile=0x368, lpBuffer=0x65ae800*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x65ae800*, lpNumberOfBytesWritten=0x65ae8b4*=0x80, lpOverlapped=0x0) returned 1 [0084.838] WriteFile (in: hFile=0x368, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae8b4, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae8b4*=0x4, lpOverlapped=0x0) returned 1 [0084.839] CloseHandle (hObject=0x368) returned 1 [0084.839] GetProcessHeap () returned 0x3a00000 [0084.839] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a73ae0 [0084.839] wnsprintfW (in: pszDest=0x3a73ae0, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat_r00t_{8ew5f6}.ebal") returned 98 [0084.839] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\settings.dat_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\settings.dat_r00t_{8ew5f6}.ebal")) returned 1 [0084.839] GetProcessHeap () returned 0x3a00000 [0084.839] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a73ae0 | out: hHeap=0x3a00000) returned 1 [0084.839] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a42fd3b, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x4a42fd3b, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xc3c501de, ftLastWriteTime.dwHighDateTime=0x1d327e6, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="settings.dat", cAlternateFileName="")) returned 0 [0084.839] FindClose (in: hFindFile=0x3a38678 | out: hFindFile=0x3a38678) returned 1 [0084.839] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\---==%$$$OPEN_ME_UP$$$==---.txt") returned 98 [0084.839] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\---==%$$$OPEN_ME_UP$$$==---.txt" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpad\\---==%$$$open_me_up$$$==---.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378 [0084.843] WriteFile (in: hFile=0x378, lpBuffer=0x406478*, nNumberOfBytesToWrite=0x3a6, lpNumberOfBytesWritten=0x65ae8bc, lpOverlapped=0x0 | out: lpBuffer=0x406478*, lpNumberOfBytesWritten=0x65ae8bc*=0x3a6, lpOverlapped=0x0) returned 1 [0084.844] CloseHandle (hObject=0x378) returned 1 [0084.844] GetProcessHeap () returned 0x3a00000 [0084.844] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75310 | out: hHeap=0x3a00000) returned 1 [0084.844] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50a8a90d, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xe6ef52bb, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe6f1b526, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x100000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="CrashpadMetrics-active.pma", cAlternateFileName="CRASHP~2.PMA")) returned 1 [0084.844] lstrcmpiW (lpString1="CrashpadMetrics-active.pma", lpString2="Windows") returned -1 [0084.844] lstrcmpiW (lpString1="CrashpadMetrics-active.pma", lpString2="$Recycle.bin") returned 1 [0084.844] lstrcmpiW (lpString1="CrashpadMetrics-active.pma", lpString2="System Volume Information") returned -1 [0084.844] lstrcmpiW (lpString1="CrashpadMetrics-active.pma", lpString2="Program Files") returned -1 [0084.844] lstrcmpiW (lpString1="CrashpadMetrics-active.pma", lpString2="Program Files (x86)") returned -1 [0084.844] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma") returned 84 [0084.844] StrStrIW (lpFirst="CrashpadMetrics-active.pma", lpSrch=".ebal") returned 0x0 [0084.844] lstrcmpW (lpString1="CrashpadMetrics-active.pma", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.844] lstrcmpW (lpString1="CrashpadMetrics-active.pma", lpString2="taridd") returned -1 [0084.844] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.844] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpadmetrics-active.pma"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x378 [0084.844] GetTickCount () returned 0x115580f [0084.844] GetTickCount () returned 0x115580f [0084.844] GetTickCount () returned 0x115580f [0084.844] GetTickCount () returned 0x115580f [0084.844] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x2c, dwBufLen=0x80 | out: pbData=0x65aea88*, pdwDataLen=0x65aeb38*=0x80) returned 1 [0084.845] GetProcessHeap () returned 0x3a00000 [0084.845] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a782b8 [0084.845] ReadFile (in: hFile=0x378, lpBuffer=0x3a782b8, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesRead=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.852] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.852] WriteFile (in: hFile=0x378, lpBuffer=0x3a782b8*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a782b8*, lpNumberOfBytesWritten=0x65aeb3c*=0x2800, lpOverlapped=0x0) returned 1 [0084.853] GetProcessHeap () returned 0x3a00000 [0084.853] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a782b8 | out: hHeap=0x3a00000) returned 1 [0084.853] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.853] WriteFile (in: hFile=0x378, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65aeb3c*=0x300, lpOverlapped=0x0) returned 1 [0084.874] WriteFile (in: hFile=0x378, lpBuffer=0x65aea88*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x65aea88*, lpNumberOfBytesWritten=0x65aeb3c*=0x80, lpOverlapped=0x0) returned 1 [0084.874] WriteFile (in: hFile=0x378, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65aeb3c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65aeb3c*=0x4, lpOverlapped=0x0) returned 1 [0084.874] CloseHandle (hObject=0x378) returned 1 [0084.874] GetProcessHeap () returned 0x3a00000 [0084.874] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.874] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma_r00t_{8ew5f6}.ebal") returned 103 [0084.874] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpadmetrics-active.pma"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\CrashpadMetrics-active.pma_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\crashpadmetrics-active.pma_r00t_{8ew5f6}.ebal")) returned 1 [0084.875] GetProcessHeap () returned 0x3a00000 [0084.875] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a74b00 | out: hHeap=0x3a00000) returned 1 [0084.875] FindNextFileW (in: hFindFile=0x3a38378, lpFindFileData=0x65aeb78 | out: lpFindFileData=0x65aeb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50c2e339, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa82ac98, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfa82ac98, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Default", cAlternateFileName="")) returned 1 [0084.875] lstrcmpiW (lpString1="Default", lpString2="Windows") returned -1 [0084.875] lstrcmpiW (lpString1="Default", lpString2="$Recycle.bin") returned 1 [0084.875] lstrcmpiW (lpString1="Default", lpString2="System Volume Information") returned -1 [0084.876] lstrcmpiW (lpString1="Default", lpString2="Program Files") returned -1 [0084.876] lstrcmpiW (lpString1="Default", lpString2="Program Files (x86)") returned -1 [0084.876] wnsprintfW (in: pszDest=0x3a746f8, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 65 [0084.876] lstrcmpW (lpString1="Default", lpString2=".") returned 1 [0084.876] lstrcmpW (lpString1="Default", lpString2="..") returned 1 [0084.876] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.876] GetProcessHeap () returned 0x3a00000 [0084.876] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a74b00 [0084.876] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*") returned 67 [0084.876] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*", lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50c2e339, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa82ac98, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfa82ac98, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38338 [0084.877] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.877] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.877] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.877] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.877] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.877] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\.") returned 67 [0084.877] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.877] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x50c2e339, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0xfa82ac98, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xfa82ac98, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.878] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.878] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.878] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.878] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.878] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.878] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\..") returned 68 [0084.878] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.878] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.878] FindNextFileW (in: hFindFile=0x3a38338, lpFindFileData=0x65ae8f0 | out: lpFindFileData=0x65ae8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5172d381, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5172d381, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x517321bc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="Cache", cAlternateFileName="")) returned 1 [0084.878] lstrcmpiW (lpString1="Cache", lpString2="Windows") returned -1 [0084.879] lstrcmpiW (lpString1="Cache", lpString2="$Recycle.bin") returned 1 [0084.879] lstrcmpiW (lpString1="Cache", lpString2="System Volume Information") returned -1 [0084.879] lstrcmpiW (lpString1="Cache", lpString2="Program Files") returned -1 [0084.879] lstrcmpiW (lpString1="Cache", lpString2="Program Files (x86)") returned -1 [0084.879] wnsprintfW (in: pszDest=0x3a74b00, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 71 [0084.879] lstrcmpW (lpString1="Cache", lpString2=".") returned 1 [0084.879] lstrcmpW (lpString1="Cache", lpString2="..") returned 1 [0084.879] lstrcmpW (lpString1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache", lpString2="C:\\Users\\FD1HVy\\Desktop") returned -1 [0084.879] GetProcessHeap () returned 0x3a00000 [0084.879] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75310 [0084.879] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\*" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*") returned 73 [0084.879] FindFirstFileW (in: lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*", lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5172d381, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5172d381, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x517321bc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName=".", cAlternateFileName="")) returned 0x3a38678 [0084.880] lstrcmpiW (lpString1=".", lpString2="Windows") returned -1 [0084.880] lstrcmpiW (lpString1=".", lpString2="$Recycle.bin") returned 1 [0084.880] lstrcmpiW (lpString1=".", lpString2="System Volume Information") returned -1 [0084.880] lstrcmpiW (lpString1=".", lpString2="Program Files") returned -1 [0084.880] lstrcmpiW (lpString1=".", lpString2="Program Files (x86)") returned -1 [0084.880] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\.") returned 73 [0084.880] lstrcmpW (lpString1=".", lpString2=".") returned 0 [0084.880] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5172d381, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5172d381, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x517321bc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="..", cAlternateFileName="")) returned 1 [0084.880] lstrcmpiW (lpString1="..", lpString2="Windows") returned -1 [0084.880] lstrcmpiW (lpString1="..", lpString2="$Recycle.bin") returned 1 [0084.880] lstrcmpiW (lpString1="..", lpString2="System Volume Information") returned -1 [0084.880] lstrcmpiW (lpString1="..", lpString2="Program Files") returned -1 [0084.880] lstrcmpiW (lpString1="..", lpString2="Program Files (x86)") returned -1 [0084.880] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\..") returned 74 [0084.880] lstrcmpW (lpString1="..", lpString2=".") returned 1 [0084.880] lstrcmpW (lpString1="..", lpString2="..") returned 0 [0084.880] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5172faf1, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x5172faf1, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xfa76c10c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_0", cAlternateFileName="")) returned 1 [0084.880] lstrcmpiW (lpString1="data_0", lpString2="Windows") returned -1 [0084.880] lstrcmpiW (lpString1="data_0", lpString2="$Recycle.bin") returned 1 [0084.880] lstrcmpiW (lpString1="data_0", lpString2="System Volume Information") returned -1 [0084.880] lstrcmpiW (lpString1="data_0", lpString2="Program Files") returned -1 [0084.880] lstrcmpiW (lpString1="data_0", lpString2="Program Files (x86)") returned -1 [0084.880] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0") returned 78 [0084.880] StrStrIW (lpFirst="data_0", lpSrch=".ebal") returned 0x0 [0084.880] lstrcmpW (lpString1="data_0", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.880] lstrcmpW (lpString1="data_0", lpString2="taridd") returned -1 [0084.880] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.880] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x35c [0084.881] GetTickCount () returned 0x115583e [0084.881] GetTickCount () returned 0x115583e [0084.881] GetTickCount () returned 0x115583e [0084.881] GetTickCount () returned 0x115583e [0084.881] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.881] GetProcessHeap () returned 0x3a00000 [0084.881] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a792c0 [0084.881] ReadFile (in: hFile=0x35c, lpBuffer=0x3a792c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesRead=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.883] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.883] WriteFile (in: hFile=0x35c, lpBuffer=0x3a792c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesWritten=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.883] GetProcessHeap () returned 0x3a00000 [0084.883] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a792c0 | out: hHeap=0x3a00000) returned 1 [0084.883] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.884] WriteFile (in: hFile=0x35c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.884] WriteFile (in: hFile=0x35c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.884] WriteFile (in: hFile=0x35c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.884] CloseHandle (hObject=0x35c) returned 1 [0084.884] GetProcessHeap () returned 0x3a00000 [0084.884] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.884] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0_r00t_{8ew5f6}.ebal") returned 97 [0084.884] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_0_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_0_r00t_{8ew5f6}.ebal")) returned 1 [0084.885] GetProcessHeap () returned 0x3a00000 [0084.885] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.885] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x517321bc, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x517321bc, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xfa76c10c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x42000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_1", cAlternateFileName="")) returned 1 [0084.885] lstrcmpiW (lpString1="data_1", lpString2="Windows") returned -1 [0084.885] lstrcmpiW (lpString1="data_1", lpString2="$Recycle.bin") returned 1 [0084.885] lstrcmpiW (lpString1="data_1", lpString2="System Volume Information") returned -1 [0084.885] lstrcmpiW (lpString1="data_1", lpString2="Program Files") returned -1 [0084.885] lstrcmpiW (lpString1="data_1", lpString2="Program Files (x86)") returned -1 [0084.885] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1") returned 78 [0084.885] StrStrIW (lpFirst="data_1", lpSrch=".ebal") returned 0x0 [0084.885] lstrcmpW (lpString1="data_1", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.885] lstrcmpW (lpString1="data_1", lpString2="taridd") returned -1 [0084.885] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.885] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x35c [0084.885] GetTickCount () returned 0x115583e [0084.885] GetTickCount () returned 0x115583e [0084.885] GetTickCount () returned 0x115583e [0084.885] GetTickCount () returned 0x115583e [0084.885] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.886] GetProcessHeap () returned 0x3a00000 [0084.886] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a792c0 [0084.886] ReadFile (in: hFile=0x35c, lpBuffer=0x3a792c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesRead=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.902] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.902] WriteFile (in: hFile=0x35c, lpBuffer=0x3a792c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesWritten=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.902] GetProcessHeap () returned 0x3a00000 [0084.902] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a792c0 | out: hHeap=0x3a00000) returned 1 [0084.902] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.903] WriteFile (in: hFile=0x35c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.905] WriteFile (in: hFile=0x35c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.905] WriteFile (in: hFile=0x35c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.905] CloseHandle (hObject=0x35c) returned 1 [0084.905] GetProcessHeap () returned 0x3a00000 [0084.905] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a75f28 [0084.905] wnsprintfW (in: pszDest=0x3a75f28, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1_r00t_{8ew5f6}.ebal") returned 97 [0084.905] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_1_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_1_r00t_{8ew5f6}.ebal")) returned 1 [0084.912] GetProcessHeap () returned 0x3a00000 [0084.912] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a75f28 | out: hHeap=0x3a00000) returned 1 [0084.912] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x517321bc, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x517321bc, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0x517321bc, ftLastWriteTime.dwHighDateTime=0x1d327ca, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_2", cAlternateFileName="")) returned 1 [0084.912] lstrcmpiW (lpString1="data_2", lpString2="Windows") returned -1 [0084.912] lstrcmpiW (lpString1="data_2", lpString2="$Recycle.bin") returned 1 [0084.912] lstrcmpiW (lpString1="data_2", lpString2="System Volume Information") returned -1 [0084.912] lstrcmpiW (lpString1="data_2", lpString2="Program Files") returned -1 [0084.912] lstrcmpiW (lpString1="data_2", lpString2="Program Files (x86)") returned -1 [0084.912] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2") returned 78 [0084.912] StrStrIW (lpFirst="data_2", lpSrch=".ebal") returned 0x0 [0084.912] lstrcmpW (lpString1="data_2", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.912] lstrcmpW (lpString1="data_2", lpString2="taridd") returned -1 [0084.912] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.912] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x35c [0084.913] GetTickCount () returned 0x115585d [0084.913] GetTickCount () returned 0x115585d [0084.913] GetTickCount () returned 0x115585d [0084.913] GetTickCount () returned 0x115585d [0084.913] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.913] GetProcessHeap () returned 0x3a00000 [0084.914] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a792c0 [0084.914] ReadFile (in: hFile=0x35c, lpBuffer=0x3a792c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesRead=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.915] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0xffffe000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.915] WriteFile (in: hFile=0x35c, lpBuffer=0x3a792c0*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesWritten=0x65ae62c*=0x2000, lpOverlapped=0x0) returned 1 [0084.915] GetProcessHeap () returned 0x3a00000 [0084.915] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a792c0 | out: hHeap=0x3a00000) returned 1 [0084.915] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.915] WriteFile (in: hFile=0x35c, lpBuffer=0x3a29f70*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a29f70*, lpNumberOfBytesWritten=0x65ae62c*=0x300, lpOverlapped=0x0) returned 1 [0084.915] WriteFile (in: hFile=0x35c, lpBuffer=0x65ae578*, nNumberOfBytesToWrite=0x80, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x65ae578*, lpNumberOfBytesWritten=0x65ae62c*=0x80, lpOverlapped=0x0) returned 1 [0084.915] WriteFile (in: hFile=0x35c, lpBuffer=0x40603c*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x40603c*, lpNumberOfBytesWritten=0x65ae62c*=0x4, lpOverlapped=0x0) returned 1 [0084.915] CloseHandle (hObject=0x35c) returned 1 [0084.916] GetProcessHeap () returned 0x3a00000 [0084.916] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x400) returned 0x3a76b40 [0084.916] wnsprintfW (in: pszDest=0x3a76b40, cchDest=512, pszFmt="%s_%S_{%6S}%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2_r00t_{8ew5f6}.ebal") returned 97 [0084.916] MoveFileW (lpExistingFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2"), lpNewFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_2_r00t_{8ew5f6}.ebal" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_2_r00t_{8ew5f6}.ebal")) returned 1 [0084.916] GetProcessHeap () returned 0x3a00000 [0084.916] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a76b40 | out: hHeap=0x3a00000) returned 1 [0084.916] FindNextFileW (in: hFindFile=0x3a38678, lpFindFileData=0x65ae668 | out: lpFindFileData=0x65ae668*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x517321bc, ftCreationTime.dwHighDateTime=0x1d327ca, ftLastAccessTime.dwLowDateTime=0x517321bc, ftLastAccessTime.dwHighDateTime=0x1d327ca, ftLastWriteTime.dwLowDateTime=0xfa76c10c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x402000, dwReserved0=0x1, dwReserved1=0x8000000, cFileName="data_3", cAlternateFileName="")) returned 1 [0084.916] lstrcmpiW (lpString1="data_3", lpString2="Windows") returned -1 [0084.916] lstrcmpiW (lpString1="data_3", lpString2="$Recycle.bin") returned 1 [0084.916] lstrcmpiW (lpString1="data_3", lpString2="System Volume Information") returned -1 [0084.916] lstrcmpiW (lpString1="data_3", lpString2="Program Files") returned -1 [0084.916] lstrcmpiW (lpString1="data_3", lpString2="Program Files (x86)") returned -1 [0084.916] wnsprintfW (in: pszDest=0x3a75310, cchDest=512, pszFmt="%s\\%s" | out: pszDest="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3") returned 78 [0084.917] StrStrIW (lpFirst="data_3", lpSrch=".ebal") returned 0x0 [0084.917] lstrcmpW (lpString1="data_3", lpString2="---==%$$$OPEN_ME_UP$$$==---.txt") returned 1 [0084.917] lstrcmpW (lpString1="data_3", lpString2="taridd") returned -1 [0084.917] StrCmpNW (lpStr1="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3", lpStr2="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\6BRINgW2sOZB79UTr2SOk", nChar=99) returned -1 [0084.917] CreateFileW (lpFileName="\\\\?\\C:\\Users\\FD1HVy\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\data_3" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\google\\chrome\\user data\\default\\cache\\data_3"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x35c [0084.917] GetTickCount () returned 0x115585d [0084.917] GetTickCount () returned 0x115585d [0084.917] GetTickCount () returned 0x115585d [0084.917] GetTickCount () returned 0x115585d [0084.917] CryptEncrypt (in: hKey=0x3a1ee28, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x2c, dwBufLen=0x80 | out: pbData=0x65ae578*, pdwDataLen=0x65ae628*=0x80) returned 1 [0084.917] GetProcessHeap () returned 0x3a00000 [0084.917] RtlAllocateHeap (HeapHandle=0x3a00000, Flags=0x8, Size=0x2800) returned 0x3a792c0 [0084.917] ReadFile (in: hFile=0x35c, lpBuffer=0x3a792c0, nNumberOfBytesToRead=0x2800, lpNumberOfBytesRead=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesRead=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.919] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0xffffd800, lpNewFilePointer=0xffffffff, dwMoveMethod=0x0 | out: lpNewFilePointer=0xffffffff) returned 1 [0084.919] WriteFile (in: hFile=0x35c, lpBuffer=0x3a792c0*, nNumberOfBytesToWrite=0x2800, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0 | out: lpBuffer=0x3a792c0*, lpNumberOfBytesWritten=0x65ae62c*=0x2800, lpOverlapped=0x0) returned 1 [0084.922] GetProcessHeap () returned 0x3a00000 [0084.922] HeapFree (in: hHeap=0x3a00000, dwFlags=0x8, lpMem=0x3a792c0 | out: hHeap=0x3a00000) returned 1 [0084.922] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.922] WriteFile (hFile=0x35c, lpBuffer=0x3a29f70, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x65ae62c, lpOverlapped=0x0) Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x49d1f000" os_pid = "0x5f0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xfb4" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "64" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000fac7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 9 os_tid = 0xdcc Thread: id = 10 os_tid = 0xd88 Thread: id = 11 os_tid = 0xa2c Thread: id = 12 os_tid = 0xa14 Thread: id = 13 os_tid = 0x8dc Thread: id = 14 os_tid = 0x8d4 Thread: id = 15 os_tid = 0x520 Thread: id = 16 os_tid = 0x67c Thread: id = 17 os_tid = 0x678 Thread: id = 18 os_tid = 0x644 Thread: id = 19 os_tid = 0x640 Thread: id = 20 os_tid = 0x63c Thread: id = 21 os_tid = 0x5f4 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0xb499000" os_pid = "0x260" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfb4" cmd_line = "\"C:\\WINDOWS\\sysnative\\vssadmin.exe\" delete shadows /all /quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0xf00 Thread: id = 28 os_tid = 0xf90 Thread: id = 30 os_tid = 0x9d8 Thread: id = 31 os_tid = 0x4a8 Thread: id = 32 os_tid = 0x798 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xb40b000" os_pid = "0x39c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x260" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "64" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000103c1" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 23 os_tid = 0xf14 Thread: id = 24 os_tid = 0x2e8 Thread: id = 25 os_tid = 0xc9c Thread: id = 26 os_tid = 0xdac Thread: id = 27 os_tid = 0x344